
Aussie spy agency gets first bug bounty credit

Remote code exec reported in HP Autonomy.

Australia's national spy agency has been credited with its first public vulnerability disclosure after reporting a remote code execution vulnerability in an HP Autonomy component.

The Australian Signals Directorate had previously reported vulnerabilities in a variety of software but it is the first time its work has been publicly recognised.

The agency, like its overseas peers, carries out both defensive and offensive vulnerability and exploitation research.

It says the disclosure is part of its internal security function.

"As part of its Information Security function, ASD has previously disclosed vulnerabilities to vendors. This is the first time ASD has been publicly credited with the discovery and disclosure," a spokesperson says.

"ASD vulnerability research work has long served the wider information security community, but until now has not received public acknowledgement.

"ASD will continue to work with vendors on the discovery and public disclosure of vulnerabilities in software and hardware as appropriate."

The vulnerability (CVE-2015-5416) affects an Autonomy component called KeyView IDOL, which parses non-text documents so they can be ingested into databases. The IDOL GIF parsing remote code execution hole is rated with a severity score of 7.5 and allows attackers to execute arbitrary code on vulnerable installations.

Exploitation requires user interaction: a victim must be phished or otherwise induced to visit a malicious page or open a malicious file.

"It is possible to trigger a buffer overflow by specifying an overly large ImageWidth within a GIF. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the process."
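The defensive counterpart to the bug described above is to validate a GIF frame's declared dimensions before any buffer is sized from them. The C below is an added example written for this article, not HP's or KeyView's code: it parses the GIF header, logical screen descriptor and first image descriptor, rejects a frame whose ImageWidth or ImageHeight does not fit the logical screen, and computes the pixel count in 64-bit arithmetic against a constructed policy cap (`MAX_FRAME_PIXELS`), with two constructed sample files embedded inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Policy cap on decoded frame pixels; a constructed value for this example. */
#define MAX_FRAME_PIXELS (64u * 1024u * 1024u)

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Validate the header, logical screen descriptor and first image descriptor.
 * Returns 0 (and *pixels) on success, -1 for malformed input, -2 when the
 * declared frame exceeds the logical screen or the policy cap. */
int gif_check_first_frame(const uint8_t *buf, size_t len, uint64_t *pixels)
{
    if (len < 13) return -1;                              /* header(6) + LSD(7) */
    if (memcmp(buf, "GIF87a", 6) && memcmp(buf, "GIF89a", 6)) return -1;
    uint16_t screen_w = le16(buf + 6), screen_h = le16(buf + 8);
    size_t pos = 13;
    if (buf[10] & 0x80) {                                 /* global colour table */
        size_t gct = 3u * (1u << ((buf[10] & 0x07) + 1));
        if (len - pos < gct) return -1;
        pos += gct;
    }
    if (len - pos < 10 || buf[pos] != 0x2C) return -1;    /* image descriptor */
    uint32_t left = le16(buf + pos + 1), top = le16(buf + pos + 3);
    uint32_t w = le16(buf + pos + 5), h = le16(buf + pos + 7);
    if (w == 0 || h == 0) return -1;
    /* The frame must fit inside the logical screen, so an oversized ImageWidth
     * is rejected here rather than used to size a pixel buffer. */
    if (left + w > screen_w || top + h > screen_h) return -2;
    uint64_t total = (uint64_t)w * h;                     /* cannot wrap in 64 bits */
    if (total > MAX_FRAME_PIXELS) return -2;
    *pixels = total;
    return 0;
}

/* Constructed samples: a 2x2 frame on a 2x2 screen, and the same file with
 * ImageWidth set to 0xFFFF. */
static const uint8_t SAMPLE_OK[] = {
    'G','I','F','8','9','a', 2,0, 2,0, 0x00, 0, 0,
    0x2C, 0,0, 0,0, 2,0, 2,0, 0x00 };
static const uint8_t SAMPLE_WIDE[] = {
    'G','I','F','8','9','a', 2,0, 2,0, 0x00, 0, 0,
    0x2C, 0,0, 0,0, 0xFF,0xFF, 2,0, 0x00 };

/* Convenience wrappers for callers that only need the verdict or the count. */
int classify(const uint8_t *buf, size_t len)
{ uint64_t px = 0; return gif_check_first_frame(buf, len, &px); }
uint64_t first_frame_pixels(const uint8_t *buf, size_t len)
{ uint64_t px = 0; return gif_check_first_frame(buf, len, &px) == 0 ? px : 0; }
```

A real decoder would also need to walk extension blocks and later frames, but the same two checks (fits the screen, product within a cap) apply to each image descriptor.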

A fix has been issued. ®
