Are Hotlinked Images Now a Liability?

ConcernedImage asks: "I work for a company that has a strong online community, with a full set of message boards that currently allow external image hotlinking. With the new WMF exploit out there, all it takes is one user to link to a bad image, and suddenly it's -our- web site inflicting the computers of others (at least, as far as our users are concerned). Is allowing hotlinked images a legal liability now? What steps are other online communities taking to protect themselves and their users against this?"

Hotlinking WMFs in a webpage

[Orrin+Bloquy]

I believe that's the technical definition of stupid.

Re:Hotlinking WMFs in a webpage

[Elwood+P+Dowd]

The WMF vulnerability applies to any image displayed by internet explorer. It uses inspection rather than extension to figure out the file type.

Re:Hotlinking WMFs in a webpage

[FooAtWFU]

How are you supposed to tell? It's one thing to check file extensions, but you could still have something sending a different Content-Type: via CGI, or an HTTP redirect, or something. Does this mean that you should check every image hotlinked by users' code for safety? What if the image is subsequently changed? What if it triggers an exploit in your checking library? It's all very troublesome. Maybe you should download the image in question and check it and refer users to the downloaded version instead of the one originally linked- but then it's your image, your bandwidth, your copyright violation worries, and if it's like on many online bulletin boards someone will want a little cutesy image in their forum signature that IS dynamically generated (slideshow?) and maybe has some sort of hit count or echoes your IP address and browser or something. So what do you do?

Re:Hotlinking WMFs in a webpage

Using the extension would be wrong behaviour anyway. The browser should obey the Content-type.

Re:Hotlinking WMFs in a webpage

[civilizedINTENSITY]

"The browser should obey the Content-type." That isn't the offical "right" behavior. Rename your bitmap containing .wmf as .jpeg and it looks and acts like a jpeg (with the ability to run code, unless patched.)

Re:Hotlinking WMFs in a webpage

[cyberkreiger]

From RFC2616:
      "... If
      and only if the media type is not given by a Content-Type field, the
      recipient MAY attempt to guess the media type via inspection of its
      content and/or the name extension(s) of the URI used to identify the
      resource."

Re:Hotlinking WMFs in a webpage

[mysidia]

Check both and always prompt the user to make a selection about how to open the file if the File extension and the Content Type are not consistent.

The reason to do that is that some might try to trick others by using a file with a misleading name, such as naming a PNG "foo.jpeg"

Re:Hotlinking WMFs in a webpage

[civilizedINTENSITY]

Sorry, I wasn't specific. I didn't mean the real defacto offical "right behavior", as an RFC would be, but rather the dejure microsoft offical right behavior. What you've shown is that the microsoft behavior doesn't meet the RFC. Like MS Java? MS JavaScript? Not surprised...

Re:Hotlinking WMFs in a webpage

[shadowmas]

Since the question is basically about what a online community / forum can do to not be liable for the damage done by a hotlinked image, the simplest solution would be to block allow people to hotlink images however to not show them to the viewers of the page by default but to give them a option which they can enable (after agreeing to a disclaimer) which will dislay the hotlinked images in the page/site. this is pretty much the same concept which is used by email clients to disable tracking images which come embedded in spam emails.

Hotlinked images always were a liability

[bartjan]

Hotlinks always were a liability, or at least have been from the moment the goatse domain was registered...

Captain Obvious Raises His Hand

[L.+VeGas]

Uh... not allow hotlinking to wmf files?

Re:Captain Obvious Raises His Hand

[Inominate]

There is no way to tell.

Check the filename? Ok the malicious webserver will lie about the filename vs the mime type.
Check the file itself? Ok, now the malicious webserver just serves different files for different sources.

There's no automatic way to prevent wmf files from being linked to, which is what the whole point of TFA is.

Re:Captain Obvious Raises His Hand

[heavy+snowfall]

Accept no new external image src= links until after a fix has been pushed out over Windows update? Maybe require all forum sig images to be hosted by you?

Re:Captain Obvious Raises His Hand

[mysidia]

There's no automatic way to prevent wmf files from being linked to, which is what the whole point of TFA is.

Have the forum automatically retrieve a copy of the image from the URL entered.

Automatically reject the image if it is of a different type than claimed, is too big, is a WMF, doesn't exist, etc...

Automatically repeat the check on a periodic basis: and automatically remove the image if it changes.

Remove image-posting privilege or ban from the forum anyone whose image submissions are removed (or fail) on a sufficient number of occasions.

Make "show user-submitted inline images" an option that visitors to the site have to specifically enable, which involves accepting an agreement.

Re:Captain Obvious Raises His Hand

Isn't it risky having your webserver automatically hit a file that is specified by a user? A user that is clearly untrusted as you are needing validation of all the image.

Will your site be obeying robots.txt? If so then validation is pointless just add deny line into robots.txt. Some sites don't appreciate being hit by half the webservers in the world at once because someone added there image to a forum. Couldn't this be used as a way of launching DDOS attacks against any webserver that hosts an image?

You seem to be forgeting that webservers have the abillity to lie when serving up any file. If the automatic load is imediate then simply use a server side script, like PHP server the image and for the first N number of hits log IP and server a valid .jpg file. The websevers IP is not going to change, unless you have multipule servers which only big sites can aford. Whenever a hit comes in for one of the first used IPs server a valid .jpg just incase its a validation check. Using things like apache's rewrite you could have a url like http://www.example.com/bad/image/12345/file.jpg which would pass name validation which could easilly be changed to http://www.example.com/badImage.php?src=12345 and for every differant src restart the process of monitoring the first few hits. That way a user can use the same bad image for any site that allows image submission.

Remove image-posting privilege or ban from the forum anyone whose image submissions are removed (or fail) on a sufficient number of occasions
Closing stable door after horse has bolted. Automatic checks can be falsified as shown above. Human checks can take to long. Plus if the attack is subtle enough te infected user won't no where it came from. If its sever enough the user might be unable to inform the site or may be more worried about recovering there PC. By which time enough people will have been hit by the image.

Although I mentioned a specific way of avoiding that kind of validation there are of course numerous other ossible attacks.

Make "show user-submitted inline images" an option that visitors to the site have to specifically enable, which involves accepting an agreement.
I do agree completely with this. However its more of a legal solution then a technical solution. Of course users can block images from there browser or block remote images (just make sure you don't allow users to upload an image. However uploaded images can be validated, block wmf based on begining of file.)

The real problem is browsers see an image and assume its safe to try and display it. How could it possibly do damage? Oh dear some moron decided it would be OK to allow an image file to include executable code. A browser won't download an executable and run it for you without asking just because someone stuck it on a webpage but it seems its OK to do this with an image.

Everytime you allow contant to be inserted into your webpage thats not your content then you run this risk. And its not just things like forums or comments. Retreiving RSS fees and adding them to your page is adding externel content, as is using advert scripts like googles. The only safe way would be to avoid any user submited data at all.

Just released that you could of course require all images to be moderated by a human before being displayed att all, however this would reduce usabillity as the image could be an important part of the post and depending on how many staff you got on your site and your sites size it may take a while to get through all the images. Plus how many people would agree to "look at this image to make sure it don't destroy a user computer", would you be willing to risk your machine? not without one hell of an incentive!!!

Re:Captain Obvious Raises His Hand

[The+Clockwork+Troll]

That doesn't work because existing hotlinked image URL's can still be compromised.

Taking steps?

[Schezar]

What steps are other online communities taking to protect themselves and their users against this?"

Using Linux? Using a Mac?

I kid. But seriously, the issue is PC security, not server security. If your PC is vulnerable to an exploit simply for viewing an image, the problem is YOURS, not the server that happens to link to an image that happens to use that exploit.

Re:Taking steps?

[Scarblac]

Yes, but if it does affect 99% of your users, and people trust your site not to be malicious so they keep coming, but you allow random people to post images to your forums... turning that off for now seems like a good idea to me.

Re:Taking steps?

[jZnat]

99%? 1997 called; they want their browser statistics back.

Besides, it's Microsoft's fault for the WMF format, allowing this exploit to be used, not patching it quickly, and many other problems regarding MSIE. If they aren't liable for the WMFs, nobody but the users who post them are.

Re:Taking steps?

[Scarblac]

99%? 1997 called; they want their browser statistics back

It's a Windows flaw, not a IE flaw. Firefox is vulnerable too.

Re:Taking steps?

[civilizedINTENSITY]

"It's a Windows flaw, not a IE flaw." Agreed, you can trigger the code by entering a directory with File Explorer. Parsing to build thumbnails is enough. Clicking on the file (say to look at "properties", or to delete it) can also trigger it.

Re:Taking steps?

[damiam]

You can't be infected with Firefox just by viewing a webpage. You have to be stupid enough to be download and run the infected file.

Hehe

Hotlinking is now officially a lose-lose situtation for all parties involved.

It's like asking...

[toddbu]

if someone steals your gun and kills someone, are you liable? It's unlikely that you'd be liable, but it's really up to the people doing the decision making. Always make sure you have a good lawyer, just in case.

Re:It's like asking...

[MrWa]

While the website owner may not be legally liable there is the concern that customers/visitors/users/etc. of the website will not distinguish between hotlinked images and images hosted by the company. Those people that visit the website for [big web company] and get attacked by a virus will not care or bother to investigate if the image hotlinked or not - they will simply think that [big web company] has a crappy, insecure, unsafe website. Sure, you may not be liable for the damages (but, really, who in the computer industry is held liable for this type of thing ever?) but the commercial ramifications of not taking adequate precaution is serious enough to warrant relooking at the policy allowing hotlinking.

Re:It's like asking...

[Mr.+Shiny+And+New]

This problem exists for sites that display ads from third parties as well. A site I know was surprised to find out that a third-party ad provider was negligently letting their advertisers serve content that tried to exploit IE in order to install spyware. Needless to say, this company immediately terminated its relationship with the third-party provider. However there are lots of times when it's extraordinarily useful to allow users to link to or upload content for other users to see.

Take Flickr for example. If a JPEG vulnerability is found, simply browsing Flickr could exploit your browser. Flickr hosts the images themselves, so they'd essentially be hosting the exploit. How can they protect themselves from malicious users? They will have to be creative, perhaps doing a JPG->bitmap->JPG conversion every time (maybe they do that already?)

Anyway, the point is you can never trust a user or a third party when your business and reputation are at stake.

I see three options:

[jargonCCNA]

1. Disable external image linking.
2. Tweak your forum software to only allow hotlinks to .gif, .jpg and .png.
3. Remind your users that your company is not responsible for what people post to the forum.

I suppose you could always cache the images people link to in order to virus-scan them, but that seems really time- and space-consuming.

Re:I see three options:

[WTBF]

2. Tweak your forum software to only allow hotlinks to .gif, .jpg and .png.

The exploit worked even if the files had the wrong extension (of gif, jpeg etc).

Re:I see three options:

[Bogtha]

Tweak your forum software to only allow hotlinks to .gif, .jpg and .png.

That's impossible. You might be able to restrict it to images with URIs ending in those extensions, but extensions are largely irrelevant to the WWW, it's the Content-Type header that matters, which can't be checked because the person serving it can change it at any time. To add to the complication, because of the way many browsers are implemented, even if you could enforce the Content-Type restriction, the browsers would ignore it anyway.

Re:I see three options:

[jargonCCNA]

You might be able to restrict it to images with URIs ending in those extensions, but extensions are largely irrelevant to the WWW, it's the Content-Type header that matters, which can't be checked because the person serving it can change it at any time.

I know it wouldn't do much good for precisely that reason, but it would take care of accidental links to the malicious images.. say someone makes one of these WMFs of something cute. Some granny with enough ability to upload images to a server (I was going to say .Mac, but I'm fairly certain Macs don't display WMFs) decides to link to it in her signature or her userpic and pow, everybody using Windows gets screwed...

Re:I see three options:

[Zocalo]

You should probably be doing #3 anyway, but:

4. Have your users upload their images to your server, only supporting format(s) that can be verified as being what they claim and cannot directly execute scripts like WMF files can (GIF, JPEG, ...). Politely refuse to accept images that are *not* what they claim; Joe might have saved a GIF document with a .JPG extension by mistake after all.

Now that does not preclude there being some means of exploiting the relevent image handler on the web browser's PC to execute code embedded in the file, and indeed there is no protection against this. In that eventuality however you can at least disable the upload of new images and scan the ones you already have as soon as the tools to do so become available, moving anything suspicious out of the live environment for further analysis. You've shown as much due diligence as could reasonably be expected, probably more that most others in your situation, and ultimately the root cause of the problem is completely out of your hands in the hands of the broken graphics viewer being used by the web browser.

Re:I see three options:

[jargonCCNA]

Have your users upload their images to your server, only supporting format(s) that can be verified as being what they claim and cannot directly execute scripts like WMF files can (GIF, JPEG, ...).

Yeah, but the interface for doing that is always pretty kludgy, from what I've seen.. but that was my point behind caching the images that people link to. You could do it entirely transparently and ensure that the images are safe... it's just a matter of providing enough space.

Re:I see three options:

[daviddennis]

I think the severe problem here was that regardless of the content-type header, Internet Explorer would still recognize the signature at the beginning of the file as WMF and therefore display it as WMF.

Is there any canned code to verify that an image is in WMF format? It seems to me that there's no reason not to ban WMF uploads since I can't think of the last time I heard of someone actually wanting to use that file format for its charactertistics.

D

Re:I see three options:

[Bogtha]

Is there any canned code to verify that an image is in WMF format?

The identify utility that is part of ImageMagick can do it.

Re:I see three options:

[FooAtWFU]

caching the images that people link to. You could do it entirely transparently and ensure that the images are safe... it's just a matter of providing enough space.

The problems now become: your bandwidth, your potential copyright violation, your disk space and processing time, your risk if there's an image-based exploit on your image-checker (always a remote possibility)... and in many of the random phpBB communities and such on the Web, all those are in short supply- and moreover, many of them have users who like their dynamically generated image from their own webserver and use it for some sort of webcam or "This is your IP address and user-agent" or system-uptime script or slideshow...

Re:I see three options:

[civilizedINTENSITY]

But it wouldn't "take care of accidental links to the malicious images" because "someone makes one of these WMFs of something cute. Some granny with enough ability to upload images to a server" will upload the .gif, or .jpg, or whatever extension is used. How is she going to tell it is *not* a .gif, or .jpg? Hexedit?

Re:I see three options:

[jargonCCNA]

your bandwidth
..Oh yeah, I forgot how expensive traffic is..

your potential copyright violation
I don't know, if you disclaim responsibility for what people post, you could make a case that the poster is the copyright violator because they weren't given a licence to distribute the material and that your server merely did as it was told, on the assumption that the poster did have the licence.

your risk if there's an image-based exploit on your image-checker (always a remote possibility)
True, but also much easier to deal with if it arises.

in many of the random phpBB communities and such on the Web, all those are in short supply
But the article submitter said, "I work for a company that has a strong online community," so I was working on the assumption that they'd probably have the income to handle at least the disk space issue.

use it for some sort of webcam or "This is your IP address and user-agent" or system-uptime script or slideshow
As far as I'm concerned, people who put their webcams or uptime in their sigblocks should be shot, along with anyone who uses one of those 'this is your IP/user-agent' scripts. They're retarded. It's easy information to get and doesn't necessarily reveal any looming security threats.

Y!PP did block inline images

[Scarblac]

The forums of Puzzle Pirates switched off all images when it became clear how bad this exploit is. They later turned back on avatars, since they're checked by the server (only accepts JPEGs and GIFs of a certain max size, and then stored server side, as far as I know).

The original announcement said they'd be back when Microsoft release their official patch, but I think PP is giving everybody time to patch first.

ASK A LAWYER !

[redelm]

You want and need good legal advice. That can only be given by apocryphal competant lawyers.

IANAL, but IMHO you most definitely are liable for unusual hazards to present to visitors. I'm not sure how you avoid liability for libel and copyright violations except perhaps by prompt action. Common-carrier is not common-storer, although public warehouses have existed for centuries.

Here, it is very easy for you to wrapper IMG tags to require a click, and maybe tag them with source URL for those many lusers who surf with Status lines turned off, or who have no clue to look. Then at least the user specifically asked for it, rather than having it unknowably thrust upon her when hitting a previously-safe page.

This will always be a problem.

[linuxkrn]

You see, even if you did disable hotlinking to images, someone could just as easy post a link to a picture on another server naming it other then WMF. And say check out this cool picture. Granted the user has to click on the link then, but tell me most users don't do that anyway?

Also, what about javascript? All the script has to do is call for the image to be loaded, not even displayed. The problem is much larger then just stopping sites from hotlinking images.

Your question is that it's a liability, I would say no. You didn't host nor did your site/staff post malicious WMF. But could your reputation suffer, of course.

Re:This will always be a problem.

[MadAhab]

You see, even if you did disable hotlinking to images, someone could just as easy post a link to a picture on another server naming it other then WMF. And say check out this cool picture. Granted the user has to click on the link then, but tell me most users don't do that anyway?

Certainly it's not efficient to check all the time in advance - or else, the only plausible strategy is to cache - that way you can guarantee the content being delivered. Now what precautions are reasonable?

Also, what about javascript? All the script has to do is call for the image to be loaded, not even displayed. The problem is much larger then just stopping sites from hotlinking images.

Right. It's not always about the content of the images. Sometimes the means of loading the images are, on their own, offensive.

Your question is that it's a liability, I would say no. You didn't host nor did your site/staff post malicious WMF. But could your reputation suffer, of course.

It comes down to this; if someone can display a picture on your page, what they display can make you look bad. They don't even need to do something illegal. And that can cost you, whether or not there is any legal liability involved.

images are like ways to include pages in a way

[insertwackynamehere]

i know, theres a lot of restrictions on what images can do and not included files, but i mean, images can do a lot of things. not only are there vulnerabilities in actual image files themselves, but its easy to create a php file with the extension ".png" and headers telling the browser it's a png file. then you just make sure you render a png image as the end result when the script is embeded with an image tag, and in between that you can do a lot of things. you can get IP addresses and other information and there are no doubt xss vulnerabilities as well, you're pretty much including a php file as if it was an image. there definatly are limitations, its not like you are just using a ?php in the webpaged linked, but there are plenty of vulnerabilities as well.

Great

[sharkey]

With the new WMF exploit out there

There's a new WMF exploit out to take the place of the one patched yesterday?

Re:Great

[FooAtWFU]

No, but you can't be sure that everyone patched themselves. I mean, maybe you can on Slashdot, but certainly not on half the random phpBB user communities across the web.

Don't worry too much about it.

[Hanashi]

I can understand why you'd be concerned about the possiblity of your website serving exploit code to unsuspecting users. However, I'd like to point out that the problem is not unique to your site, nor does it only affect sites that allow users to post images. I've posted a writeup about a security incident I investigated that involved a malicious WMF being distributed through syndicated advertisements, and I know the same thing happened when the GDI vulnerability was discovered. The bottom line is that it's very difficult to lock down all the attack vectors for something like this, and your website is probably no worse than anyone else's at this.

Patch is out there.

[WhatAmIDoingHere]

Microsoft released a patch for this. Try again, Slashdot.

Re:Patch is out there.

[mh101]

Doesn't mean every Windows PC out there will be magically patched within 24 hours... even with automatic updates turned on, it's still not like Windows is checking every 5 minutes for new patches.

Re:Patch is out there.

[JesseMcDonald]

How about this: On any page which hosts images, add a link to a WMF file with the patch. That way the first time someone opens the page in an exploitable program, the patch is applied automatically and the remaining images can't cause any damage.

Only partly joking...

Hi

and welcome to slashdot.

You seem to have missed some important information in the past few days. THE MALICIOUS WMFs CAN BE RENAMED AS .JPGs!

now, stop being such a dickhead.

The WMF bug was a big disaster

[SmallFurryCreature]

Sadly MS handling of it was typical and the windows user reaction to it was typical as well.

I am of course a geeky nerdy never washing never getting laid linux user who hasn't had to worry about security alerts at all in 2005 (Check somebody elses post in one of the CERT stories where he shows that there have been no cyber alerts for linux in 2005) the last I think was in 2004 or 2003 relating to opensll or ssh.

MS response was idiotic and shows they totally do not care about their customers. In the best case they should have made it very clear to every windows user that browsing the net was dangerous and put out a simple patch that disabled WMF completly or at least put up a warning before a wmf like file is accessed even if it is a WMF disguising itself as a jpeg.

Oh but this could break existing products? WHO THE FUCK CARES? It is like worrying that cutting off the electricity and gas after an earthquake is going to make your icecream melt. The WMF exploit is a disaster and that means it is time for drastic measures.

Windows users should have been up in arms. Browsing the internet became a no-no even with non-porn sites. Only thing that has to happen is 1 person on forum having a exploit for their avatar image and bang.

I have seen several people being affected by this exploit. Sure some were stupid free porn sites surfers but not all of them. Just normally using their computer and BAM. Infected.

We have been getting a lot of comments from MS fanboys about how much stabler XP is and that MS is getting a lot more serious about security. HA. This WMF thing has shown that MS is still the same MS of old. Nothing has changed. A full week to patch exploit affecting all your users and the all the MS fanboys can do is sputter "They had to test it" yeah right. Oh well at least it seems that this time the patch actually works. That gotta be a first.

Oh well now to answer your question. There is nothing to do here but disable unchecked content on your website. That means you gotta host every image yourselve and make sure you check that it is what it claims to be in your upload code.

The MS patch won't change a fucking thing. An awfull lot of MS users never patch up so this WMF exploit will be with us as long as that code red crap and every other windows exploit. If I am ever diagnosed with an incurable disease and only have a few weeks left, gates is going to get a bullet in the head.

Re:The WMF bug was a big disaster

For an alleged Linux user without a care in the world you sure got your panties in a twist.

Re:The WMF bug was a big disaster

[ScrewMaster]

... gates is going to get a bullet in the head.

Don't leave Ballmer out of this. Save a cartridge for him: any number of Slashdotters would be willing to provide a spare bullet ... maybe even two (you know, just to be sure.) Although, now that I think about it, I'm not entirely sure that a wooden stake wouldn't be more appropriate.

Let the user know, don't hide the flaw.

[JoeCommodore]

When you detect a Windows system give them a different app that strips out all the images for thier own safety and inform them of the fact (also mention that accessing the site via Mac or Linux, being more secure, allows image viewing). Why hide the fact from the user, it's thier computer at risk.

Use a diagnostics wmf

[heson]

You want to craft a wmf thats shows this url http://www.microsoft.com/technet/security/Bulletin /MS06-001.mspx to users in need of help. Might oper for more legal trouble though...

Here, let me spell it out for you:

[Hosiah]

*cue piano*

'F' is for the Fear you won't have anymore.
'I' is for the Internet you love to peruse.
'R' is for the redundant mod this post will score.
'E' is for the Explorer you'll no longer use.
and..
'F' is for the Favorite of so many on the Net!
'O' is for the Open Source in "FOSS"!
'X' is for the Xtra plugins you're bound to get.
And that spells "FIREFOX": http://www.firefox.org/Tell your boss!

Re:Patch is out there. YES, install FireFox

http://www.mozilla.org/firefox
http://www.mozilla.com/products/

http://www.opera.com/download/
http://www.opera.com/

http://www.theopencd.org/ Download the 650MB ISO image file and burn to CD share with your friends who have less bandwidth to the internet to install FireFox broswer and Thunderbird e-mail client on their Windows PC.

Make a WMF virus variant that pops open the http://www.mozilla.com/firefox/ website to give the user an opportunity to click "Install FireFox" for windows. Hey I did not force him to install anything, but just pointed it out.

Remember, Its the thought that counts! I was just making it easier for the end user to use his or her computer Virus free.

Fred

to fix this problem http://www.microsoft.com/technet/security/Bulletin /MS06-001.mspx