[clamav-users] scanning mp3-files with clamscan
Paul Kosinski
clamav-users at iment.com
Tue Jul 18 17:21:15 UTC 2017
"...the worst thing that might happen would involve crashing the
player..."

No, the worst thing that might happen is that a buffer overflow results
in code execution in the player's security context. With deliberate
malicious code added to the MP3 data stream, this could even lead to
encrypting the user's files for ransom.

This sort of buffer overflow execution flaw has surfaced in other
situations where "mere" passive data has led to security problems due
to buggy processing, and is often being patched in various application
programs.

Of course, executable files (incl. less obvious ones like PDFs) pose a
worse threat, but why single out MP3 among passive data formats? They
are not the only big "passive" files -- TIFs can be really big these
days, and various video formats even bigger (H.264, MPEG-2 etc.).

On Mon, 17 Jul 2017 23:21:13 -0700
Al Varnell <alvarnell at mac.com> wrote:
> True MP3 files contain sounds that a media player plays. Anything
> executable can't be handled by the player and the worst thing that
> might happen would involve crashing the player, if that's even
> possible.
>
> Most, if not all scanners ignore such files. They take a long time to
> scan with a high probability of zero results. The only example I can
> locate that comes close to maliciousness is one that contacts
> an Internet site capable of downloading actual malware. Such a site
> would not last long and the actual malware will likely be found
> before the download completes.
>
> Feel free to locate or better yet submit a sample of anything else
> and you stand a chance of convincing someone that it would be worthy
> of changing the policy.
>
> Sent from Janet's iPad
>
> -Al-