Right on.
And I thought about this attack vector back in, ooooh, '93 (!)
(back in the days when people said:
"you *can't* catch a virus from just reading an email!"
if they only knew what we know now.... :-( )
Yep, a datafile is just like interpreted pseudo code, no different
to a flash file. I do think that that attack vector had been
checked over to death, but then why does a particular .gif cause
such woes for IE, as discussed in another thread....?
Dom De Vitto
-----Original Message-----
From: Roland Postle [mailto:mail_at_blazde.co.uk]
Sent: Monday, September 02, 2002 6:54 PM
To: vuln-dev_at_securityfocus.com
Subject: GIFs Good, Flash Executable Bad [Was: Plain text files in
internet explorer]
> GIFs can't exploit your
> system. Flash files can, just like any executable.
This myth that static data files such as gifs, jpegs and zip files
/can't/ exploit your system really gets to me. Virus scanners continue
to scan only 'active' content, but some applications are in such
widespread use now that it's only a matter of time before a
vulnerability in say, Winzip's file handling, is exploited in a virus
that infects .zip files. Or a vulnerability in IE's jpeg module that
allows jpegs to carry viruses. It's not 'just like any executable', but
it's not automatically safe either.
- Blazde
Received on Sep 03 2002
Intro
