by Adam C. Engst <firstname.lastname@example.org>
Everyone knows that the Macintosh is Y2K-compliant - that the Mac OS knows about dates well into the next century, right? But we've learned of a Y2K-related problem that, although it doesn't affect Macs, could be serious for numerous Internet users who work with Intel-based PCs.
Graphic utility developer BoxTop Software has isolated a problem with certain GIF files that results in GIF viewers (including the GIF viewing code in Web browsers) either being incapable of displaying certain images or suffering from a buffer overflow error. Travis Anton of BoxTop Software said that the "GIF2K problem," as they're calling it, results from "a core failing of LZW compression which initialized code tables with information based on the date. After January 1st, 2000, displaying GIF images on affected systems can result in a buffer overflow during decompression."
Although the inability to display a specific GIF image is the most common result of the GIF2K problem, the buffer overflow errors are more concerning because they open a door for malicious programmers to create non-Y2K-compliant GIFs. In "Security Issue with Email Attachments" in TidBITS-441, Geoff Duncan described buffer overflows like this: "the way to take advantage of a buffer overflow is to craft the precise binary data that will get past the target program's bounds checking, then somehow cause that data to be executed as if it were code. ... To execute malicious code, the extraneous data must be designed to target a particular email program running on a particular operating system."
In this case, we're not talking about email programs, but instead GIF viewing code. A malevolent developer could create a specific GIF containing a small viral code stub that would cause a buffer overflow error in one of the popular PC Web browsers. Even if the GIF2K-based buffer overflow was used only as the initial infection vector (since many PCs aren't susceptible - see below), a virus could replicate using other means once it had established itself.
Worse yet, other forms of attack could help spread such viruses. For instance, a cracker could break into a popular Web site, replace the main logo GIF with one designed to take advantage of the GIF2K problem, and rest assured that no one could track the real point of origin, even if someone were to identify the source GIF.
What's Affected -- From BoxTop's testing, the GIF2K problem seems to affect a variety of Intel-based PCs that use several popular BIOSes (Basic Input/Output Systems - the core code that gets the system running and acts as a basic interface to the hardware). BIOSes from AMI and Award are the most susceptible, though some versions of the popular Phoenix BIOS are also affected. GIF2K hasn't been detected previously because it requires both a susceptible BIOS and a specific video adapter. In essence, the BIOS screws up when handing the GIF data off to the video display subsystem.
It's worth noting that although many older PC BIOSes have more significant troubles with Y2K date issues, the GIF2K problem is essentially a separate concern. It's a three-way problem, requiring specific BIOSes in combination with specific video adapters and a not-uncommon organization of bytes that result from the decompression of particular GIF files. Thus, a susceptible PC is difficult to identify based on its hardware or manufacturer.
Unfortunately, the possible combinations are too multifarious to list, and although someone will no doubt write a utility that you can run on a PC to see if it's affected, that hasn't yet happened. Even if it does, what good does the information do? It's not worth swapping a motherboard or buying a new video adapter to avoid this problem; it makes more sense to focus on the problematic GIFs themselves.
GIF2K Checker -- That's precisely what BoxTop Software has done, with a simple Mac application called GIF2K Checker. Drop a GIF file or a folder containing GIFs on GIF2K Checker, and it scans all the files. After noting problematic files, GIF2K Checker recompresses them in such a way as to eliminate the problem with the way the GIF format uses LZW compression. These changes do not change the file size or modify the appearance of images in any way. GIF2K Checker requires System 7.5.5 or higher on a PowerPC-based Mac, supports Navigation Services, and is performance-optimized for today's high-end G3-based machines.
Although it's still unclear what percentage of GIFs are affected, the number is significant, and everyone who publishes a Web site containing GIF graphics should run their GIFs through GIF2K Checker. It's ironic that a Macintosh-based tool will help prevent PCs from experiencing the GIF2K problem, but since most Web sites, and especially most Web graphics, continue to be developed on Macs, it makes sense.
Of course, GIF2K Checker is a stopgap measure, and other solutions will no doubt appear in the months before 01-Jan-00. For instance, Web-based solutions will no doubt appear for those few webmasters who don't already use Macs. Web search engine companies may even start traversing the Web looking for affected GIFs and notifying webmasters.
Geeks Bearing GIFs -- We'll be covering the GIF2K problem in future issues of TidBITS, but for the latest up-to-the-minute information, pay attention to TidBITS Talk, where we'll note which mainstream applications take steps to correct the problem on their own, as well as any compatibility checkers and useful utilities that become available.