RE: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer]
From: Dom De Vitto (dom@DeVitto.com) Date: 09/03/02
- In reply to: Roland Postle: "GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer]"
From: "Dom De Vitto" <dom@DeVitto.com> To: "'Roland Postle'" <mail@blazde.co.uk>, <vuln-dev@securityfocus.com> Date: Mon, 2 Sep 2002 23:59:59 +0100
Right on.
And I thought about this attack vector back in, ooooh, '93 (!)
(back in the days when people said:
"you *can't* catch a virus from just reading an email!"
if they only knew what we know now.... :-( )
Yep, a datafile is just like interpreted pseudo code, no different
to a flash file. I do think that that attack vector had been
checked over to death, but then why does a particular .gif cause
such woes for IE, as discussed in another thread....?
Dom De Vitto
-----Original Message-----
From: Roland Postle [mailto:mail@blazde.co.uk]
Sent: Monday, September 02, 2002 6:54 PM
To: vuln-dev@securityfocus.com
Subject: GIFs Good, Flash Executable Bad [Was: Plain text files in
internet explorer]
> GIFs can't exploit your
> system. Flash files can, just like any executable.
This myth that static data files such as gifs, jpegs and zip files
/can't/ exploit your system really gets to me. Virus scanners continue
to scan only 'active' content, but some applications are in such
widespread use now that it's only a matter of time before a
vulnerability in say, Winzip's file handling, is exploited in a virus
that infects .zip files. Or a vulnerability in IE's jpeg module that
allows jpegs to carry viruses. It's not 'just like any executable', but
it's not automatically safe either.
- Blazde