
Historically, there were some exploits for certain types of image files, notably JPEG images. Consequently, many real-time malware scanners (antivirus included) started scanning every JPEG image (as well as some other types of image files) every time they are read or written.

Although there is undoubtedly some outdated software in the world that can be exploited using malformed image files, are there any current exploits that take advantage of weaknesses in image file processing? For answers, please assume the user is not using old or unpatched versions of software.

I'm interested in answers for all operating systems.

  • @schroeder Good points/questions. Here is what instigated the question: A friend came to me complaining that their computer was running slow. I took a look at it, and their choice in antivirus was expending a considerable amount of processing power scanning every image file as it was read or written. This made image viewers and editors slow, as well as web pages that had numerous images. He asked if that reduction in performance was worth the possibly improved security. The first step in answering his question is determining if real-time scanning of image files is actually improving security. – RockPaperLz- Mask it or Casket Sep 03 '16 at 11:37
  • Does this count: https://www.cvedetails.com/cve/CVE-2016-4994/ or is this beyond your expected scope? – schroeder Sep 03 '16 at 21:04
  • @schroeder Good find, but I do think it may be beyond scope because I have not been able to find any real-time scanners that can identify that vulnerability or any that scan XCF files by default except when they are configured to scan *every* file. Granted, I didn't try every real-time scanner, so I welcome corrections. – RockPaperLz- Mask it or Casket Sep 04 '16 at 03:42
  • For an antivirus to protect your software from an exploit it must know about this exploit, and at that point, why wouldn't the software's developer know it and patch it? – André Borie Nov 05 '16 at 14:15

1 Answer


A real-time scanner can either:

  1. look for known vulnerability exploitation (signature based), or
  2. use heuristics to determine if the image is crafted to exploit unknown vulnerabilities

Number 2 seems like a stretch, so I'll skip over it.

Number 1 could be useful if you're running outdated software that wasn't patched for known vulnerabilities.

In reality, if you're not patching your software there's a limited amount of protection you can get from an antivirus/antimalware solution.

Once the vulnerable software is patched for the known vulnerability there's really no point in testing every single file for it. That's especially true if the trade-off is on usability.

Security at the expense of usability comes at the expense of security.

At the end of the day it boils down to what kind of protection you expect from the antivirus/antimalware.

An antivirus as a workaround for unpatched software sounds like a bad idea, akin to putting a padlock on an absent door.

GnP
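Added example, not part of the question or of GnP's answer: a toy "real-time" image scanner in Python that does the two things the answer distinguishes. It first looks the file up by SHA-256 in a denylist (the signature approach, item 1), and only then walks the JPEG marker segments and checks that every length field is at least 2 and stays inside the file (a structural heuristic, item 2). The sample files, the "previously seen" hash and the comment-segment underflow case are all constructed here for the demonstration; they are not real malware or a specific historical exploit file. Running it also makes the question's cost point concrete: the structural pass touches every byte of every file on each read or write, which is the work the asker's friend was paying for.

```python
"""Toy real-time image scanner: signature lookup plus a JPEG structural
sanity check. All samples and hashes below are constructed for illustration."""
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

# --- Constructed samples (not real files, not real malware indicators) --------

def _jpeg_with_comment(comment: bytes, length_field: Optional[int] = None) -> bytes:
    """Build SOI + COM segment + EOI. `length_field` lets us override the
    16-bit segment length to produce a deliberately malformed file."""
    length = (2 + len(comment)) if length_field is None else length_field
    return b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", length) + comment + b"\xff\xd9"

BENIGN_JPEG = _jpeg_with_comment(b"hello")
# A length field of 1 is smaller than the 2 bytes the field itself occupies; a
# decoder computing `length - 2` without a check underflows. This is the bug
# class the structural check is meant to flag, not a specific exploit file.
UNDERFLOW_COMMENT_JPEG = _jpeg_with_comment(b"hello", length_field=1)
# Pretend this file was seen before and denylisted (constructed hash database).
PREVIOUSLY_SEEN_BAD = _jpeg_with_comment(b"\x00" * 8, length_field=0xFFFF)
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(PREVIOUSLY_SEEN_BAD).hexdigest(): "constructed-signature-001",
}

# --- Structural (heuristic) check ---------------------------------------------

STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 carry no length field

def parse_jpeg_segments(data: bytes) -> List[Tuple[int, int, int]]:
    """Walk the marker segments of a JPEG and return (marker, offset, length)
    tuples. Raises ValueError on any structural inconsistency."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    segments: List[Tuple[int, int, int]] = []
    pos = 2
    while True:
        if pos >= len(data):
            raise ValueError("file ends before EOI")
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        start = pos - 1
        pos += 1
        if marker == 0x00:
            raise ValueError(f"stuffed 0xFF00 outside entropy-coded data at {start}")
        if marker == 0xD9:                      # EOI: end of image
            segments.append((marker, start, 0))
            return segments
        if marker in STANDALONE:
            segments.append((marker, start, 0))
            continue
        if pos + 2 > len(data):
            raise ValueError(f"marker 0x{marker:02X} at {start}: truncated length field")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2:
            raise ValueError(f"marker 0x{marker:02X} at {start}: length {length} < 2")
        if pos + length > len(data):
            raise ValueError(f"marker 0x{marker:02X} at {start}: length {length} runs past end of file")
        segments.append((marker, start, length))
        pos += length
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF
                and data[pos + 1] != 0x00
                and data[pos + 1] not in range(0xD0, 0xD8)
            ):
                pos += 1

# --- The scanner ---------------------------------------------------------------

def scan_image(data: bytes) -> dict:
    """Verdicts: 'known-bad' (signature hit), 'suspicious' (structural check
    failed), 'clean' (neither). The hash lookup runs first: it is cheap and
    exact, but only ever catches files already in the database."""
    result = {"verdict": "clean", "signature": None, "structural_error": None, "segments": 0}
    sig = KNOWN_BAD_SHA256.get(hashlib.sha256(data).hexdigest())
    if sig:
        result.update(verdict="known-bad", signature=sig)
        return result
    try:
        result["segments"] = len(parse_jpeg_segments(data))
    except ValueError as exc:
        result.update(verdict="suspicious", structural_error=str(exc))
    return result

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_JPEG),
                         ("underflow", UNDERFLOW_COMMENT_JPEG),
                         ("denylisted", PREVIOUSLY_SEEN_BAD)]:
        print(f"{name:10s} {scan_image(sample)}")
```

The two halves illustrate the answer's trade-off directly. The signature lookup is a single hash per file and is exact, but it only knows what is already in the database, which is the point made in the comments: once the vendor has shipped a fix, the signature protects nobody who has applied it. The structural pass is what a scanner must do to say anything about a file it has never seen, and even this toy version only catches gross inconsistencies in the container; it says nothing about whether a well-formed file triggers a bug in a particular decoder, which is why a heuristic that claims to catch unknown exploits is, as the answer puts it, a stretch.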