Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

RE: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer]

From: "Dom De Vitto" <dom () DeVitto com>
Date: Mon, 2 Sep 2002 23:59:59 +0100
Right on.

And I thought about this attack vector back in, ooooh, '93 (!)
(back in the days when people said:
  "you *can't* catch a virus from just reading an email!"
 if they only knew what we know now.... :-( )

Yep, a datafile is just like interpreted pseudo code, no different
to a flash file.  I do think that that attack vector had been
checked over to death, but then why does a particular .gif cause
such woes for IE, as discussed in another thread....?

Dom De Vitto

-----Original Message-----
From: Roland Postle [mailto:mail () blazde co uk] 
Sent: Monday, September 02, 2002 6:54 PM
To: vuln-dev () securityfocus com
Subject: GIFs Good, Flash Executable Bad [Was: Plain text files in
internet explorer]



GIFs can't exploit your
system.  Flash files can, just like any executable.


This myth that static data files such as gifs, jpegs and zip files
/can't/ exploit your system really gets to me. Virus scanners continue
to scan only 'active' content, but some applications are in such
widespread use now that it's only a matter of time before a
vulnerability in say, Winzip's file handling, is exploited in a virus
that infects .zip files. Or a vulnerability in IE's jpeg module that
allows jpegs to carry viruses. It's not 'just like any executable', but
it's not automatically safe either.

- Blazde
Previous By Date Next
Previous By Thread Next

Current thread: