ALERT: Irfan multiple vulnerabilities

luke_church Registered Users Posts: 507 Major grins
edited April 4, 2007 in Digital Darkroom
All,

Do not load images from an origin you cannot trust in Irfan

A vulnerability in Irfan's graphics code has been found. Helpfully (cough), this was declared to the world by someone publishing an exploit.

I am also aware of several other issues with Irfan that are related to a vulnerability discussed here: http://www.dgrin.com/showthread.php?t=56268

and here: http://lukechurch.blogspot.com/2007/03/beware-of-raw-files.html

Irfan have not replied to my attempts to notify them of the problem. As far as I am aware, Irfan has no update or patching mechanism. As I have no confidence in their ability to resolve the problem, I had not made a public declaration; others appear to have felt differently.

I strongly advise that use of Irfan is strictly limited to trusted images of any file type. I do not foresee a solution to this series of problems anytime soon.

HTH,

Luke

Comments

  • wxwax Registered Users Posts: 15,471 Major grins
    edited April 3, 2007
    Hi Luke,

    Is the issue strictly RAW files, or all files?
    Sid.
    Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam
    http://www.mcneel.com/users/jb/foghorn/ill_shut_up.au
  • luke_church Registered Users Posts: 507 Major grins
    edited April 3, 2007
    wxwax wrote:
    Is the issue strictly RAW files, or all files?

    My advice is all files.
  • luke_church Registered Users Posts: 507 Major grins
    edited April 3, 2007
    And whilst we're at it, Microsoft have released an out-of-band patch for a remote code exploit handling .ani files.

    http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx

    In the short run, this is a more serious issue than the RAW files, but has the advantage of targeting an organisation that has a patching procedure. So it's probably worth applying the patch as soon as you can. In the long run, I suspect the issues with the likes of IrfanView will be with us for a much longer time.

    Image files are not to be trusted.
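The post above says not to trust image files by extension and mentions a patched flaw in .ani (animated cursor) handling. The following is an added example, not code from the thread, from IrfanView or from Microsoft: a small triage script that identifies a file by its leading bytes rather than its name, rejects files whose content does not match their extension, and, for RIFF/ACON (.ani) files, walks the chunk list and refuses any chunk whose declared length runs past the end of the buffer or any anih chunk that is not exactly the 36 bytes of the ANIHEADER structure. The signature table, the helper names and the constructed sample files are assumptions for illustration; the script does not descend into nested LIST chunks.

```python
import struct
from pathlib import PurePath

# Leading-byte signatures and the extensions they legitimately go with.
# (Assumed table for this example; extend as needed.)
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    ("png", b"\x89PNG\r\n\x1a\n", {".png"}),
    ("gif", b"GIF87a", {".gif"}),
    ("gif", b"GIF89a", {".gif"}),
    ("tiff", b"II*\x00", {".tif", ".tiff"}),
    ("tiff", b"MM\x00*", {".tif", ".tiff"}),
    ("bmp", b"BM", {".bmp"}),
]
ANIHEADER_SIZE = 36  # sizeof(ANIHEADER) in a well-formed .ani anih chunk


def sniff(data):
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data[:4] == b"RIFF" and data[8:12] == b"ACON":
        return "ani"
    for name, magic, _ in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def expected_types(path):
    """Content types the file's extension claims it should be."""
    ext = PurePath(path).suffix.lower()
    if ext == ".ani":
        return {"ani"}
    return {name for name, _, exts in SIGNATURES if ext in exts}


def riff_chunks(data):
    """Yield (fourcc, body) for top-level RIFF chunks, bounds-checking every declared length."""
    if len(data) < 12 or data[:4] != b"RIFF":
        raise ValueError("not a RIFF file")
    riff_len = struct.unpack_from("<I", data, 4)[0]
    end = 8 + riff_len
    if end > len(data):
        raise ValueError("RIFF length exceeds file size")
    pos = 12  # skip 'RIFF', length, form type
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body_start = pos + 8
        if body_start + size > end:
            raise ValueError(f"chunk {fourcc!r} length {size} runs past end of file")
        yield fourcc, data[body_start:body_start + size]
        pos = body_start + size + (size & 1)  # chunk bodies are word-aligned


def check_ani(data):
    """Accept only an .ani whose anih chunk is exactly ANIHEADER_SIZE bytes."""
    saw_header = False
    for fourcc, body in riff_chunks(data):
        if fourcc == b"anih":
            if len(body) != ANIHEADER_SIZE:
                raise ValueError(f"anih chunk is {len(body)} bytes, expected {ANIHEADER_SIZE}")
            saw_header = True
    if not saw_header:
        raise ValueError("no anih chunk")
    return True


def triage(path, data):
    """Return 'ok: <type>' or 'reject: <reason>' for a file name plus its bytes."""
    kind = sniff(data)
    if kind == "unknown":
        return "reject: unrecognised content"
    if kind not in expected_types(path):
        return f"reject: content is {kind} but name says {PurePath(path).suffix or '(none)'}"
    if kind == "ani":
        try:
            check_ani(data)
        except ValueError as err:
            return f"reject: {err}"
    return f"ok: {kind}"


def build_ani(anih_len):
    """Construct a minimal RIFF/ACON file with an anih chunk of the given length (sample data)."""
    anih = b"anih" + struct.pack("<I", anih_len) + b"\x00" * anih_len
    if anih_len & 1:
        anih += b"\x00"
    body = b"ACON" + anih
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # constructed JPEG header
        "cat.jpg": build_ani(ANIHEADER_SIZE),             # .ani disguised as a JPEG
        "cursor.ani": build_ani(ANIHEADER_SIZE),          # well-formed .ani
        "bad.ani": build_ani(ANIHEADER_SIZE + 24),        # oversized anih chunk
        "cut.ani": build_ani(ANIHEADER_SIZE)[:40],        # truncated, length lies
    }
    for name, blob in samples.items():
        print(f"{name:12} {triage(name, blob)}")
```

The point of the length checks is that a viewer which copies a chunk into a fixed-size structure on the strength of the chunk's own declared length trusts the file to be honest; a sniff-and-bounds-check pass before the file ever reaches a full-featured viewer takes that decision away from the attacker, although it is no substitute for patching the viewer itself.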
  • cabbey Registered Users Posts: 1,053 Major grins
    edited April 3, 2007
    Man it's nice to have a security researcher around here.

    Thanks for the heads up on this one, I've already alerted a couple folks I know that love irfan and use it as their default viewer while dealing with spam on a help desk.
    SmugMug Sorcerer - Engineering Team Champion for Commerce, Finance, Security, and Data Support
    http://wall-art.smugmug.com/
  • claudermilk Registered Users Posts: 2,756 Major grins
    edited April 4, 2007
    Just one thought regarding the comment on Irfan's responsiveness. You do realize it's one guy coding the app (Irfan Skiljan), correct? It does take him some time to get back to you, but he should sooner or later. I had some strange problems back when the 20D was first released and emailed with him directly; it just took a little time. I'll bet he's looking at the issue and has little time to reply to emails. In any case, it's good to know there is a possible issue.
  • luke_church Registered Users Posts: 507 Major grins
    edited April 4, 2007
    claudermilk wrote:
    Just one thought regarding the comment on Irfan's responsiveness. You do realize it's one guy coding the app (Irfan Skiljan), correct? It does take him some time to get back to you, but he should sooner or later.

    Sure. I have some sympathy with his position; I'm not exactly short of things to do either :D . However, I did report the issues over 100 days ago. As he has not contacted me at all, I have no idea whether the email was read or just vanished into a spam filter.

    Unfortunately, there were also many other organisations on the list that I contacted; I don't really have time to go chasing them up. I committed time to the ones that engaged me in discussion over the problem.

    I appreciate that my initial description may have sounded harsh; it wasn't intended that way. My comment that I have no confidence in the issue being resolved is not an accusation of incompetence. It's due to the problem of how you deploy a patch to over a million users whom you can't identify.

    Without a patching mechanism I don't have much hope of this issue being resolved.

    However, you're right, and I have much less sympathy for major companies who really should know better and who similarly failed to respond to my communications.

    Hope this clears up why I wrote what I did...