[109678] in Cypherpunks


GIF2K Problem Affects PC Security (Was Re: TidBITS#474/01-Apr-99)

daemon@ATHENA.MIT.EDU (Robert Hettinga)
Thu Apr 1 10:19:17 1999

In-Reply-To: <v04204c03b328a39e77e8@[204.57.207.41]>
Date: Thu, 1 Apr 1999 05:57:12 -0500
To: cypherpunks@cyberpass.net
From: Robert Hettinga <rah@shipwright.com>
Reply-To: Robert Hettinga <rah@shipwright.com>

At 3:00 AM -0500 on 4/1/99, TidBITS Editors wrote:


> GIF2K Problem Affects PC Security
> ---------------------------------
>   by Adam C. Engst <ace@tidbits.com>
>
>   Everyone knows that the Macintosh is Y2K-compliant - that the Mac
>   OS knows about dates well into the next century, right? But we've
>   learned of a Y2K-related problem that, although it doesn't affect
>   Macs, could be serious for numerous Internet users who work with
>   Intel-based PCs.
>
>   Graphic utility developer BoxTop Software has isolated a problem
>   with certain GIF files that results in GIF viewers (including the
>   GIF viewing code in Web browsers) either being incapable of
>   displaying certain images or suffering from a buffer overflow
>   error. Travis Anton of BoxTop Software said that the "GIF2K
>   problem," as they're calling it, results from "a core failing of
>   LZW compression which initialized code tables with information
>   based on the date. After January 1st, 2000, displaying GIF images
>   on affected systems can result in a buffer overflow during
>   decompression."
>
> <http://www.boxtopsoft.com/>
>
>   Although the inability to display a specific GIF image is the most
>   common result of the GIF2K problem, the buffer overflow errors are
>   more concerning because they open a door for malicious programmers
>   to create non-Y2K-compliant GIFs. In "Security Issue with Email
>   Attachments" in TidBITS-441_, Geoff Duncan described buffer
>   overflows like this: "the way to take advantage of a buffer
>   overflow is to craft the precise binary data that will get past
>   the target program's bounds checking, then somehow cause that data
>   to be executed as if it were code. ... To execute malicious code,
>   the extraneous data must be designed to target a particular email
>   program running on a particular operating system."
>
> <http://db.tidbits.com/getbits.acgi?tbart=05018>
>
>   In this case, we're not talking about email programs, but instead
>   GIF viewing code. A malevolent developer could create a specific
>   GIF containing a small viral code stub that would cause a buffer
>   overflow error in one of the popular PC Web browsers. Even if the
>   GIF2K-based buffer overflow was used only as the initial infection
>   vector (since many PCs aren't susceptible - see below), a virus
>   could replicate using other means once it had established itself.
>
>   Worse yet, other forms of attack could help spread such viruses.
>   For instance, a cracker could break into a popular Web site,
>   replace the main logo GIF with one designed to take advantage of
>   the GIF2K problem, and rest assured that no one could track the
>   real point of origin, even if someone were to identify the source
>   GIF.
>
>
> **What's Affected** -- From BoxTop's testing, the GIF2K problem
>   seems to affect a variety of Intel-based PCs that use several
>   popular BIOSes (Basic Input/Output Systems - the core code that
>   gets the system running and acts as a basic interface to the
>   hardware). BIOSes from AMI and Award are the most susceptible,
>   though some versions of the popular Phoenix BIOS are also
>   affected. GIF2K hasn't been detected previously because it
>   requires both a susceptible BIOS and a specific video adapter. In
>   essence, the BIOS screws up when handing the GIF data off to the
>   video display subsystem.
>
>   It's worth noting that although many older PC BIOSes have more
>   significant troubles with Y2K date issues, the GIF2K problem is
>   essentially a separate concern. It's a three-way problem,
>   requiring specific BIOSes in combination with specific video
>   adapters and a not-uncommon organization of bytes that result from
>   the decompression of particular GIF files. Thus, a susceptible PC
>   is difficult to identify based on its hardware or manufacturer.
>
>   Unfortunately, the possible combinations are too multifarious to
>   list, and although someone will no doubt write a utility that you
>   can run on a PC to see if it's affected, that hasn't yet happened.
>   Even if it does, what good does the information do? It's not worth
>   swapping a motherboard or buying a new video adapter to avoid this
>   problem; it makes more sense to focus on the problematic GIFs
>   themselves.
>
>
> **GIF2K Checker** -- That's precisely what BoxTop Software has
>   done, with a simple Mac application called GIF2K Checker. Drop a
>   GIF file or a folder containing GIFs on GIF2K Checker, and it
>   scans all the files. After noting problematic files, GIF2K Checker
>   recompresses them in such a way as to eliminate the problem with
>   the way the GIF format uses LZW compression. These changes do not
>   change the file size or modify the appearance of images in any
>   way. GIF2K Checker requires System 7.5.5 or higher on a PowerPC-
>   based Mac, supports Navigation Services, and is performance-
>   optimized for today's high-end G3-based machines.
>
> <http://www.boxtopsoft.com/GIF2K/>
>
>   Although it's still unclear what percentage of GIFs are affected,
>   the number is significant, and everyone who publishes a Web site
>   containing GIF graphics should run their GIFs through GIF2K
>   Checker. It's ironic that a Macintosh-based tool will help prevent
>   PCs from experiencing the GIF2K problem, but since most Web sites,
>   and especially most Web graphics, continue to be developed on
>   Macs, it makes sense.
>
>   Of course, GIF2K Checker is a stopgap measure, and other solutions
>   will no doubt appear in the months before 01-Jan-00. For instance,
>   Web-based solutions will no doubt appear for those few webmasters
>   who don't already use Macs. Web search engine companies may even
>   start traversing the Web looking for affected GIFs and notifying
>   webmasters.
>
>
> **Geeks Bearing GIFs** -- We'll be covering the GIF2K problem in
>   future issues of TidBITS, but for the latest up-to-the-minute
>   information, pay attention to TidBITS Talk, where we'll note which
>   mainstream applications take steps to correct the problem on their
>   own, as well as any compatibility checkers and useful utilities
>   that become available.
>
> <http://www.tidbits.com/search/talk.html>

;-).

Cheers,
RAH
-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

