
History repeating…

Created: 05 May 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:59:44 GMT
Liam O Murchu

History repeats itself. Well, that’s how the saying goes anyway. To see the future we should look to the past.
So what have we seen in the recent past? The whole .wmf debacle at the end of 2005 certainly stands out. Have any lessons been learned from that? I think not, but I guess we will have to wait and see. Of course, the lessons should have been learned a long time before the .wmf exploits were ever circulated.

Why? Well, the .wmf vulnerabilities were more than likely found using some simple file format fuzzing techniques. These vulnerabilities were not the first that could have been found using file fuzzing. Indeed, we have also seen some other prominent examples of bugs in image formats that were probably found using this same technique. For example, we had the .png vulnerability in early 2005. We witnessed the icon vulnerability, also in 2005. What about the .jpeg/GDI vulnerability in 2004? All of these critical vulnerabilities could have been exposed using fuzzing techniques.

It still amazes me to see that after fuzzing for a mere 30 minutes, bugs can still be found, as has been demonstrated by Michal Zalewski. Although Zalewski’s work was carried out in July of 2005, I have noticed similar results in tests that I have carried out more recently. Of course, once a bug has been found, a lot of work needs to be done to test whether or not it is exploitable, but surely these types of fuzzing tests should be carried out by software testers before the product goes out the door.
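The kind of pre-release file-format fuzz test described above, as an added example that is not from the original post: a small mutation fuzzer run against two parsers for a constructed toy image format. The `TIMG` format, the parser names and the sample file are all assumptions made for illustration, and unhandled Python exceptions stand in for the memory errors a native image parser would hit.

```python
import random
import struct

MAGIC = b"TIMG"  # constructed toy format: 4-byte magic, u16 width, u16 height, pixels

def parse_naive(data):
    """Trusts the header: magic and declared dimensions are never validated."""
    magic, width, height = struct.unpack_from("<4sHH", data, 0)
    pixels = data[8:]
    # Reads the last declared pixel; fails if the header lies about the size.
    return width, height, pixels[width * height - 1]

def parse_checked(data):
    """Validates every header field; malformed input is rejected with ValueError."""
    if len(data) < 8:
        raise ValueError("truncated header")
    magic, width, height = struct.unpack_from("<4sHH", data, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if width == 0 or height == 0 or len(data) - 8 != width * height:
        raise ValueError("dimensions do not match pixel data")
    return width, height, data[8 + width * height - 1]

def mutate(seed, rng):
    """Overwrite 1-3 random bytes and sometimes truncate the file."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    if rng.random() < 0.2:
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)

def fuzz(parser, seed, iterations=2000, rng_seed=1):
    """Return outcome counts and the inputs that raised unexpected errors."""
    rng = random.Random(rng_seed)  # fixed seed so every run is reproducible
    counts = {"ok": 0, "rejected": 0, "crash": 0}
    crashers = []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
            counts["ok"] += 1
        except ValueError:
            counts["rejected"] += 1  # clean, intended rejection
        except Exception:
            counts["crash"] += 1     # unhandled failure: a bug to triage
            crashers.append(sample)
    return counts, crashers

SEED_FILE = MAGIC + struct.pack("<HH", 4, 4) + bytes(range(16))  # constructed 4x4 sample
```

Saving each entry of `crashers` to disk gives a regression corpus that can be replayed against every later build of the parser.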

With the current popularity of file format fuzzing, the release of file-fuzzing tools, plus the increasing price that companies (and others) will pay for vulnerabilities, surely it won’t be long before another image format is found to be vulnerable too. So looking to the future, what’s next? We should expect another image file format vulnerability pretty soon.

For more information on file-fuzzing tools, please visit:
http://labs.idefense.com/labs-software.php?show=3
http://www.scadasec.net/secwiki/FuzzingTools

For related sites, please visit:
http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0289.html
http://labs.idefense.com/labs-software.php?show=3
http://www.securityfocus.com/columnists/391
http://www.microsoft.com/technet/security/bulletin/MS05-009.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
http://en.wikipedia.org/wiki/Fuzzing