Eloi Granado wrote:

> There was a nasty bug in Internet Explorer where a specially crafted image
> could cause a heap corruption and code execution:
> http://www.eeye.com/html/research/advisories/AD20021211.html

A related issue is this one:

http://lists.netsys.com/pipermail/full-disclosure/2004-
February/017364.html

http://www.securityfocus.com/bid/9663/info/

Although the "advisory" notes that this was fixed (silently) in IE 6.0
SP1, it seems the vulnerability is probably still present in other
versions/patch levels of IE. I have even seen spam (admittedly only
one!) exploiting this. The message contained an inline .BMP which
attempted to exploit this vuln to trigger an overflow to run a simple
downloader routine that snagged a further piece of malware from the web
and ran it... I have been told that the specific offsets in that .BMP
are probably specific to Russian Win2K SP0, so I guess it would not
have been terribly successful anyway.

> Other threat could come from embedding malicious code inside images (as in
> stenography), and execute it from an otherwise "benevolous" code in the
> html body... so it makes sense to scan EVERY mime part of a message.

Ummmm -- code in an HTML Email body designed to extract steg'ed code
from some other object or objects encoded into the message could hardly
be described as benevolent... Obviously, messages with such code are
somewhere between highly dubious and outright dangerous and use of
Email clients that can even allow such code to execute is a MAJOR
problem class unto itself and independent of issues such as "can images
be dangerous"...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

[ reply ]