3

They are blocked by our email gateway, but are also needed for some workflows. Can these files even contain malicious content and possibly execute code?

Mia
  • 61
  • 2

2 Answers2

4

If a user provides a data file ‘D’ to be opened by a program ‘P’, it’s always possible, in principle, that the user could have carefully crafted ‘D’, to exploit a bug in ‘P’.

For example, the user might have found a bug in ‘P’, whereby if the first five bytes of ‘D’ are 0x01, 0x02, 0x03, 0x04 and 0x05, the rest of ‘D’ will be loaded into memory, as binary code, and executed with administrative privileges!

That’s a rather unlikely bug - but many bugs seem very unlikely in retrospect! I personally found a bug in a hospital system that ran perfectly for several years, but came to a screeching halt from a bug that only happened when a certain program was run on the first day of a leap year.

My point is, it’s virtually impossible to prove that a complex program is bug-free. And if that program opens a user-supplied data file, that could trigger a bug (accidentally, or deliberately). And bugs have who-knows-what effects; perhaps benign, perhaps not!

So there’s really only one safe answer to the question, “Can arbitrary user-supplied files be malicious?”: “Potentially, Yes”.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 2
    An example of such a bug in Adobe Illustrator 2022 being patched in March 2022: https://helpx.adobe.com/uk/security/products/illustrator/apsb22-15.html – Brian Sep 07 '22 at 14:13
0

There is an important difference between executable files (e.g. .exe .bat) which are potentially harmful by design, and non-executable files, which are intended to be safe. While it is theoretically possible for a non-executable file to be harmful, due to vulnerabilities in software, this risk is handled by ensuring software is up-to-date with security patches, and accepting some level of risk.

Recent versions of Office have embraced this by having different file extensions for non-macro documents (.docx) and documents with macros (.docm).

In general, executable files cause a warning if you download them from the Internet and open them, and non-executable files do not. And filtering mail gateways generally block executable files.

Regarding Adobe Illustrator in particular, I am not familiar with this software, but a quick look reveals it supports scripting and that scripts can open files. That implies that .ai files are executable, so there is significant risk in opening them. (This is just from a quick read of online docs, not a thorough assessment)

There may be an option to "Open file with scripts disabled" although I couldn't see evidence of this. Without this, in practice, you are going to have to trust the third party you receive .ai files from. Perhaps you could use a secure drop box so that integrity in transit at least is assured.

In theory, you could run Illustrator in a VM, but that's probably impractical in your environment. Potentially you could have software to remove scripts from a .ai file, or at least, to check for them and warn of their presence. But, unless there is something off-the-shelf, this would require bespoke development.

paj28
  • 32,736
  • 8
  • 92
  • 130