Re: video/@src vs application/octet-stream

On Jul 19, 2010, at 1:31 PM, Leonard Rosenthol wrote:

> While I don't necessary want to start the "why sniffing is evil" discussion here, I have to challenge the basic premise below.
> 
>> media formats are, in general, unambiguously sniffable, 
>> and do not contain active content that would pose a security risk. 
>> 
> Sorry, but this is NOT the case!
> 
> There are a number of known attacks (not just POC's) that relying on format sniffing and specially constructed "hybrid" files that claim to be one (safe) thing but are really something else that is considered unsafe.  

Can you give a specific example of a "hybrid" video or audio file being used as an attack vector? I am not aware of any exploits like that. Knowing about them would be helpful information.

Thanks,
Maciej

Received on Monday, 19 July 2010 20:43:32 UTC