The exploit code circulating right now has all sorts of “have fun” comments. I think there should be a sports channel dedicated to software security.

This particular incident might show up on the “competitive buffer overflows” program.

Or how about a reality show that pits the common corporate development manager and engineers against the wily security consultants and insider threats? I would include outside threats, but frankly I don’t think the outsiders have a chance without some kind of inside connection.

Castles were either breached by long battles of attrition and overwhelming odds, or someone “found” a weakness by paying an insider or someone who had at some point been inside…

Anyway, the breach was reported about a day ago and I have not seen any response from the vendors yet. He suggests that you just need a target user to open a special PNG file in Photoshop or Paint Shop Pro on Windows XP and you can do nasty things like open a backdoor.

Multiple image editing applications are prone to a remote buffer-overflow vulnerability. This issue occurs due to a failure by the software to properly bounds-check user-supplied input prior to copying it to an insufficiently-sized memory buffer.

Successful exploits allow remote attackers to execute arbitrary machine code in the context of a vulnerable application. Failed exploit attempts likely result in denial-of-service conditions.

Perhaps the most annoying thing about this kind of attack vector is that images flow so freely today and Photoshop and Paint are so common. Note that the PNG attack follows the announcement last week by the same author that .BMP, .DIB and .RLE are also suitable methods of attack.