Tuesday, March 13, 2007

Beware of RAW files


The cat is now well and truely out of the bag. On the 17th of December 2006, I reported over 15 suspected vulnerabilities to a range of software vendors reporting problems with handling malformed Camera RAW Files.

In the last two weeks we've seen Microsoft patch IView Media Pro where the version history (http://downloads.iview-multimedia.com/ivmp313vh.pdf) 'Fixed crash caused by importing corrupt DNG files.'.

Their internal analysis indicated that it was a reliability issue that did not require a security patch. All good. :-)

And today, Apple have issued a security patch to their operating system(s) (http://docs.info.apple.com/article.html?artnum=61798)
CVE-ID: CVE-2007-0733

I would advise users of Mac OS X or Mac OS X Server v10.4 -> 10.4.8 to schedule this patch for testing and rolling out.

Several other vendors are still working on patches, so clearly their problems will not be discussed, however by now the 'bad guys' have several information sources that there is an attack vector, so without discussing specifics that might harm the vendors still working on fixes, it's worth considering a few precautions we should all be taking over the handling of raw files.

**Digital Camera RAW files should be treated as if they were programs**

Therefore, you should not download unsolicited camera RAW files (either from the web, form peer to peer software or from email attachments). Even placing such a file in a folder may be enough to cause hostile code to execute.

Many of the potentially vulnerable mechanisms have no automatic patching mechanism, it is therefore important that you check to see if the maker of your software has released any updates. However in many cases they have not yet, so your only protection is being very careful with RAW files.

If you are an organisation that routinely handles 3rd party RAW files extra security measures are definitely in order. If you contact me I will be happy to discuss your requirements with you. Contact details are
here

A more detailed discussion on some aspects of the problem will follow later...

No comments: