Re: [Full-Disclosure] 2 vulnerabilities combine to auto execute received files in Nokia series 60 OS

From: Anders Langworthy (hades_at_psilanthropy.org)
Date: 01/24/05

  • Next message: 3APA3A: "[Full-Disclosure] SECURITY.NNOV: Multiple applications fd_set structure bitmap array index overflow" 
    Date: Mon, 24 Jan 2005 14:17:55 -0600
To: Paul Kurczaba <seclists@securinews.com>

    Paul Kurczaba wrote:
    > Wouldn't the phone try to open the jpg file as a picture, and not execute
    > it. Just like on desktop PCs: if you rename a .exe (application/program) to
    > a jpg (picture file), and try to open the file, your image program will open
    > the file, thinking it is a image file. The application code will not be
    > executed.

    Ideally, yes. But as demonstrated by the Microsoft GDI exploit, just
    because a file is not executed proper doesn't necessarily mean it's safe
    from problems in the underlying application.

    I'd still say that this isn't really a problem directly (after all, it's
    considered "safe" to view a webpage with images that are loaded without
    prompting), but the fact that attachments are automagically loaded does
    provide a spectacular way to automatically infect a large amount of
    phones if somebody were to come up with a way to payload an attachment.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: 3APA3A: "[Full-Disclosure] SECURITY.NNOV: Multiple applications fd_set structure bitmap array index overflow"

    Relevant Pages