3

In the past I know there were ActiveX that could be installed as wallpaper and I see that this may be a risk.

  • Is there any risk allowing this on Windows 10?
  • Is there any kind of wallpaper that may damage user data or the system?
  • Is there a security reason to block changing Windows 10 wallpaper using a GPO?
Eloy Roldán Paredes
  • 2
    There have been known vulnerabilities in several image types in the past, that might be an issue if you allowed them to use an image they saved or uploaded. – Julian Knight Oct 07 '16 at 13:09
  • 3
    Not a security issue, but a wallpaper made from a screenshot might fool users into thinking that there is a specific icon on the desktop or that the AV is running. It's a common prank to take a screenshot of the desktop, add it as a wallpaper and then remove icons from the desktop. – A. Hersean Nov 28 '16 at 14:49

3 Answers

1

Purely from a risk perspective:

The risk posed by an image file containing a payload of malicious code is not changed by the fact that you allow users to change their desktop wallpaper.

I mean, if it's got a nasty bit of code in it, then opening the file in Paint or even generating the thumbnail view in Explorer would execute the code too.

At worst you may be increasing the likelihood, because your users might be allowed to grab wallpapers from the web and use them.

0
  • The risk is very small, but exists.

  • Yes, the .png format can be exploited and such a specially crafted file can damage data on your system. As an example, see the very recent CVE-2019-1986,7,8 and what happened to Android.

  • Various types of malicious content can be embedded in various image formats and executed under specific circumstances, but overall the security risk is low if you consider normal use of a PC.

Overmind
-6

Changing the wallpaper will not harm anything if the wallpaper is just a static image. However, if the wallpaper is something like an animated wallpaper or interactive wallpaper, malicious code can be run or the computer's resources can be exhausted through overuse.

  • 3
    An interactive wallpaper is not something Windows supports as a standard and would likely be just a third-party executable file, which wouldn't be affected by the wallpaper-related GPOs anyway. – André Borie Nov 28 '16 at 00:08
  • @AndréBorie (+1) Good point, but it's useful to know about third-party functions as well. – ComputersAreCool Dec 01 '16 at 03:24