
Re: video/@src vs application/octet-stream

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 19 Jul 2010 13:46:03 -0700
Cc: Leonard Rosenthol <lrosenth@adobe.com>, "julian.reschke@gmx.de" <julian.reschke@gmx.de>, Boris Zbarsky <bzbarsky@MIT.EDU>, "public-html@w3.org" <public-html@w3.org>
Message-id: <AC9ED72B-BBEA-4D84-909B-42278CD777BD@apple.com>
To: Maciej Stachowiak <mjs@apple.com>

On Jul 19, 2010, at 1:42 PM, Maciej Stachowiak wrote:

> 
> On Jul 19, 2010, at 1:31 PM, Leonard Rosenthol wrote:
> 
>> While I don't necessarily want to start the "why sniffing is evil" discussion here, I have to challenge the basic premise below.
>> 
>>> media formats are, in general, unambiguously sniffable, 
>>> and do not contain active content that would pose a security risk. 
>>> 
>> Sorry, but this is NOT the case!
>> 
>> There are a number of known attacks (not just POCs) that rely on format sniffing and specially constructed "hybrid" files that claim to be one (safe) thing but are really something else that is considered unsafe.
> 
> Can you give a specific example of a "hybrid" video or audio file being used as an attack vector? I am not aware of any exploits like that. Knowing about them would be helpful information.

I should clarify, I do know of exploits due to hybrid resources in general, just not any where the attack depends on getting sniffed as a video or audio file by the <video> element. While sniffing can create security problems, the security considerations are highly context-dependent.

Regards,
Maciej
Received on Monday, 19 July 2010 20:46:36 UTC
