| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Jan 2005 14:17:55 -0600
From: Anders Langworthy <hades@...lanthropy.org>
To: Paul Kurczaba <seclists@...urinews.com>
Cc: rohit@...tikalsolutions.com, bugtraq@...urityfocus.com,
full-disclosure@...ts.netsys.com
Subject: Re: 2 vulnerabilities combine to auto
execute received files in Nokia series 60 OS
Paul Kurczaba wrote:
> Wouldn't the phone try to open the jpg file as a picture, and not execute
> it. Just like on desktop PCs: if you rename a .exe (application/program) to
> a jpg (picture file), and try to open the file, your image program will open
> the file, thinking it is a image file. The application code will not be
> executed.
Ideally, yes. But as demonstrated by the Microsoft GDI exploit, just
because a file is not executed proper doesn't necessarily mean it's safe
from problems in the underlying application.
I'd still say that this isn't really a problem directly (after all, it's
considered "safe" to view a webpage with images that are loaded without
prompting), but the fact that attachments are automagically loaded does
provide a spectacular way to automatically infect a large amount of
phones if somebody were to come up with a way to payload an attachment.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists