Apparently security researchers at Sophos have started using the term BWAIN, or “Bug With An Impressive Name,” to describe bugs that show up in the media with clever handles. For some reason, they believe that the security bugs named “Heartbleed”, “POODLE”, and “Logjam” represent a new publicity trend. Maybe they do, but I guess I don’t see too much difference between that and the older “ILOVEYOU”, “CODE RED” and “Melissa” virus names.
Still, BWAIN is, perhaps, a useful moniker. It more-or-less distinguishes the overwhelming number of vulnerabilities found every day from those that rise to the level of gaining traction in the media.
In 2015, “Stagefright” was identified as a fairly serious vulnerability. Stagefright is a problem in certain versions of Android’s multimedia processing libraries. Phones running affected versions of Android could be exploited simply by processing a maliciously constructed image.
Last week, Sophos published a post describing a new bug very similar to Stagefright, “one of 2015’s most newsworthy BWAINs.” Apparently Apple devices, both Mac computers and iDevices, have comparable vulnerabilities in their own media processing libraries. The good news, I suppose, is that Apple has already released fixes.
The deeper issues, however, are what we learn from Stagefright and Stagefright-style bugs. A few key points from Sophos’ post:
- Image processing has become incredibly complex, and with greater complexity come more bugs and vulnerabilities
- Image files are often processed automatically, without necessarily any interaction from the user
- Image files can be received and processed automatically from MMS messages sent by anyone
- It's possible to "weaponize" an image file, push it via MMS to a user with a vulnerable OS, and take over the phone
The potential damage that could be caused by such a weaponized image is difficult to estimate. Even beyond taking over phones via MMS, images are used everywhere and are typically viewed as relatively low-risk elements. Images are not dynamic, nor are they programmatic constructs. They aren’t even data entry fields whose inputs must be sanitized and whose sizes must be checked. When a security practitioner examines a website for potential vulnerabilities, the images and image handling are not usually the top suspects.
Because images are not typically threatening, computers render them automatically all the time. Accordingly, every app or application that uses the image processing library is potentially vulnerable. And unlike most vulnerabilities, it does not require users to do something unwise.
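The point above is that an image file is untrusted input like any other, and every length field inside it has to be checked against what was actually received before the parser acts on it. The following is an added example, not code from Sophos or from this post: it parses a toy chunked container (constructed for this example, not any real image format) and rejects files whose claimed sizes do not match the bytes present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy chunked image container, constructed for this example (not a real
 * format): a file is a sequence of chunks, each a 4-byte big-endian payload
 * length, a 4-byte tag, then the payload. The length comes from the file,
 * so it is exactly the kind of field a parser must validate before use. */

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the chunks and return how many are well formed, or -1 if the file is
 * malformed. Each claimed length is checked against the bytes that are really
 * present before the cursor advances, so a truncated or oversized length can
 * never carry the parser past the end of the buffer. */
int count_chunks(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 8)
            return -1;                      /* not even a full header left */
        uint32_t plen = read_be32(buf + off);
        /* Compare against the remaining bytes rather than computing
         * off + 8 + plen: the subtraction cannot overflow, the addition can. */
        if (plen > len - off - 8)
            return -1;                      /* payload claims more than exists */
        off += 8 + (size_t)plen;
        n++;
    }
    return n;
}

/* Constructed sample inputs: a valid two-chunk file, a file whose first chunk
 * claims a 4 GB payload, and a file whose payload is cut short. */
const uint8_t sample_good[]  = {0,0,0,2,'I','M','G','0','a','b', 0,0,0,0,'E','N','D',' '};
const uint8_t sample_huge[]  = {0xFF,0xFF,0xFF,0xF0,'I','M','G','0'};
const uint8_t sample_trunc[] = {0,0,0,10,'I','M','G','0','a','b','c'};

int main(void) {
    printf("good:  %d chunks\n", count_chunks(sample_good,  sizeof sample_good));
    printf("huge:  %d\n",        count_chunks(sample_huge,  sizeof sample_huge));
    printf("trunc: %d\n",        count_chunks(sample_trunc, sizeof sample_trunc));
    return 0;
}
```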
It is quite lucky that none of the bad guys appear to have gotten a weaponized image working.
But what about the future? Will there be more bugs in these image processing libraries in the future? Will clever hackers figure out how to exploit the next bugs better? What can we do?
Sophos only offered two suggestions:
- Patch early and often
- Disable MMS
I find this deeply unsatisfying. Reading this article reinforces many of the concerns I have been writing about over the past few months. I continue to worry that, because of unprecedented levels of complexity, compromise is becoming the new normal, and that users will increasingly be expected to disable functionality in order to be “secure.”
I do not believe that this is a sustainable path forward.