Re: Web based email issues

Discussion in 'Computer Security' started by mchiper, Sep 15, 2003.

  1. mchiper

    mchiper Guest

    In alt.computer.security, Msg ID: <>
    Jim Watt <>, wrote:

    >On Mon, 2 Dec 2002 19:31:39 -0000, "Shaolin Tiger"
    ><> wrote:
    >


    >>Most important of all..EDUCATE YOUR USERS

    >
    >sigh !
    >
    >Most of the machines do have av running, but some of them
    >are too old to support it and work.


    A simple question, I think. ( I don't run a server, per se.)
    The question derives from " have a/v running".

    The fundamental security exposure comes from running
    programs "unknowingly".

    Why would a program in an image file (like .JPG, etc..)
    ever have a chance to be executed?

    A partial answer comes from the array of things browsers
    can do.. Like execute programs.. :)
    Both Netscape and IE (the most commonly used browsers)
    Have built in image "decoders", I do believe.

    So....
    Doesn't that mean that merely browsing the Internet
    poses unavoidable security exposures..

    Further..
    IE is so tightly linked to windows OSs,
    And all windows OSs take over ownership of the hardware..
    How does one defeat an attack thru "their " OS ?


    Ray
    mchiper, Sep 15, 2003
    #1

  2. mchiper

    Leythos Guest

    In article <>,
    says...
    >
    > In alt.computer.security, Msg ID: <>
    > Jim Watt <>, wrote:
    >
    > >On Mon, 2 Dec 2002 19:31:39 -0000, "Shaolin Tiger"
    > ><> wrote:
    > >

    >
    > >>Most important of all..EDUCATE YOUR USERS

    > >
    > >sigh !
    > >
    > >Most of the machines do have av running, but some of them
    > >are too old to support it and work.

    >
    > A simple question, I think. ( I don't run a server, per se.)
    > The question derives from " have a/v running".
    >
    > The fundamental security exposure comes from running
    > programs "unknowingly".
    >
    > Why would a program in an image file (like .JPG, etc..)
    > ever have a chance to be executed?


    A file with JPG or GIF will not be executed on ANY OS, but there are
    helper applications that MAY launch if you click on one.

    >
    > A partial answer comes from the array of things browsers
    > can do.. Like execute programs.. :)
    > Both Netscape and IE (the most commonly used browsers)
    > Have built in image "decoders", I do believe.
    >
    > So....
    > Doesn't that mean that merely browsing the Internet
    > poses unavoidable security exposures..


    Yes, you are exposed to the level that you educate yourself.

    >
    > Further..
    > IE is so tightly linked to windows OSs,
    > And all windows OSs take over ownership of the hardware..
    > How does one defeat an attack thru "their " OS ?


    IE can be limited in what it allows - it's just that MOST sites want
    things that mean you need to enable things that open you to attempted
    hacking. In most cases you have to do something to get attacked.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 15, 2003
    #2

  3. mchiper

    Jim Watt Guest

    On Mon, 15 Sep 2003 12:22:21 -0400, mchiper <> wrote:

    >Why would a program in an image file (like .JPG, etc..)
    >ever have a chance to be executed?


    It's not.

    >A partial answer comes from the array of things browsers
    >can do.. Like execute programs.. :)
    >Both Netscape and IE (the most commonly used browsers)
    >Have built in image "decoders", I do believe.
    >
    >So....
    >Doesn't that mean that merely browsing the Internet
    >poses unavoidable security exposures..


    Not from jpg files.

    --
    Jim Watt http://www.gibnet.com
    Jim Watt, Sep 15, 2003
    #3
  4. In article <>,
    _way says...
    > On Mon, 15 Sep 2003 12:22:21 -0400, mchiper <> wrote:
    >
    > >Why would a program in an image file (like .JPG, etc..)
    > >ever have a chance to be executed?

    >
    > It's not.
    >
    > >A partial answer comes from the array of things browsers
    > >can do.. Like execute programs.. :)
    > >Both Netscape and IE (the most commonly used browsers)
    > >Have built in image "decoders", I do believe.
    > >
    > >So....
    > >Doesn't that mean that merely browsing the Internet
    > >poses unavoidable security exposures..

    >
    > Not from jpg files.
    >


    http://www.geocrawler.com/archives/3/91/2000/7/50/4082223/
    http://www.securiteam.com/securitynews/5KP0O0K3FE.html

    /steve
    --
    No one gives you more control of your e-mail than we do!
    http://www.cotse.net/servicedetails.html
    E-Mail, Anon Proxies, Remailers, Usenet, Web Hosting, More.
    The Internet's Full Service Privacy Website, Your Shield From The
    Internet.
    Stephen K. Gielda, Sep 15, 2003
    #4
  5. mchiper

    Jim Watt Guest

    On Mon, 15 Sep 2003 15:23:05 -0400, Stephen K. Gielda
    <> wrote:

    >In article <>,
    >_way says...
    >> On Mon, 15 Sep 2003 12:22:21 -0400, mchiper <> wrote:
    >>
    >> >Why would a program in an image file (like .JPG, etc..)
    >> >ever have a chance to be executed?

    >>
    >> It's not.
    >>
    >> >A partial answer comes from the array of things browsers
    >> >can do.. Like execute programs.. :)
    >> >Both Netscape and IE (the most commonly used browsers)
    >> >Have built in image "decoders", I do believe.
    >> >
    >> >So....
    >> >Doesn't that mean that merely browsing the Internet
    >> >poses unavoidable security exposures..

    >>
    >> Not from jpg files.
    >>

    >
    >http://www.geocrawler.com/archives/3/91/2000/7/50/4082223/
    >http://www.securiteam.com/securitynews/5KP0O0K3FE.html
    >
    >/steve

    I stand corrected, and am impressed at the gross stupidity of MS
    on that one, however they have fixed it.
    --
    Jim Watt http://www.gibnet.com
    Jim Watt, Sep 15, 2003
    #5
  6. In article <>,
    says...

    > A file with JPG or GIF will not be executed on ANY OS, but there are
    > helper applications that MAY launch if you click on one.
    >


    I believe I would rethink the above or perhaps do a little more research
    before making such a broad statement.




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Sep 15, 2003
    #6
  7. mchiper

    mchiper Guest

    In alt.computer.security, Msg ID: <>
    Colonel Flagg <>, wrote:

    >In article <>,
    > says...
    >
    >> A file with JPG or GIF will not be executed on ANY OS, but there are
    >> helper applications that MAY launch if you click on one.
    >>

    >
    >I believe I would rethink the above or perhaps do a little more research
    >before making such a broad statement.


    The thrust of the OP stands?
    >Doesn't that mean that merely browsing the Internet
    >poses unavoidable security exposures..


    Just the facts.. Not who said what to whom.. :)

    >? Not from jpg files.


    >?> http://www.geocrawler.com/archives/3/91/2000/7/50/4082223/
    >?>http://www.securiteam.com/securitynews/5KP0O0K3FE.html


    >? I stand corrected, and am impressed at the gross stupidity of MS
    >? on that one, however they have fixed it.


    Further..
    - Only ONE example of gross stupidity?
    - How about intentional gross neglect.
    - Deriving from the belief that it's THEIR OS not yours..
    - And selling access to YOU?, Who you are, and what you like, and do?
    - What software you use... need I go on?

    IE is so tightly linked to windows OSs,
    And all windows OSs take over ownership of the hardware..
    How does one defeat an attack thru "their " OS ?


    Ray
    mchiper, Sep 15, 2003
    #7
  8. mchiper

    Leythos Guest

    In article <>,
    says...
    > In article <>,
    > says...
    >
    > > A file with JPG or GIF will not be executed on ANY OS, but there are
    > > helper applications that MAY launch if you click on one.

    >
    > I believe I would rethink the above or perhaps do a little more research
    > before making such a broad statement.


    As a GIF and JPG are image files, are not executable files on any OS
    that I know of, please feel free to tell us how a GIF or JPG can be
    executed without the aid of a helper application.


    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 15, 2003
    #8
  9. In article <>,
    says...
    > In article <>,
    > says...
    > > In article <>,
    > > says...
    > >
    > > > A file with JPG or GIF will not be executed on ANY OS, but there are
    > > > helper applications that MAY launch if you click on one.

    > >
    > > I believe I would rethink the above or perhaps do a little more research
    > > before making such a broad statement.

    >
    > As a GIF and JPG are image files, are not executable files on any OS
    > that I know of, please feel free to tell us how a GIF or JPG can be
    > executed without the aid of a helper application.
    >
    >
    >


    "that I know of" is the key element.

    Your statement is very broad by saying "any" OS. The filename extension
    doesn't determine whether it's executable or not in *nix. just about
    _any_ file may be set executable in a unix-like system.

    I would suspect your statement is the result from a lack of experience
    in a unix-like environment. If you have access to a unix box where
    you're free to "test" things, simply:

    # touch filename.jpg
    # ls -al filename.jpg
    -rw-r--r-- 1 flagg 4077 0 Sep 15 19:41 filename.jpg

    notice the above -rw-r--r--

    read here for an explanation of unix file permissions:

    http://www.ctssn.com/linux/lesson6.html

    # chmod 700 filename.jpg
    # ls -al filename.jpg
    -rwx------ 1 flagg 4077 0 Sep 15 19:41 filename.jpg

    now notice the -rwx------

    whereas "x" == "executable". see above URL.

    Also, stating it isn't executable doesn't resolve the possibility of a
    .jpg containing malicious code, I believe elsewhere in this thread,
    someone posted a link to bugtraq reports of jpgs and how browsers on
    Microsoft Operating Systems mishandling them. True, they need a third
    party product to mishandle the code, however, the jpg not being
    executable has nothing to do whether they can cause harm or not, simply
    opening the file in its associated program *could* cause ill effects.

    .jpg's and .gif's, once thought to be safe, haven't been for a number of
    years.





    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Sep 15, 2003
    #9
  10. mchiper

    Mimic Guest

    "Colonel Flagg" <> wrote in
    message news:...
    > In article <>,
    > .jpg's and .gif's, once thought to be safe, haven't been for a number of
    > years.


    I'm with the colonel, I have an executable jpg on my XP box.

    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that don't."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
    Mimic, Sep 16, 2003
    #10
  11. mchiper

    Leythos Guest

    In article <>,
    says...
    > In article <>,
    > says...
    > > In article <>,
    > > says...
    > > > In article <>,
    > > > says...
    > > >
    > > > > A file with JPG or GIF will not be executed on ANY OS, but there are
    > > > > helper applications that MAY launch if you click on one.
    > > >
    > > > I believe I would rethink the above or perhaps do a little more research
    > > > before making such a broad statement.

    > >
    > > As a GIF and JPG are image files, are not executable files on any OS
    > > that I know of, please feel free to tell us how a GIF or JPG can be
    > > executed without the aid of a helper application.
    > >

    > "that I know of" is the key element.


    While I don't want to go down your path, I can assure you that I know
    about this, even more so than it appears you do.

    > Your statement is very broad by saying "any" OS. The filename extension
    > doesn't determine whether it's executable or not in *nix. just about
    > _any_ file may be set executable in a unix-like system.
    >
    > I would suspect your statement is the result from a lack of experience
    > in a unix-like environment. If you have access to a unix box where
    > you're free to "test" things, simply:

    [snip]

    I've used Unix since the 70's and never seen anyone stupid enough to set
    a GIF or JPG to executable on ANY platform, unless they were playing
    around and renamed an executable file and faking it as a JPG.

    So, it still stands, while browsing the internet, and fetching GIF and
    JPG images, you don't have to worry about them being executable code.
    Even in Unix you would have to explicitly set them to executable.

    Get off your lame horse.

    [snip]
    >
    > Also, stating it isn't executable doesn't resolve the possibility of a
    > .jpg containing malicious code, I believe elsewhere in this thread,
    > someone posted a link to bugtraq reports of jpgs and how browsers on
    > Microsoft Operating Systems mishandling them. True, they need a third
    > party product to mishandle the code, however, the jpg not being
    > executable has nothing to do whether they can cause harm or not, simply
    > opening the file in its associated program *could* cause ill effects.


    Which is EXACTLY what I said - without a helper application they can't
    do anything. There is nothing in IE that executes JPG or GIF files.

    > .jpg's and .gif's, once thought to be safe, haven't been for a number of
    > years.


    JPG and GIF files are safe - unless you have some moron that is running
    a nix box and does a chmod and sets it to executable AND the image was
    really a renamed executable application AND NOT an image.


    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 16, 2003
    #11
  12. mchiper

    Leythos Guest

    In article <>,
    says...
    > "Colonel Flagg" <> wrote in
    > message news:...
    > > In article <>,
    > > .jpg's and .gif's, once thought to be safe, haven't been for a number of
    > > years.

    >
    > I'm with the colonel, I have an executable jpg on my XP box.


    Unless it was a renamed exe/com/etc... it is not an executable JPG -
    they don't execute ANY code on the platforms. You could have something
    like somefile.jpg.exe, but that would not be an IMAGE would it.


    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 16, 2003
    #12
  13. In article <>,
    says...

    > I've used Unix since the 70's and never seen anyone stupid enough to set
    > a GIF or JPG to executable on ANY platform, unless they were playing
    > around and renamed an executable file and faking it as a JPG.
    >
    > So, it still stands, while browsing the internet, and fetching GIF and
    > JPG images, you don't have to worry about them being executable code.
    > Even in Unix you would have to explicitly set them to executable.
    >
    > Get off your lame horse.
    >



    Again, it's the fact that you covered it in such broad terms. "Any OS
    I've seen". You stated above you've been using Unix since the 70's,
    therefore, you should know it's possible to execute a jpg. Period.





    > [snip]
    > >
    > > Also, stating it isn't executable doesn't resolve the possibility of a
    > > .jpg containing malicious code, I believe elsewhere in this thread,
    > > someone posted a link to bugtraq reports of jpgs and how browsers on
    > > Microsoft Operating Systems mishandling them. True, they need a third
    > > party product to mishandle the code, however, the jpg not being
    > > executable has nothing to do whether they can cause harm or not, simply
    > > opening the file in its associated program *could* cause ill effects.

    >
    > Which is EXACTLY what I said - without a helper application they can't
    > do anything. There is nothing in IE that executes JPG or GIF files.
    >



    "executes" would be the operative word here. No, the jpg doesn't
    TECHNICALLY get executed, HOWEVER, IE can mishandle the data within the
    jpg and cause ill effects. This is well documented on several security
    archive sites.

    From another post in this thread, since you evidently won't look at it
    from there:

    http://www.geocrawler.com/archives/3/91/2000/7/50/4082223/
    http://www.securiteam.com/securitynews/5KP0O0K3FE.html


    Some other reading, I hope this helps you further understand the issue:

    http://lists.jammed.com/vuln-dev/2002/09/0016.html

    http://zork.net/pipermail/crackmonkey/2001q1/016922.html

    http://www.securityfocus.com/bid/2612/discussion/


    > > .jpg's and .gif's, once thought to be safe, haven't been for a number of
    > > years.

    >
    > JPG and GIF files are safe - unless you have some moron that is running
    > a nix box and does a chmod and sets it to executable AND the image was
    > really a renamed executable application AND NOT an image.
    >


    "if's", "and nots", "unless".... damn, you sound like a security warning
    from Microsoft.

    The fact is, jpg's and gif's may conceal executable content. Period.

    >
    >



    And you're still incorrect. jpg's and gif's should not be covered in
    such broad statements, they're no longer considered completely safe.

    And before you go mixing words with me, stating I am "nit-picking", I'll
    go ahead and pat you on the head, saying "there, there" to the point:
    TRUE gifs and jpgs, with no malicious intent, are harmless... lol.

    I anxiously await your next feinting move.




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Sep 16, 2003
    #13
  14. In article <>,
    says...
    > In article <>,
    > says...
    > > "Colonel Flagg" <> wrote in
    > > message news:...
    > > > In article <>,
    > > > .jpg's and .gif's, once thought to be safe, haven't been for a number of
    > > > years.

    > >
    > > I'm with the colonel, I have an executable jpg on my XP box.

    >
    > Unless it was a renamed exe/com/etc... it is not an executable JPG -
    > they don't execute ANY code on the platforms. You could have something
    > like somefile.jpg.exe, but that would not be an IMAGE would it.
    >
    >
    >


    this is FUD.

    jpg's and gif's may contain malicious and executable code. it's "how
    they're handled" that matters.

    true, a jpg or gif cannot be executed on their own, of course, neither
    can an .exe, it needs an Operating System that understands it, in order
    to run. the fact that a jpg or gif needs yet another application to
    execute its code is but another step to infecting yourself with a
    virus.

    no, i am not stating the sky-is-falling and that everyone *should* quit
    viewing jpg's and gif's, however, the blanket statement that jpg's and
    gif's are safe is crazy talk.




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Sep 16, 2003
    #14
  15. mchiper

    Leythos Guest

    In article <>,
    says...
    [snip]
    > I anxiously await your next feinting move.


    My next move is to put you in my newsreader's bozo list and start
    ignoring you like I should have from the start.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 16, 2003
    #15
  16. mchiper

    Jim Watt Guest

    On Mon, 15 Sep 2003 22:11:11 +0200, Jim Watt <_way>
    wrote:

    >On Mon, 15 Sep 2003 15:23:05 -0400, Stephen K. Gielda
    ><> wrote:
    >
    >>In article <>,
    >>_way says...
    >>> On Mon, 15 Sep 2003 12:22:21 -0400, mchiper <> wrote:
    >>>
    >>> >Why would a program in an image file (like .JPG, etc..)
    >>> >ever have a chance to be executed?
    >>>
    >>> It's not.
    >>>
    >>> >A partial answer comes from the array of things browsers
    >>> >can do.. Like execute programs.. :)
    >>> >Both Netscape and IE (the most commonly used browsers)
    >>> >Have built in image "decoders", I do believe.
    >>> >
    >>> >So....
    >>> >Doesn't that mean that merely browsing the Internet
    >>> >poses unavoidable security exposures..
    >>>
    >>> Not from jpg files.
    >>>

    >>
    >>http://www.geocrawler.com/archives/3/91/2000/7/50/4082223/
    >>http://www.securiteam.com/securitynews/5KP0O0K3FE.html
    >>
    >>/steve

    >I stand corrected, and am impressed at the gross stupidity of MS
    >on that one, however they have fixed it.


    Also thinking more about it, it's only really an issue for someone
    using MS mail clients?
    --
    Jim Watt http://www.gibnet.com
    Jim Watt, Sep 16, 2003
    #16
  17. mchiper

    Lohkee Guest

    "Colonel Flagg" <> wrote in
    message news:...
    > In article <>,
    > says...
    >
    > > I've used Unix since the 70's and never seen anyone stupid enough to set
    > > a GIF or JPG to executable on ANY platform, unless they were playing
    > > around and renamed an executable file and faking it as a JPG.
    > >
    > > So, it still stands, while browsing the internet, and fetching GIF and
    > > JPG images, you don't have to worry about them being executable code.
    > > Even in Unix you would have to explicitly set them to executable.
    > >
    > > Get off your lame horse.
    > >

    >
    >
    > Again, it's the fact that you covered it in such broad terms. "Any OS
    > I've seen". You stated above you've been using Unix since the 70's,
    > therefore, you should know it's possible to execute a jpg. Period.
    >
    >
    >
    >
    >
    > > [snip]
    > > >
    > > > Also, stating it isn't executable doesn't resolve the possibility of a
    > > > .jpg containing malicious code, I believe elsewhere in this thread,
    > > > someone posted a link to bugtraq reports of jpgs and how browsers on
    > > > Microsoft Operating Systems mishandling them. True, they need a third
    > > > party product to mishandle the code, however, the jpg not being
    > > > executable has nothing to do whether they can cause harm or not, simply
    > > > opening the file in its associated program *could* cause ill effects.

    > >
    > > Which is EXACTLY what I said - without a helper application they can't
    > > do anything. There is nothing in IE that executes JPG or GIF files.
    > >

    >
    >
    > "executes" would be the operative word here. No, the jpg doesn't
    > TECHNICALLY get executed, HOWEVER, IE can mishandle the data within the
    > jpg and cause ill effects. This is well documented on several security
    > archive sites.
    >
    > From another post in this thread, since you evidently won't look at it
    > from there:
    >
    > http://www.geocrawler.com/archives/3/91/2000/7/50/4082223/
    > http://www.securiteam.com/securitynews/5KP0O0K3FE.html
    >
    >
    > Some other reading, I hope this helps you further understand the issue:
    >
    > http://lists.jammed.com/vuln-dev/2002/09/0016.html
    >
    > http://zork.net/pipermail/crackmonkey/2001q1/016922.html
    >
    > http://www.securityfocus.com/bid/2612/discussion/
    >
    >
    > > > .jpg's and .gif's, once thought to be safe, haven't been for a number of
    > > > years.

    > >
    > > JPG and GIF files are safe - unless you have some moron that is running
    > > a nix box and does a chmod and sets it to executable AND the image was
    > > really a renamed executable application AND NOT an image.
    > >

    >
    > "if's", "and nots", "unless".... damn, you sound like a security warning
    > from Microsoft.
    >
    > The fact is, jpg's and gif's may conceal executable content. Period.
    >
    > >
    > >

    >
    >
    > And you're still incorrect. jpg's and gif's should not be covered in
    > such broad statements, they're no longer considered completely safe.
    >
    > And before you go mixing words with me, stating I am "nit-picking", I'll
    > go ahead and pat you on the head, saying "there, there" to the point:
    > TRUE gifs and jpgs, with no malicious intent, are harmless... lol.
    >
    > I anxiously await your next feinting move.
    >
    >
    >
    >
    > --
    > Colonel Flagg
    > http://www.internetwarzone.org/
    >
    > Privacy at a click:
    > http://www.cotse.net
    >
    > Q: How many Bill Gates does it take to change a lightbulb?
    > A: None, he just defines Darkness™ as the new industry standard..."
    >
    > "...I see stupid people."





    Hmmmmmm. Executable content in Jpeg. Buffer overflow in reader (or other
    handling application). Where is the problem?

    Lohkee!
    Lohkee, Sep 16, 2003
    #17
  18. mchiper

    Leythos Guest

    In article <4Kt9b.140578$0v4.10349691@bgtnsc04-
    news.ops.worldnet.att.net>, says...
    [snip]
    > Hmmmmmm. Executable content in Jpeg. Buffer overflow in reader (or other
    > handling application). Where is the problem?


    Show me an example of a buffer overflow caused by a large JPG file :)

    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 16, 2003
    #18
  19. In article <>,
    _way says...
    > On Mon, 15 Sep 2003 22:11:11 +0200, Jim Watt <_way>
    > wrote:
    >
    > >On Mon, 15 Sep 2003 15:23:05 -0400, Stephen K. Gielda
    > ><> wrote:
    > >
    > >>In article <>,
    > >>_way says...
    > >>> On Mon, 15 Sep 2003 12:22:21 -0400, mchiper <> wrote:
    > >>>
    > >>> >Why would a program in an image file (like .JPG, etc..)
    > >>> >ever have a chance to be executed?
    > >>>
    > >>> It's not.
    > >>>
    > >>> >A partial answer comes from the array of things browsers
    > >>> >can do.. Like execute programs.. :)
    > >>> >Both Netscape and IE (the most commonly used browsers)
    > >>> >Have built in image "decoders", I do believe.
    > >>> >
    > >>> >So....
    > >>> >Doesn't that mean that merely browsing the Internet
    > >>> >poses unavoidable security exposures..
    > >>>
    > >>> Not from jpg files.
    > >>>
    > >>
    > >>http://www.geocrawler.com/archives/3/91/2000/7/50/4082223/
    > >>http://www.securiteam.com/securitynews/5KP0O0K3FE.html
    > >>
    > >>/steve

    > >I stand corrected, and am impressed at the gross stupidity of MS
    > >on that one, however they have fixed it.

    >
    > Also thinking more about it, it's only really an issue for someone
    > using MS mail clients?


    In the particular links above only for those specific clients and
    versions (an old netscape and old IE) and only in a particular
    circumstance. However, because I can take a perl script (just a random
    example) on Unix and name it picture.jpg and set it executable then be able
    to run it means I wouldn't take things named .jpg at face value as being
    safe.

    For the most part pure jpg images are considered safe. However, one
    must be certain they are pure jpgs and you cannot do that just by
    looking at the extension. Nor in some cases can you do that by looking
    at the header (as illustrated by those old advisories). So that means I
    can't blanketly say that jpgs are always safe. But for the most part I
    assume them to be (if verified images)...at least until some other
    parser vulnerability appears. Nice solid answer, huh? :)

    /steve
    --
    No one gives you more control of your e-mail than we do!
    http://www.cotse.net/servicedetails.html
    E-Mail, Anon Proxies, Remailers, Usenet, Web Hosting, More.
    The Internet's Full Service Privacy Website, Your Shield From The
    Internet.
    Stephen K. Gielda, Sep 16, 2003
    #19
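
The checks discussed in the replies above (the execute bit from the `chmod` demonstration, and confirming that a file named .jpg really is a JPEG beyond its extension and header), as an added example that is not part of any post in this thread. The function names and sample file names are assumptions and the sample files are constructed; it goes beyond the posts by also validating each JPEG segment's declared length.

```python
import os
import stat
import struct
import tempfile

# Leading bytes that mean "program", whatever the file is called.
EXEC_MAGICS = {b"#!": "a script (shebang)", b"\x7fELF": "an ELF binary",
               b"MZ": "a DOS/PE binary"}
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-RST7 carry no length field


def walk_jpeg(data):
    """Walk the JPEG marker segments and return a list of structural problems."""
    if data[:2] != b"\xff\xd8":
        return ["no SOI marker, not a JPEG"]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return [f"expected a marker at offset {pos}"]
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            break
        marker, pos = data[pos], pos + 1
        if marker == 0xD9:  # EOI: nothing should follow
            extra = len(data) - pos
            return [f"{extra} bytes after EOI"] if extra else []
        if marker in NO_LENGTH:
            continue
        if marker == 0x00 or pos + 2 > len(data):
            return [f"malformed marker near offset {pos}"]
        (seglen,) = struct.unpack(">H", data[pos:pos + 2])
        if seglen < 2:  # the length field counts its own two bytes
            return [f"segment 0x{marker:02X} has impossible length {seglen}"]
        if pos + seglen > len(data):
            return [f"segment 0x{marker:02X} declares {seglen} bytes, "
                    f"only {len(data) - pos} remain"]
        pos += seglen
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
            else:
                pos = len(data)
    return ["no EOI marker, file is truncated"]


def inspect_image(path):
    """Return findings for one file; an empty list means nothing was flagged."""
    findings = []
    if os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set")
    with open(path, "rb") as fh:
        data = fh.read()
    for magic, kind in EXEC_MAGICS.items():
        if data.startswith(magic):
            return findings + [f"content is {kind}, not an image"]
    return findings + walk_jpeg(data)


def demo():
    """Build constructed sample files in a temp dir and inspect each one."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    sos = b"\xff\xda" + struct.pack(">H", 8) + bytes(6)
    # Structurally well-formed skeleton (constructed; not a decodable picture).
    good = b"\xff\xd8" + app0 + sos + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"
    samples = {
        "holiday.jpg": (good, 0o644),
        "picture.jpg": (b"#!/usr/bin/perl\nprint \"hi\\n\";\n", 0o700),
        "appended.jpg": (good + bytes(32), 0o644),
        "overrun.jpg": (b"\xff\xd8\xff\xfe" + struct.pack(">H", 0x4000) + b"short", 0o644),
        "badlen.jpg": (b"\xff\xd8\xff\xfe" + struct.pack(">H", 1) + b"\xff\xd9", 0o644),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
            results[name] = inspect_image(path)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:13} {findings or 'nothing flagged'}")
```

An empty result means the file is structurally a JPEG with no execute bit, not that every decoder will parse it correctly.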
  20. In article <>,
    says...
    > In article <>,
    > says...
    > [snip]
    > > I anxiously await your next feinting move.

    >
    > My next move is to put you in my newsreader's bozo list and start
    > ignoring you like I should have from the start.
    >
    >


    of course you will. of course i'll be replying to your nonsense posts
    and you'll miss every word of it.

    I gave precise, logical and fully documented cases from reputable
    organizations to state my case, you gave nothing but your "word", a bit
    of inflammatory posting and much attitude (not to mention blatant and
    uneducated FUD)

    please, explain to the good folks how much experience you have and what
    you've done in life that makes your statements "the word of God"....

    read the bottom line of my signature for enlightenment.

    oh wait, you've added me to your "bozo bin", so you'll never see this...

    *snicker*

    go ahead punk, reply. make my day.




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Sep 16, 2003
    #20