Press Releases

For immediate release

2005-06-20

Codenomicon discovers critical software vulnerabilities

Codenomicon Ltd, a global leader in black-box robustness and security testing, announced that it has helped discover critical vulnerabilities in several widely used web browser applications. These vulnerabilities were discovered and reported by NISCC (UK National Infrastructure Security Co-Ordination Centre) on 16 June 2005. The vulnerabilities concern the way web browsers handle various image file formats. The impact of the discovered vulnerabilities ranges from remote code execution to denial of service (DoS).

By utilizing the Codenomicon Images Test Tool, NISCC was able to quickly identify the vulnerability in the web browser. File format vulnerabilities represent a new trend in software security threats. During the past six months several vendors have reported problems in the handling of different image formats. In addition to web browsers, the Codenomicon Images Test Tool makes it possible to locate problems in other applications and devices with image handling capabilities, such as computer operating systems, DVD players, digital cameras, printers, mobile phones and even games consoles.

The Codenomicon Images Test Tool is one of the newest additions to Codenomicon's extensive line of test tools for ensuring the security of protocol and file format implementations. The image formats covered by the test tool include GIF89a, PNG, BMP, JPG, Microsoft Icon Resource (ICO), WAP-Forum Wireless Bitmap (WBMP) and X Consortium X Bitmap (XBM). Codenomicon's automated test tools discover faults in implementations by feeding them invalid and anomalous inputs. This helps eliminate potential security vulnerabilities from software during the development phase, before it is put into production.

This category of security vulnerabilities in the parsing of various image formats has finally been gaining public attention since last autumn, but Codenomicon has worked on security testing in this area since 2003, helping its customers avoid these problems proactively. Although Codenomicon's customers do not typically disclose the vulnerabilities they find, Red Hat has earlier promoted proactive security testing with Codenomicon tools in open source projects such as Apache and OpenSSL, helping them fix the security problems found before they could be exploited.

More details:

NISCC

http://www.niscc.gov.uk/niscc/index-en.html

Advisory from Microsoft

http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx

Codenomicon Ltd

Codenomicon Ltd is a leading developer of innovative products for information security. Codenomicon products are intended for testing the reliability of security-critical software products and systems. Codenomicon products include tools for testing the reliability of Voice-over-IP systems, availability-critical encryption services, Internet core protocols and routing infrastructure. Codenomicon's customers include software development companies and enterprises that require absolute dependability for their products and networks.

Codenomicon recently secured a total investment of 2.8 million euros (3.6 million USD) during its first round of financing from two leading European venture capital firms, Eqvitec Partners and Prime Technology Ventures. Codenomicon was founded in 2001. Codenomicon is based in Oulu, Finland, with a subsidiary in San Jose, United States. www.codenomicon.com