一套能用于检测主流格式文件（如JPEG和GIF等图像）漏洞的扫描工具即将发布。


‘黑帽’安全大会正在拉斯维加斯举行，与会的演讲者指出，应用程序处理不同格式的文件时会出现缺陷，进而演变成安全漏洞，安全专家对此抱有浓厚的兴趣。

这其中，有些出现的问题所造成的后果是严重的：打开一封邮件或浏览网上的一幅图片，这么简单的行为都可能导致受害者的电脑被劫持。微软本月初公开的3个极度危险的安全漏洞，其中的2个都是与文件格式缺陷有关。

类似的情况，很可能会大肆出现。目前，致力于安全信息情报的公司iDefense正在研制能自动扫描并发现文件内容存在问题的工具软件集。iDefense将于本周四的‘黑帽’大会中发布这个软件。

iDefense安全实验室主任Michael Sutton在‘黑帽’大会上作了有关的演示报告，他说：“我真的这样认为，对安全届而言，这类文件漏洞实在是小儿科。找出有问题的文件无需大费周张，但研制能发现问题的工具，却颇费心思。”

这套工具适用于Windows和Linux操作系统，能自动对文件先施行逐字节校验，然后再通过其它（外部）应用程序打开有问题的文件。打开文件时，如果发现问题数据，工具软件能立即将有问题的数据捕捉下来。据iDefense介绍，研究人员随即可以对这 些有问题的数据作详细分析，从中才可能找出问题所在。

Sutton说：“这套软件不是那种一个按键就能把问题一网打尽的工具。它只提供错误定位，以便研究人员作进一步的分析。”

这套工具，Windows版本称作FileFuzz，而Linux下则叫SpileFile及NotSpikeFile。它也能成为作恶的工具，iDefense显然希望它能保护用户。 Sutton表示：“水能载舟亦能覆舟。邪恶不是它的本质，我真的希望它能被用得其所。”

一位‘黑帽’与会者希望安全研求人员在使用这套工具时，能从善如流。来自国际科技应用公司（Science Application International）的安全工程师Joshua Feldman强调：“这些工具应该只用来寻找程序或文件中是否存在安全漏洞。它理应属于‘白帽’。”

这套工具是开源的，意味着任何人都可以对它扩充和改进。相应软件可从iDefense网站下载。

The hunt is on for file format bugs
July 28, 200
Joris Evers，Staff Writer, CNET News.com

LAS VEGAS--New tools could help bug hunters find vulnerabilities in popular file formats, such as the JPEG and GIF image formats.

Flaws in how applications handle those file formats are drawing interest among security researchers, according to speakers at the Black Hat security conference here.

Some of those bugs can be serious: A victim's PC could be hijacked by simply viewing an image on a Web site or in an e-mail. Microsoft issued three "critical" security bulletins earlier this month, two related to file format flaws.

There could be a significant increase in the discovery of such flaws. iDefense, a security intelligence company, is making available tools that let researchers automate the discovery of file format vulnerabilities. The company released the tools Thursday in conjunction with Black Hat.

"I really do think this is a low-hanging-fruit area for vulnerabilities," Michael Sutton, a lab director at iDefense, said in a presentation at Black Hat. iDefense itself has found several file format flaws. "We really did not work hard to find the vulnerabilities. We did work hard on the tools."

The tools, for Windows and Linux, can automatically tweak files bit-for-bit and then open the malformed file in any application. If an error is found in the opening of the file, the tool will capture the error data. The researcher can then investigate that data, which may point to a vulnerability, according to iDefense.

"These are not tools where you just push a button and the vulnerability shows up," Sutton said. "It pinpoints an exception and then you as a researcher have to investigate."

The tools, called FileFuzz for Windows and SpikeFile and NotSpikeFile for Linux, could be used with malicious intent, but iDefense hopes they will be used to help protect users. "These don't have to be used for evil purposes. They can be used for good, and I hope they will be," Sutton said.

One Black Hat attendee said he expects only well-intended security researchers to use the tools. "These tools only discover whether an application and a format could have a vulnerability," said Joshua Feldman, a security engineer at Science Applications International. "This is definitely for the white hats."

The tools are open source, which means others can expand and improve upon them. They're available for download from the iDefense site.