Bug brace menaces Adobe Photoshop

Security researchers are warning of a brace of unpatched flaws in Adobe Photoshop that allow hackers to gain control of vulnerable PCs. The first vulnerability – which affects Adobe Photoshop CS2, Adobe Photoshop CS3, and Adobe Photoshop Elements 5.x – leaves users open to attack if they open malformed PNG graphics files. …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Arbitrary code from what? BMP, PNG ??

    PNG and BMP files are just graphic files, not binary. There is no way arbitrary code could be run from inside them since any binary would simply be read by the algorithms either giving a corrupted file result or just discarded..

  2. Anonymous Coward

    Sorry, but no.

    Firstly PNG and BMP files can contain _any_ binary data - including executable data (this has been shown a number of times - remember the shldocvw.dll vulnerability in Windows at the end of 2006?)

    If an exploit is found that allows execution of arbitrary code then it doesn't follow that you'll get a garbled image - instead you may get a partially rendered image with the remaining binary data escaping into userspace to cause whatever damage it is capable of.

    Windows users using limited user accounts should be less vulnerable to this form of exploit but that doesn't mean there is nothing to worry about.

  3. Colin Guthrie

    Erm

    "PNG and BMP files are just graphic files, not binary. There is no way arbitrary code could be run from inside them"

    Have you heard of buffer overflows??? You clearly do not know the first thing about security issues and will no doubt be tripped up by a corrupted Windows mouse cursor....

    What planet have you been living on?

  4. Karl Lattimer

    Slap the previous poster, he's a moron

    Firstly, Graphic files, text files, everything on a computer is binary, regardless of the method of encoding used.

    Any buffer which is incorrectly terminated or allows for unspecified length copying larger than the size of the actual buffer can overflow into the stack. Similarly with much larger binary chunks (eggs) the heap can spew all over the stack, and point the EIP (extended instruction pointer) into a point inside of the buffer called a nop sled. The nop sled will then run a bunch of 0x90's all the way down to a shell code (the final and most important part of an egg), this in turn will execute and execute it will arbitrary code.

    All the programmer needs to do is accidentally allow for something larger than the allocated memory slot to be copied into that block, an easy mistake, originally discovered as a result of stray strcpy commands copying service instructions for e.g. Apache into other buffers, however it has been demonstrated on much more rudimentary routines such as memcpy.

    The standard fix for this kind of bug is strncpy or using sizeof and truncation methods to prevent a buffer larger than the target memory slot from being copied.

    Image files are not immune, you are a moron.

    Peace out reg.
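An added example, not part of the thread and not Adobe's code: the length check whose absence comment 4 describes, applied to a PNG-style chunk whose length field is read from the file itself. The function name, result codes and sample chunks are constructed for illustration, and CRC verification is left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Result codes for the hypothetical chunk reader (names are illustrative). */
enum { CHUNK_TRUNCATED = -1, CHUNK_TOO_BIG = -2 };

/* Read a big-endian 32-bit value, as PNG stores chunk lengths. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Copy the data of the chunk starting at file[off] into dst.
 * Chunk layout: 4-byte length, 4-byte type, data, 4-byte CRC.
 * The length field comes from the file, so it is untrusted and is
 * checked against both the input and the destination before memcpy.
 */
long copy_chunk_data(const uint8_t *file, size_t file_len, size_t off,
                     uint8_t *dst, size_t dst_cap) {
    if (off > file_len || file_len - off < 8)
        return CHUNK_TRUNCATED;            /* no room for length + type */
    uint32_t declared = be32(file + off);
    size_t remaining = file_len - off - 8;
    if (remaining < 4 || declared > remaining - 4)
        return CHUNK_TRUNCATED;            /* length runs past end of file */
    if (declared > dst_cap)
        return CHUNK_TOO_BIG;              /* would overflow dst: refuse */
    memcpy(dst, file + off + 8, declared);
    return (long)declared;
}

/* Constructed sample: a well-formed 4-byte chunk (CRC bytes are dummy). */
static const uint8_t GOOD_CHUNK[] = {0,0,0,4, 't','E','S','T', 1,2,3,4, 0,0,0,0};
/* Constructed sample: header claims 0x400 bytes, file holds only 4. */
static const uint8_t LYING_CHUNK[] = {0,0,4,0, 't','E','S','T', 1,2,3,4, 0,0,0,0};
/* Constructed sample: 12 real data bytes, more than an 8-byte buffer. */
static const uint8_t BIG_CHUNK[] = {0,0,0,12, 't','E','S','T',
    1,2,3,4,5,6,7,8,9,10,11,12, 0,0,0,0};

int main(void) {
    uint8_t buf[8];
    return copy_chunk_data(GOOD_CHUNK, sizeof GOOD_CHUNK, 0, buf, sizeof buf) == 4 ? 0 : 1;
}
```

A parser that copies `declared` bytes without the two comparisons above is the "accidentally allow for something larger than the allocated memory slot" case from the comment.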

  5. Craig Foster

    Not just data

    Most image formats allow extra information such as camera model, colour settings, etc. It also doesn't stop executable code being tacked on the end or something, so that the import filter crashes and runs the added code...

    Nothing is sacred :P

  6. Anonymous Coward

    Complete nonsense.

    "PNG and BMP files are just graphic files, not binary."

    Really? Care to expand on what format these 'graphic files' take when they're stored on your PC then?

    Read and learn: http://www.heise-security.co.uk/articles/74634

  7. Alex

    Re: Arbitrary code from what? BMP, PNG ??

    This is a good demonstration of a buffer overflow attack:

    http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html

  8. Chizo Ejindu

    And there I was thinking I was a geek!

    I had a look at that windowsecurity.com article and I must admit, a lot went over my head. So in simple layman's terms this is my understanding of it...

    Program X, takes file Y and runs whatever standard process against it. File Y, while appearing to be a certain length, is actually longer by whatever means and therefore overflows the allocated memory space into space reserved for program X? The excess data outside the allocated space is then immediately evaluated (by Windows presumably rather than program X) and if found to be a properly formed executable automatically run with the privileges of the original program X?

    Again I stress my understanding of the mechanics of it all is very limited and I have a load of questions that I'll save for now but is that the general gist of it?

  9. hugh

    The man said it.

    >Arbitrary code from what? BMP, PNG ??

    >Posted Tuesday 1st May 2007 11:59 GMT

    >PNG and BMP files are just graphic files, not binary. There is no way arbitrary code could be run from inside them since any binary would simply be read by the algorithms either giving a corrupted file result or just discarded..

    "It is better to keep your mouth closed and let people think you are a fool than to open it and remove all doubt."

    Mark Twain (1835 - 1910)

  10. steve lampros

    1001 0100 010 1001 000100 01010

    . . . your mother!

    HAPPY MAY DAY!
