Hi,
it is possible to open links from several types of media formats
including images, although this is the first case someone mentions it
on a security list I believe. This type of issue was found in PDF,
RealMedia, QuickTime, and QuckTime Media Link. It is good to note that
QuickTime MediaLink can imitate any other media format as long as the
QuickTime player is supports the file type and the format itself. The
GIF header issue, on the other hand allows JavaScript code to execute
when an effected image is opened in the browser.
I am almost sure that a special type of preview handler is installed
inside the Windows, you will get these links execute automatically
from the desktop. Why?
Well, you know how today everything is object and all parts of the
operating system are components. So, Instead of reinventing the wheel
developers will use the appropriate video component to grab the first
frame only, resize it, and display it to the user as a thumbnail. This
is very good but some formats will execute the link right a way which
means that as soon as explorer displays the image, u get a link as
well.
Here are some references to various types of articles on this subject:
http://www.gnucitizen.org/blog/backdooring-mp3-files
http://www.gnucitizen.org/blog/backdooring-quicktime-movies
http://www.gnucitizen.org/blog/backdooring-flash-objects-receipt
http://www.gnucitizen.org/blog/backdooring-flash-objects
http://www.gnucitizen.org/blog/backdooring-web-pages
http://michaeldaw.org/md-hacks/backdooring-pdf-files/
http://www.virusbtn.com/news/virus_news/2006/11_17a.xml
I hope this helps, Can you send us some of the files for analysis.
On 20 Nov 2006 17:26:22 -0000, mr.nasty@ix.netcom.com
<mr.nasty@ix.netcom.com> wrote:
I know this is a dumb question and I probably should know the answer or it's
something so obvious I just can't see it.
I've seen image files and movie (mpg, etc) files that when opened will open a
web browser to a specific web site.
Two questions.
1) when you encounter a file like this how can you tell or how can you remove
the link from opening a web browser?
2) how is this done.
I've tried searching google and security focus but get a lot of php type of
results here and html tag explanation from google. I don't think this is a tag
so much as it is something in the way the file is saved or configured.
---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
