* H C (keydet89yahoo.com) [020109 11:51]:
>
> Also keep in mind that:
> (a) applications that only *read* the file contents,
> such as graphics and multimedia viewers, don't usually
> execute any arbitrary data they find in, or associated
> with, the file.
>

I was thinking of the recent Windows Media player vulnerability
where an executable was given the correct MIME type to call
Windows Media player so it could be exploited. If this
is possible on an NTFS partition where an application is
associated with IE and IE had an exploitable vulnerability,
it is theoretically not impossible.

An application that reads data from a file must also
be able to act upon that data. If the data includes encoding
that can exploit a weakness, just "reading" data doesn't help.

Thanks,
JJ

-- 
J. J. Horner
"H*","6a686f726e657240326a6e6574776f726b732e636f6d"
***************************************************
"H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
Freedom is an all-or-nothing proposition:  either we 
are completely free, or we are subjects of a
tyrannical system.  If we lose one freedom in a
thousand, we become completely subjugated.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjw8eqIACgkQr4aOZjXrmD62FACdHGyxmLJORWkqSJqFu4Fu7PeR 8dwAoMByvbDbfDYOcTVRtOzvM0kYXMlQ =BBak -----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]