4

So, today a user sent me an e-mail about a suspicious e-mail. When I opened it to check it, I accidentally hovered the mouse over the "doc.jpg" and it opened the image thumbnail. I never bothered to check the thumbnails, so I never stopped to think about it, but would someone be able to execute malicious code on my computer if I checked the thumbnail?

welp

EDIT: As requested, we're using Google Chrome 43.0.2357.134 and Zimbra 8.0 (yep, kinda dated, but unfortunately, we can't do anything about it).

HDD

4 Answers

4

Maybe. In theory it might be that the (unknown) mail client you use already extracts information from the attachment when you simply hover over it. And the practice might not be that far away from this theory: there were several bugs in the past where the preview feature for mails could be used to execute malware, see "Can malware be activated by previewing email in Outlook's Preview pane?" or "BadWinmail: the really bad Outlook flaw". There was also code execution in the past triggered by simply hovering over a file in Explorer.

Steffen Ullrich
3

By default there is no such functionality that could be exploited itself. What is possible, and mostly done with attached PDFs but also possible with other file formats, is to exploit vulnerabilities in the viewer software. This is the only way to compromise a system through a non-executable file. But also in that case the success of the attack relies on the viewer that is used, which lowers the success rate because the exploit will only apply to one or a range of software.

So there is a possible attack vector, but in my experience the attack surface increases with the complexity of a file format, and in comparison to PDF, image files are relatively trivial.

To sum it up: it's unlikely but not impossible to exploit software by providing a manipulated image.

davidb
0

No, because there exists a shortest path (of attack) and a dead end.

The thumbnail image is computed by your client E-mail reader from the original attachment. Hence an eventual attack code will have to go through this image filter. There are 2 possibilities at this level:

  • this filter contains flaws permitting an attack,
  • this filter was correctly coded ( :) ).

Within the 1st case, an attacker will try to use this flaw to attack this filter, and the bad will be inside once the thumbnail is computed. None of your actions will change anything about this fact. The protection has to be done before by filtering E-mail.

Within the 2nd case, the attacker is out of luck, and will have to try another entry path.

dan
  • 2
    And why should the thumbnail be computed prior to the hover? – marstato Jan 18 '16 at 18:44
  • 3
    The thumbnail isn't necessarily computed (from the original image). It could be embedded in the EXIF data (particularly with JPEG files) and used directly without any processing. Although whether the email client uses this is another matter and it might still require further computation (just as the original image would). For example, Windows Explorer uses this embedded thumbnail when available. – MrWhite Jan 18 '16 at 19:21
  • But still, the hovering triggers the potentially vulnerable IO. So why is the answer no then? – marstato Jan 18 '16 at 20:48
  • I advise you to develop an answer explaining in which part of the code of which E-mail client the hovering over a thumbnail could fire a bug which would be specific to the thumbnail image. I am not aware of such a possibility. – dan Jan 19 '16 at 08:10
  • @marstato, because for any attacker there is an easier path of attack in this case. It would be completely masochistic for an attacker to wait for an event which would depend on a much more tortured building. – dan Jan 19 '16 at 08:19
  • @w3d, by "image filter", I was talking of the code which is opening the original image to end by the computed display within the interface of the E-mail client. This is highly dependent on the format used, which libraries are available at the client or the OS level. This was a generic name, not the name of a format or a product. – dan Jan 19 '16 at 08:23
  • @danielAzuelos The E-Mail client receives the email with correct multipart encoding. When hovering the attachment, it reads the file sent along to display the thumbnail. This is where the attack can occur. Prior to hovering the image there is no need to read the image data. The hover triggers the first interaction with the image. I agree that attacking the decoder when the image is opened in a viewer is easier. – marstato Jan 19 '16 at 12:26
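
The comments above note that a JPEG can carry a ready-made thumbnail in its EXIF data, and that whatever code reads the attachment at preview time is the part that has to be correctly coded. As an added example (not part of the original thread), the sketch below checks that a file named like "doc.jpg" really starts as a JPEG and locates an embedded EXIF thumbnail while bounds-checking every length and offset it reads. The function names and the sample bytes are constructed for illustration, and it assumes the two thumbnail tags are stored as LONG values.

```python
import struct

def jpeg_segments(data):
    """Yield (marker, payload) per header segment, bounds-checking each length."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, marker = 2, None
    while marker != 0xDA and pos + 4 <= len(data):  # stop after SOS: image data follows
        marker, length = data[pos + 1], struct.unpack_from(">H", data, pos + 2)[0]
        if data[pos] != 0xFF or length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"malformed segment at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def read_ifd(tiff, e, off):
    """Return ({tag: value}, next_ifd_offset) for the IFD at off, or raise."""
    if off + 2 > len(tiff):
        raise ValueError("IFD offset outside EXIF block")
    count = struct.unpack_from(e + "H", tiff, off)[0]
    end = off + 2 + 12 * count
    if end + 4 > len(tiff):
        raise ValueError("IFD entries outside EXIF block")
    tags = {t: v for t, _, _, v in struct.iter_unpack(e + "HHII", tiff[off + 2:end])}
    return tags, struct.unpack_from(e + "I", tiff, end)[0]

def embedded_thumbnail(data):
    """Return (offset, length) of the EXIF thumbnail in the TIFF block, or None."""
    for marker, payload in jpeg_segments(data):
        tiff = payload[6:]
        if marker != 0xE1 or payload[:6] != b"Exif\x00\x00":
            continue
        if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
            raise ValueError("bad TIFF header")
        e = "<" if tiff[:2] == b"II" else ">"
        _, ifd1 = read_ifd(tiff, e, struct.unpack_from(e + "I", tiff, 4)[0])
        tags = read_ifd(tiff, e, ifd1)[0] if ifd1 else {}
        off, length = tags.get(0x0201), tags.get(0x0202)  # assumed LONG-typed
        if off is None or length is None:
            return None
        if off + length > len(tiff):
            raise ValueError("thumbnail range exceeds EXIF block")
        return off, length
    return None

def sample_jpeg(claimed_len):
    """Constructed sample: header-only JPEG whose EXIF block holds a 4-byte thumbnail."""
    ifd1 = struct.pack(">HHHIIHHIII", 2, 0x0201, 4, 1, 44, 0x0202, 4, 1, claimed_len, 0)
    app1 = b"Exif\x00\x00MM\x00\x2a" + struct.pack(">IHI", 8, 0, 14) + ifd1 + b"\xff\xd8\xff\xd9"
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```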
-4

The Government, FBI specifically if I recall correctly, (therefore also the NSA and CIA) openly uses software that can do this, at least on certain systems. If I recall correctly, they can infect you without even hovering or opening, just sending the attachment. This has been known for years, if you want a source, you will have to do some googling yourself.

But on average this is not at all likely, and not worth the effort unless you are a high profile target or something, due to the fact that this is considered a valuable 0-day vulnerability, the more it is used, the sooner it will be noticed and patched. If you could do this, you could sell it to corporations for $100k +, depending on which systems it works on. So a hacker would not use it loosely.

ROCK
  • 4
    "This has been known for years, if you want a source, you will have to do some googling yourself" part of posting an answer is backing up your claims. – Buffalo5ix Jan 18 '16 at 19:17
  • 1
    @Globlee As a developer myself, I highly doubt this to be true. Common knowledge is out of the question. Although I know vulnerabilities have been found in the way certain image files have been read, in certain implementations, affecting certain software, in order to take you seriously you're going to need to source your statements. – Jonathan Gray Jan 19 '16 at 03:55
  • Globlee - this isn't a useful answer, as the first paragraph has no evidence, or in fact any convincing statement of truth, and the second paragraph is just plain wrong. Have a look at other posts here and have a read of [answer] to get a better idea of what we need in answer posts. – Rory Alsop Jan 22 '16 at 09:39