Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer]

From: Blue Boar <BlueBoar () thievco com>
Date: Tue, 03 Sep 2002 08:13:21 -0700
This is one of my favorite vulnerabilities:
http://online.securityfocus.com/bid/1503
It's an overflow in the JPEG handler in Netscape.
I don't know of one for GIFs off the top of my head, but the same principle applies. If there's a viewer with a bug, then there is a possibility that it can be used to exploit the client. 

                                                BB

Roland Postle wrote:
GIFs can't exploit your system. Flash files can, just like any executable. 

This myth that static data files such as gifs, jpegs and zip files
/can't/ exploit your system really gets to me. Virus scanners continue
to scan only 'active' content, but some applications are in such
widespread use now that it's only a matter of time before a
vulnerability in say, Winzip's file handling, is exploited in a virus
that infects .zip files. Or a vulnerability in IE's jpeg module that
allows jpegs to carry viruses. It's not 'just like any executable', but
it's not automatically safe either.
Previous By Date Next
Previous By Thread Next

Current thread: