FromTheRafters wrote:
> Bast brought next idea :
>>
>> FromTheRafters wrote:
>>> Bast expressed precisely :
>>>>
>>>> FromTheRafters wrote:
>>>>> Bast submitted this idea :
>>>>>>
>>>>>> Virus Guy wrote:
>>>>>>> "David H. Lipman" wrote:
>>>>>>>
>>>>>>>>>> Is it even possible that when launched from a media-player
>>>>>>>>>> (such as VLC) that there exists a class of avi, mp3, flac
>>>>>>>>>> (etc) malware that can leverage a player vulnerability and
>>>>>>>>>> cause it to run arbitrary code?
>>>>>>>>>
>>>>>>>>> Yes.
>>>>>>>>>
>>>>>>>>> Some specific players could be tricked into visiting a
>>>>>>>>> maliciously formed website embedded in the id3tags.
>>>>>>>
>>>>>>>>> The Wimad trojan
>>>>>>>
>>>>>>> So basically these boil down to browser exploits. A URL launched
>>>>>>> from Windoze Media Player is still a browser exploit.
>>>>>>>
>>>>>>> And they're not even exploits - they depend on user action in the
>>>>>>> browser to allow whatever operation they're trying to accomplish
>>>>>>> (ie - social engineering).
>>>>>>>
>>>>>>> What I'm asking about is a media file that upon playing can cause
>>>>>>> any media player to run arbitrary code WITHOUT NEEDING THE USER'S
>>>>>>> HELP, and thereby cause the user's system to download secondary
>>>>>>> payloads, change registry settings, etc. All without enlisting the
>>>>>>> system's web-browser. Has there ever been a media file (mp3, avi,
>>>>>>> flac, etc) that could accomplish that?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Nope, not if a user has file types set.
>>>>>>
>>>>>> An exploit in Windows can allow renaming a file extension from say
>>>>>> .exe to .mov
>>>>>> Or naming it with no extension at all.
>>>>>> And Windows was stupid enough to recognize it as an .exe despite
>>>>>> the extension, and run it as such.
>>>>>
>>>>> Er, what is stupid is relying on the extension to mean anything.
>>>>> Now, it is usually the actual format of the file that tells the OS
>>>>> what it really is and how it should be handled.
>>>>>>
>>>>>> But that is almost impossible now, unless users manually allow
>>>>>> that.
>>>>>
>>>>> Don't trust names to have any meaning, that goes for extensions too.
>>>>
>>>>
>>>>
>>>>
>>>> The whole point is if you set your system to specific applications
>>>> for certain extensions,.....you can't run into too many problems if
>>>> say a file with .mov or .avi, that is really a malware type .exe,....
>>>> automatically is opened by a video player, all it will do is choke
>>>> and throw an error without doing any damage.
>>>>
>>>> Let Windows decide on its own how to run it and you are begging for
>>>> problems.
>>>
>>> Right, but when you download a file you are not actually downloading a
>>> file,
>>
>>
>> Whaaaaa ??????
>> You download a file, PERIOD.
>
> Okay.
>>
>>> you are downloading content from a remote file into a new local
>>> file that may or may not even have the same naming convention. If
>>> decisions as to what icon to present in the GUI or what application
>>> to associate the file with were made with respect to the content
>>> rather than the filename there would be less chance for confusion.
>>> An exe file named benign.jpg would still be associated with the
>>> loader chain and have an icon showing it as an executable.
>>>
>>> Custom icons could still be used, but as with the little arrow that
>>> Windows uses for shortcut icons - there could be a little star or
>>> border or something to show it as an executable. That way, if an exe
>>> had an icon like notepad and an extension of .txt it would *still*
>>> show the user that it is an executable and it would still be loadable
>>> because the OS uses the content rather than the name to make its
>>> decisions about loading an executable image.
>>
>>
>>
>>
>> FILE ICONS are created and placed by your own system, they are not
>> downloaded with files.
>
> Some are, some aren't.
I am pointing out that if you simply download a file of data, you don't get
a file icon with it.
Unless you download a .zip and it's in there.
However you can download ICON FILES as prepared graphics (.ico), but then
you have to manually assign them to a file type.
But in the context of this thread you have virtually no chance of
downloading an .mp3 or .avi and having an icon come in with it.
>
>> Website icons are downloaded only when you view a webpage but are only
>> saved and read by a browser.
>
> Okay.


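Added example, not part of the thread or any poster's code: a Python sketch of the content-versus-name check argued over above, flagging a file whose leading bytes are a Windows PE image, or are not the media type its extension claims. The function names, extension sets and sample byte strings are constructed for illustration.

```python
import os
import struct

EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}   # names Windows treats as executable
MEDIA_EXTS = {".mp3", ".avi", ".flac"}         # the media types named in the thread

def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def sniff(data: bytes) -> str:
    """Classify a buffer by its leading bytes only; the name is never consulted."""
    if is_pe(data):
        return "pe"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return ".avi"
    if data[:4] == b"fLaC":
        return ".flac"
    # MP3: an ID3v2 tag, or an MPEG audio frame sync (11 set bits)
    if data[:3] == b"ID3" or (len(data) > 1 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0):
        return ".mp3"
    return "unknown"

def audit(name: str, data: bytes):
    """Return (declared_ext, detected_kind, mismatch)."""
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(data)
    if kind == "pe":
        mismatch = ext not in EXEC_EXTS
    elif kind == "unknown":
        mismatch = ext in MEDIA_EXTS      # media name, unrecognised content
    else:
        mismatch = ext != kind
    return ext, kind, mismatch

# Constructed sample buffers (headers only, not real files).
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
SAMPLE_AVI = b"RIFF" + struct.pack("<I", 4) + b"AVI "
SAMPLE_FLAC = b"fLaC" + b"\0" * 4

if __name__ == "__main__":
    for name, data in [("benign.jpg", SAMPLE_PE), ("movie.avi", SAMPLE_PE),
                       ("clip.avi", SAMPLE_AVI), ("song.mp3", SAMPLE_FLAC)]:
        print(name, audit(name, data))
```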