Re: C file recoginzed as image file
From: Chris Moore
Subject: Re: C file recoginzed as image file
Date: Tue, 09 Jan 2007 23:58:42 +0100
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.92 (gnu/linux)

"Juanma Barranquero" <address@hidden> writes:

> Are you proposing also that we reject (or warn about) a .PNG file
> disguised as a .JPG, for example?

About a year ago, it became apparent that MS Windows would execute
arbitrary code when displaying a specially constructed .wmf file.
Microsoft were quite slow issuing a fix for this vulnerability. A lot
of companies blocked .wmf attachments on their firewalls in an attempt
to protect themselves.

As a result, the attackers simply renamed their dangerous .wmf files
to .jpg. This continued to work because Windows looks at the file's
contents, sees that it's not really a JPG image but a WMF image, and
displays it using the vulnerable code.

The vulnerability was relatively well known at the time, and people
who knew about it knew not to attempt to view WMF images using
Windows. What was more of a surprise was that .jpg and .gif files,
when double-clicked, could turn out to be WMF images in disguise.

I don't think we should make the same mistake that Windows makes of
silently ignoring the file extension. The default should be to warn
the user if the contents disagree with the extension, and people who
don't want this warning should be able to turn it off using the
customize interface.
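
The check proposed in the message above, sketched as an added example in Python (not part of the original message and not Emacs code): it compares the type implied by the extension with the type implied by the file's leading bytes and returns a warning when they disagree. The function names and the `warn_on_mismatch` flag, which stands in for the customize option, are hypothetical, and the sample headers are constructed.

```python
import os

# Leading-byte signatures for the image formats named in the message.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xd7\xcd\xc6\x9a", "wmf"),  # placeable WMF header key
    (b"\x01\x00\x09\x00", "wmf"),  # standard WMF header, in-memory type
    (b"\x02\x00\x09\x00", "wmf"),  # standard WMF header, on-disk type
]
EXTENSIONS = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
              ".gif": "gif", ".wmf": "wmf"}


def sniff_type(head):
    """Type implied by the first bytes of the file, or None if unrecognized."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def mismatch_warning(filename, head, warn_on_mismatch=True):
    """Return a warning string when contents contradict the extension."""
    claimed = EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    actual = sniff_type(head)
    if not warn_on_mismatch or claimed is None or actual is None:
        return None  # option disabled, or nothing to compare
    if claimed == actual:
        return None
    return "%s: extension says %s but contents look like %s" % (
        filename, claimed, actual)


# Constructed sample headers (not real files).
SAMPLES = [
    ("holiday.jpg", b"\xd7\xcd\xc6\x9a" + b"\x00" * 18),  # WMF renamed to .jpg
    ("logo.JPG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),      # PNG named .JPG
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),     # genuine JPEG start
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(mismatch_warning(name, head) or "%s: ok" % name)
```
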