Author Topic: Just a little heads up: Avatars and trojans  (Read 1202 times)
Mipe
« on: July 18, 2009, 02:38:46 AM »

This thread triggers an alert from Avast AV; apparently one of the avatars of users there contains some malicious code or something. Just a heads up. Could be nothing, but better safe than sorry.

Does this mean that remotely hosted forum avatars aren't that safe anymore?

Edit: It is dustin's avatar.
« Last Edit: July 18, 2009, 02:45:24 AM by Mipey » Logged
Paul Eres
« Reply #1 on: July 18, 2009, 05:14:33 AM »

usually it's just a warning for particular domain names which are black-listed, usually nothing to worry about. i know that willhostforfood was blacklisted once, maybe he uses that as a host?
Logged

Kekskiller
« Reply #2 on: July 18, 2009, 06:31:02 AM »

WHFF isn't blacklisted anymore.
Logged
PaleFox
« Reply #3 on: July 18, 2009, 06:45:18 AM »

Yes, that has happened to me as well with SiteAdvisor: certain sites, since they are hosting sites, get blacklisted for one or two people using it for malware and the like, while others can be completely innocent yet their site is also flagged as red (dangerous). When it involves situations like that, it is best to take with a grain of salt.
Logged
Paul Eres
« Reply #4 on: July 18, 2009, 06:47:06 AM »

in any case i think it's impossible to put a virus *inside* an avatar image file, that'd make no sense
Logged

Montoli
« Reply #5 on: July 18, 2009, 08:56:49 AM »

Actually, I don't think it still exists, but there have been bugs in both jpg and bmp parsing routines in popular software, making them vulnerable to buffer overrun attacks.  I think at least one virus made use of this, a couple of years back.  (It spread by being an image that, when viewed through a common program [Internet Explorer, I think], would trigger a buffer overrun to execute code.)

I think these vulnerabilities have been patched for several years, but just say'n.  People are clever.  It's not as impossible as you might think. :D
Logged

deadeye
« Reply #6 on: July 18, 2009, 09:19:23 AM »

> in any case i think it's impossible to put a virus *inside* an avatar image file, that'd make no sense

I disagree.

No, really... you can do that.
Logged

tweet tweet @j_younger
Paul Eres
« Reply #7 on: July 18, 2009, 09:36:38 AM »

hm, that seems to rely on extra buffers to store code -- so it's possible i guess. but the last time it happened was 2004? also i'd imagine the filesize limit on forums for avatars would also discourage that method, since large buffers to store code might cause it to go over the small filesize limits many forums have, leading them to target sites like flickr and deviantart instead of forum avatars
Logged

Montoli
« Reply #8 on: July 18, 2009, 10:16:56 AM »

Never said it was likely.  :)  As you say, those particular exploits are 5 years old.  Just saying "It's possible."  Buffer overruns can happen in all sorts of funny places.  Heck, sometimes it doesn't even require a terribly large buffer.  A malformed header can cause all sorts of trouble on its own.

Anyway, again.  Probably not likely.  But as a friendly reminder - Just because image elements are normally passive data doesn't mean you can automatically trust them not to be a threat and bite you. 
Logged
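
An added example, not part of any post in this thread: a C sketch of the header checks an image loader needs before it trusts a BMP's own size fields, which is where the "malformed header" problem mentioned above comes from. The function names, the `MAX_DIM` limit and the restriction to uncompressed 24-bit files with a 40-byte info header are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DIM 4096   /* assumed avatar policy limit, not from the thread */

static uint32_t rd32(const unsigned char *p) {       /* little-endian read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(unsigned char *p, uint32_t v) {    /* little-endian write */
    p[0] = v & 0xff; p[1] = v >> 8 & 0xff; p[2] = v >> 16 & 0xff; p[3] = v >> 24;
}

/* Returns 0 and sets *pixel_bytes if every header field is consistent with
 * the bytes actually received; otherwise a negative code for the failed check. */
int bmp_check(const unsigned char *buf, size_t len, size_t *pixel_bytes) {
    if (len < 54) return -1;                              /* truncated header */
    if (buf[0] != 'B' || buf[1] != 'M') return -2;        /* wrong magic */
    uint32_t off = rd32(buf + 10), hdr = rd32(buf + 14), comp = rd32(buf + 30);
    int32_t w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    unsigned bpp = buf[28] | buf[29] << 8;
    if (hdr != 40 || bpp != 24 || comp != 0) return -3;   /* unsupported variant */
    int64_t ah = h < 0 ? -(int64_t)h : h;                 /* negative = top-down */
    if (w <= 0 || ah == 0 || w > MAX_DIM || ah > MAX_DIM) return -4;
    size_t stride = ((size_t)w * 3 + 3) & ~(size_t)3;     /* rows pad to 4 bytes */
    size_t need = stride * (size_t)ah;                    /* bounded by MAX_DIM */
    if (off < 54 || off > len) return -5;                 /* offset outside file */
    if (need > len - off) return -6;                      /* header overstates data */
    *pixel_bytes = need;
    return 0;
}

/* Constructed sample: a well-formed w x h 24-bit BMP with zeroed pixels. */
size_t sample_bmp(unsigned char *out, size_t cap, int32_t w, int32_t h) {
    size_t total = 54 + (((size_t)w * 3 + 3) & ~(size_t)3) * (size_t)h;
    if (w <= 0 || h <= 0 || total > cap) return 0;
    memset(out, 0, total);
    out[0] = 'B'; out[1] = 'M'; out[26] = 1; out[28] = 24;
    put32(out + 2, (uint32_t)total); put32(out + 10, 54); put32(out + 14, 40);
    put32(out + 18, (uint32_t)w);    put32(out + 22, (uint32_t)h);
    return total;
}

int main(void) {
    unsigned char b[128]; size_t px = 0, n = sample_bmp(b, sizeof b, 2, 2);
    printf("valid: %d\n", bmp_check(b, n, &px));
    put32(b + 18, 0x7fffffff);                 /* header claims a huge width */
    printf("huge width: %d\n", bmp_check(b, n, &px));
    return 0;
}
```

The pixel byte count is computed only after both dimensions are bounded, so the multiplication cannot wrap, and it is compared against the bytes remaining after the data offset rather than against the header's own file-size field.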

Mipe
« Reply #9 on: July 19, 2009, 02:06:44 AM »

Logged
Paul Eres
« Reply #10 on: July 19, 2009, 03:51:51 AM »

wasn't avast that program that gave false positives and thought every single mmf game had a virus, and deleted it without telling the user, and people lost all their hard work and their mmf game collections? or was it avg? one of those. anyway, just because it detects something doesn't mean it's there, i get tons of false positives. likely one here too (especially since it's a .gif)
Logged

Shade Jackrabbit
« Reply #11 on: July 19, 2009, 07:59:02 AM »

@Paul: I know AVG did that, except it asked you ahead of time. I wouldn't be surprised if they did though. Both MMF and Construct have memory holes in their programming, which is a security risk and why DEP prevents them from running properly. (Hence why I had to turn it off). AVG at one point managed to find a way in through one of those and assumed MMF was a trojan. At least, that's how I remember it happening. It was in February or something.
Logged
