Risk of Internet Graphics

[Kathy Stevens]

We are concerned about the risk associated with copying images from the Internet and inserting them into MS Word and/or PowerPoint presentations.

A core component of our business is the development and distribution of reports and delivery of PowerPoint presentations that summarize our market analysis. While drafting documents/presentations we frequently grab an image/graphic from an Internet page and paste it into a draft document as a placeholder. Prior to release of any documents/presentation we either develop our own graphic as a replacement or gain permission from the owner for its use.

Our concern is downloading a virus or other malicious content when we capture an Internet graphic. We use Firefox as our primary browser and from Firefox we have the option to “copy the image”, “save the image as”, or “View the image”. We also have the option of using Microsoft’s Slip & Sketch tool. All of our computers are protected by Norton Security Online.

We would appreciate your thoughts as to the safest way to capture and use graphics from the Internet.

[PKCano]

If you do a screenshot, snip ‘n sketch, etc, you have not downloaded anything. You are making a copy of the graphics generated/displayed by your screen,

6 users thanked author for this post.

rexr, Kathy Stevens, doriel, GoneToPlaid, SueW, Microfix

[mn–]

PKCano wrote:

If you do a screenshot, snip ‘n sketch, etc, you have not downloaded anything. You are making a copy of the graphics generated/displayed by your screen,

Actually, just the opposite.

You by definition have to download something before you are able to generate a display representation of it.

Most of the theoretical danger is in the stage where you go and look at the image. After that, copy/paste is somewhat safer… but not completely.

Remember the WMF vulnerability from December 2005? That was exploitable on Windows NT, 2000, XP and Server 2003, on display of a specific kind of image on a website using IE… or in other ways. It could also run other malware.

Apple too had a “crash on display of image” vulnerability at least as late as 2016, might also have had a remote code execution one.

These tend to be patched in a hurry when found, but, well…

So yeah. If you’re really worried about security, you run the browser in a tight sandbox (possibly a full VM) with scanners set to extra paranoid… some organizations require that this be done on dedicated systems that don’t contain any of the sensitive data, and resulting files (including screengrabs) then be passed through more than one separate malware scanner before being included in any internal document processing.

1 user thanked author for this post.

Kathy Stevens

[anonymous]

… and resulting files (including screengrabs) then be passed through more than one separate malware scanner before being included in any internal document processing.

How could malware be included in a screenshot which copies pixels from the screen?

3 users thanked author for this post.

Kathy Stevens, Myst, GoneToPlaid

[mn–]

That part was from a very real policy at a certain local organization.

Might be a bit overly paranoid, but at least it ensures that users aren’t confusing things between clipboard (which can include all kinds of content) and direct screengrabs.

[GoneToPlaid]

It can’t.

[GoneToPlaid]

Replying to myself, and after thinking more about this, malware on a given web page can be targeted at the software for your computer’s graphics card. This is why it is very important to install updates for your computer’s graphic card(s) and also for your computer’s embedded graphics. Why the latter? Even if you are not using your computer’s embedded graphics, the drivers for the embedded graphics may be loaded and running on your computer.

[mn–]

The 2005 WMF one could even target your printer driver… when displayed from a web page. Apparently.

[doriel]

Picture can contain malware in the header.

Malwarebytes article

Screenshot of display cant, cause its generated from within the PC.

Suspicious pictures should be “oversized”. I mean 1024*768 picture is going to have 10+ MB size. This is the clue, that something is wrong. Taking screenshots with snip n scatch should be prefectly safe.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

1 user thanked author for this post.

Kathy Stevens

[Ascaris]

This is all true… downloading is any transfer from the network to the local machine, not just an action that results in the “save as” dialog appearing. I know a guy who was dead-set against having to “download” anything, since that’s dangerous, but he would happily use the same device that he would not “download” on to browse, and he also doesn’t mind the Apple iOS updates or storing and retrieving things in/from the “cloud,” as if that’s not just another internet-facing server out there somewhere.

Still, that’s the risk when browsing the web in general, and the question was about the risks involved with grabbing graphics from the internet for use in presentations, not in browsing the web.

If you grab a screenshot, you’re not downloading anything that was not already downloaded as a part of the usual browsing process.

You’re usually really not downloading anything additional if you right click a picture and select “Save Image” either, since doing that would just save the file that is currently in the browser cache to the location you’ve selected for it. It would be taking it out of the browser cache, though, and any sandboxing that is in effect within the browser would not apply to the file when it is accessed by another process.

Images are not meant to be executable, so if the image data is handled properly by the OS and the various applications that use the file, it won’t present any risk. That’s the problem, though… if there is a vulnerability in any process that accesses that file, and the file is crafted in such a way to trigger the vulnerability, it could do any number of things, depending on the exploit itself. There’s no way to know that there is not such a weakness in any given program we use, but you can’t act as if everything is like that without giving up using the internet at all.

Or, as my learned feline colleague hurried over to write on the topic just now:

032..[and 516 more periods]            Q@22@@@g

I think that says it all!

Group "L" (KDE Neon Linux, User Edition).

4 users thanked author for this post.

Kathy Stevens, zat_so, doriel, Myst

[Myst]

Ascaris wrote:

032..[and 516 more periods]            Q@22@@@g

My fur baby pounced on that post by your feline and took a screenshot. He knows how to follow instructions and stay safe on the Internet. 🐱

Win7 Home x64 MacOS Chromebook

1 user thanked author for this post.

SueW

[Microfix]

Reminds me of the old ‘double extension’:
eg: funny.jpg.exe will be displayed as funny.jpg
The way round this was to select folder options.
On the View tab, uncheck ‘Hide extensions for known file types’ so that the .exe part is revealed and can be identified as malicious and removed.
I’ve had ‘Hide extensions for known file types’ unchecked on all our devices for years.
It makes things a lot easier to identify.

Using the snipping tool or Snip and sketch online prevents this from landing on your device.

Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L

2 users thanked author for this post.

doriel, GoneToPlaid

[Rick Corbett]

All ‘browsers’ download content before displaying it… they don’t magically display anything without downloading it first into the browser’s own cache.

1 user thanked author for this post.

Kathy Stevens

[PKCano]

The browser downloads into the temporary Internet files/cache wherever it is (sandboxed or not).
This is unavoidable if you are going to use the Internet.
What’s in the browser’s temporary Internet files/cache should be deleted when the browser is closed.

But that is NOT what is in the screenshot. The screenshot is a recording of the screen display/pixels.
There is no malware in that picture.

4 users thanked author for this post.

Kathy Stevens, Microfix, Myst, GoneToPlaid

[mn–]

Ascaris wrote:

It would be taking it out of the browser cache, though, and any sandboxing that is in effect within the browser would not apply to the file when it is accessed by another process.

Well the old-fashioned kind of sandboxing does mean that it can only write within the sandbox, so if the box is defined appropriately this can be separate from the normal download directory.

Which is what I’ve seen in certain places. Also user’s normal processes were unable to read the sandbox’s downloads – there was a custom background tool that ran two or three different malware scanners on each file and those that passed, got moved to a normally accessible folder by the tool.

Also clipboard (copy/paste, etc) didn’t work in or out of the sandbox.

That was some years ago for me. Don’t know offhand if such a solution is available anywhere off the shelf nowadays.

Ascaris wrote:

Images are not meant to be executable, so if the image data is handled properly by the OS and the various applications that use the file, it won’t present any risk. That’s the problem, though… if there is a vulnerability in any process that accesses that file, and the file is crafted in such a way to trigger the vulnerability, it could do any number of things, depending on the exploit itself.

Exactly. And I understand the Microsoft WMF vulnerability and the Apple TIFF and OpenEXR vulnerabilities, and at least some of the various ImageMagick (typically on Linux) vulns have been improper handling of data within the image file.

At least one of the ImageMagick cases involved negative values (signed integer) where the file format specification only allowed zero or positive values.

PKCano wrote:

But that is NOT what is in the screenshot. The screenshot is a recording of the screen display/pixels.
There is no malware in that picture.

Yeah, that organization might have been a bit overly paranoid but at least it made for simpler instructions for users.

[Ascaris]

mn– wrote:

Well the old-fashioned kind of sandboxing does mean that it can only write within the sandbox, so if the box is defined appropriately this can be separate from the normal download directory.

Yes, there’s the “full” level of sandboxing external to the browser itself, much like a VM but with the host and the guest running the same OS, but there’s also the “sandboxed” browser tabs or other such things that are part of modern browsers. They are running at the user level, and are sandboxed with respect to being unable to interact (assuming everything is working properly) with other processes operating at the user level, including sites in other tabs/processes. Any process spawned by an exploit would be operating as child processes of the relevant browser processes, and would not be able to interact with the real filesystem or OS.

Clearly, though, this level of sandboxing does not completely cut off access to the broader filesystem, as “downloading” files to any place the user desires is possible. Since the context of the sandboxing is the browser process, anything that makes the file available outside of the browser process (or that goes into the browser cache directly to grab it) sidesteps the whole thing. It’s not a full sandbox in the context of the OS as a whole.

Group "L" (KDE Neon Linux, User Edition).

[GoneToPlaid]

Microfix wrote:

On the View tab, uncheck ‘Hide extensions for known file types’ so that the .exe part is revealed and can be identified as malicious and removed.

That doesn’t always work. The further solution is to reset all folders, and then to also disable automatic folder type detection in the Windows 7 registry.

[Vincenzo]

I would say you can decrease your risk by having your company buy a subscription to reliable service that supplies images. You’ll find the search is more refined and includes details to a greater degree.

ie you can search for an old man wearing a green hat eating a hot dog.

Here are a few:

Shutterstock I’ve used this one a lot

iStockphoto.com

Fotolia

Here are some free ones:
Pixabay
Unsplash

[Vincenzo]

(con’t) I think any of these would be safer than the wild west of the internet, since they have their business interests to protect, I expect they scan all their offerings for malware.

[Kathy Stevens]

Thanks all for your input.

My take way from the thread is that the greatest risk of virus/malware related to Internet Graphics is the download process itself not the graphic that appears on the screen. The exception being oversized graphics that may can contain malware in their headers.

When using snip ‘n sketch, etc., we are simply copying the pixels as displayed on the screen and pasting them into a document or saving them to a drive. Low risk of adverse results.

Also, when we right click on a picture and select “Save Image” we are just saving the file that is currently in the browser cache to the location on a drive that we have selected for it and it should be free of unwanted detritus.

And best practices suggest that the browser’s temporary Internet files/cache be deleted when the browser is closed.

It was also suggested that we can decrease our risk by acquiring images from organizations such as gettyimages.  In our case we prefer to deal with governmental agencies, trade associations, our industry partners, and news organizations such as Bloomberg and Reuters.

Then there is the whole discussion about sandboxes.

[Alex5723]

Kathy Stevens wrote:

Also, when we right click on a picture and select “Save Image” we are just saving the file that is currently in the browser cache to the location on a drive that we have selected for it and it should be free of unwanted detritus.

Wrong. The file/picture still may contain malware if your A/V software isn’t up to the task.

Image-Borne Malware: How Viewing an Image Can Infect a Device

2 users thanked author for this post.

doriel, Kathy Stevens

[Kathy Stevens]

The link   https://www.opswat.com/blog/image-borne-malware-how-viewing-image-can-infect-device takes me to and excellent article Image-Borne Malware: How Viewing an Image Can Infect a Device that is dated December 12, 2016.

The article indicates that, “But there’s more than one way to introduce malware. Image malware — malware that’s concealed within in-browser images — has become a potential threat vector as well.”

Are you aware of any advances that have been made to internet browsers or virus protection software that have mitigated this risk?

How frequently and when was the last time that you are aware of that a image delivered embedded malware to a Windows 10 system?

[mn–]

Kathy Stevens wrote:

My take way from the thread is that the greatest risk of virus/malware related to Internet Graphics is the download process itself not the graphic that appears on the screen. The exception being oversized graphics that may can contain malware in their headers.

… well, no.

Just downloading a file without doing anything else with it is quite safe. Being able to crash a computer with just a network datastream would be sort of a no-brainer bug in today’s networks.

But, decoding and parsing the file contents for display, reprocessing, generating preview mini-images, on-disk indexing (might run in the background continuously), whatever… theoretically even a malware scan can be hazardous.

Though that latter one is mostly just theoretical because scanner authors are supposed to know to look out for it – the actual issue being that potentially security-compromising errors or missed data validity checks may exist in the image decoding/parsing libraries.

Yes, there was a variant of the 2005 WMF fault that could infect computers with malware when the WMF file was indexed for searching with certain third-party search tools, as well as the display phase.

Also with complex image formats like WMF, TIFF, SVG, EPS, PS, DNG and some others … there is no conclusive way to determine what is “oversize” without thoroughly parsing the image data. Vector images can do arbitrary resolution and zoom, after all, and things like TIFF and DNG might contain several images in one file (Multipage TIFF, multi-exposure DNG) as well as more than one kind of color data (UV, IR, whatever in addition to visible light).

Even plain old JPG is a variable-compression format so images of the same pixel dimensions may have wildly different on-disk sizes.

Kathy Stevens wrote:

How frequently and when was the last time that you are aware of that a image delivered embedded malware to a Windows 10 system?

Successfully? Don’t know of it happening myself, the WMF one was before Windows 10. Attempted? I’m fairly sure that one thing I saw a bit of in 2018 tried that, but it was caught.

[doriel]

Question:

My latest thought is, whether is possible to diplay webpages without pictures? I think it could be done somehow in the browser setting. I found this out-of-date article, which supports my theory.

https://kb.iu.edu/d/acpv

But I cant find it in Chrome.

I managed to do it in Vivaldi, but I cant find it in chrome.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

• This reply was modified 3 weeks, 6 days ago by doriel. Reason: picture

Attachments:

You must be logged in to access attached files.

[mn–]

In Firefox it’s no longer in the “easy” settings. Have to go to about:config and tweak permissions.default.image (value of 2 would be don’t load images).

1 user thanked author for this post.

doriel

[anonymous]

If you plan on not viewing pictures on the web, why not just go to Lynx?

[Alex5723]

doriel wrote:

But I cant find it in Chrome.

I managed to do it in Vivaldi, but I cant find it in chrome.

Attachments:

You must be logged in to access attached files.

1 user thanked author for this post.

doriel

[doriel]

Now I will be perfectly safe, if no image is loaded 🙂

Thank your for chrome setup picture. I set this and it works as inteded.
Sadly, in Vivaldi, if I relaunch Vivaldi, settings remain. But the page reloads with pictures after relaunching the browser. Maybe I should post this as feedback to developpers.
I wont use this, I think I never get into problems with pictures, I surf mostly safe pages like this forum. But it is goog to know, that something like this exists and to know how to protect ourselfs against it.

Also not showing pictures on metered connection, for example via mobile hotspot, where every megabyte can be precious, someone could find this setting usefull.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

1 user thanked author for this post.

Alex5723

[Ascaris]

doriel wrote:

Now I will be perfectly safe, if no image is loaded 🙂

Well… no, not really.

Images are just one potential exploit, and as they go, not one of the more dangerous ones. Javascript is more of a threat than are images, and most sites won’t work without it. WebAssembly and service workers could potentially deliver exploits as well, though I don’t know whether or not those are implemented without Javascript in the first place.  Even plain text (as in a HTML file) could be a threat vector if there was some vulnerability in the browser or one of the libraries it uses that could be triggered in that way.

One of the thing security researchers do is dream up hypothetical ways that these things might be possible and looking to see if there is any way to do it, using all sorts of automated tools (like fuzzers), and they sometimes find them. The thing is, though, that the bad guys have the same tools available to discover the same weaknesses, and they won’t be reporting them to the software developers to be fixed. In time, these exploits that make it into the world without being discovered by the good guys (zero days) will eventually be discovered, but they could cause a lot of damage before that happens (and after, depending on how long it takes for a fix to be developed and for its targets to get patched).

If you go disabling things just in case there might be an unknown exploit lurking within, you’ll eventually end up just disconnecting from the internet. Any data that is transferred from outside of your PC is a potential threat vector, and the only perfect safety is to not turn the PC on at all. Even disconnecting from the internet isn’t 100% safe, as exploits to target airgapped systems have worked in the past (like Stuxnet).

Personally, if I didn’t loathe what Windows 10 is about, I would not have a problem using it for general browsing and such, even though it is a much bigger target as far as desktop PCs go. Linux gets target plenty in the realm of servers, as it is a target that is worth the time there, but on the desktop, well… 2% of users are using Linux, 10% on MacOS, and 88% Windows (and this is where nearly all of the less savvy PC users live too), and if all of the malware programs all take the same relative amount of effort to develop, which would you pick if you were the bad guy?

Still, I’d be fine using Windows even with that in mind, with images enabled (and Javascript too, though I also use uMatrix to limit the sites that can run scripts). There’s risk, and there are countermeasures you can take, but at some point there has to be a leap of faith, since it’s impossible to say that there’s no unknown security holes in any given software. Just be smart about things and your odds are pretty good… but not absolute.

Group "L" (KDE Neon Linux, User Edition).

3 users thanked author for this post.

doriel, OscarCP, Kathy Stevens

[OscarCP]

Following along Ascari’s line of though, I suspect pretty much any documents that include software in order to perform an action, such as directing the rendering of some kind of image on a monitor, can be vectors of malware. That means: PDFs, Office documents, Zipped documents … I am missing something here? Not a happy thought. If I am right, then the best way to take care of this kind of problem might be to sing: “Don’t worry, be happy!”

OK, well, one could also have the files one downloads scanned in real time for nasty things by a good antivirus that then gives an alert with the suggestion to either quarantine the evil thing, or get rid of it altogether. Not quite an infallible protection, because nothing is and such is life — in my opinion (hence the recommendation at the end of the previous paragraph).

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

[mn–]

OscarCP wrote:

I suspect pretty much any documents that include software in order to perform an action, such as directing the rendering of some kind of image on a monitor, can be vectors of malware. That means: PDFs, Office documents, Zipped documents … I am missing something here? Not a happy thought.

Well yes, theoretically we knew this already and MS Office macro malware is a known old thing. PDF exploits have been seen occasionally… PostScript used to have an on-purpose feature (yeah right, not particularly well thought out) where it could execute local code, sort of like WMF before the patches could call graphics and printer drivers directly.

And one of the other image processing faults included interpreting something from within the “dumb” image as a memory seek outside the actual image data. (Validation check would’ve been possible, but not implemented in graphics library before then.)

And then all the funny things that happened even with plain text with the transition to Unicode… old-fashioned bounds checking got funny when a single character could suddenly be a variable number of bytes long, and still might not actually contribute to text width…

OscarCP wrote:

OK, well, one could also have the files one downloads scanned in real time for nasty things by a good antivirus

That and a boundary between the downloading and checking process and the other parts. Like the more complete kind of sandbox.

• This reply was modified 3 weeks, 5 days ago by mn--. Reason: typo

[Kathy Stevens]

When you set your Internet browser to display webpages without pictures are the pictures downloaded to your computer and not displayed on the monitor or is there a firewall setup that blocks images from downloading to your computer altogether?

[Alex5723]

Pictures are filtered by the browser and are not download.
No firewall.. involved.

2 users thanked author for this post.

Charlie, Kathy Stevens

[mn–]

Kathy Stevens wrote:

or is there a firewall setup that blocks images from downloading to your computer altogether?

There was one of these once, long ago.

It only sort of worked if the web page was old-style http and not https … and even then only “sort of”.

And of course it also made navigating pages with image-based links rather difficult.

(The “don’t load images” feature could be overriden by individual image, IIRC right-click and “load this image”, so you could selectively load things until you find the right link button… unless someone was doing the silly thing and hiding the unloaded-image markers… haven’t tried that in a while myself.)

[Charlie]

Doesn’t UBlock Origin do that?  It’s not a firewall but blocks a ton of ads and their graphics.  This to me would seem to make web browsing a bit safer.

My memory is still good...but access time is way down.

[Kathy Stevens]

Bottom line.

It appears that the likelihood of being attacked by a virus or other malicious code contained in a graphic displayed in Firefox is no greater the the risk to a PC than that posed by a Windows 10 update installed on patch Tuesday, assuming the that the individual doing the browsing is reasonably responsible and avoids “high risk” web sites.

[Alex5723]

Kathy Stevens wrote:

It appears that the likelihood of being attacked by a virus or other malicious code contained in a graphic displayed in Firefox is no greater the the risk to a PC than that posed by a Windows 10 update installed on patch Tuesday

Wrong assumption. While there are viruses in pictures (and other files) in the wild, there are none, to our knowledge, in Microsoft’s monthly updates.
Firefox or any other browser don’t run an A/V check for malware of any type.

• This reply was modified 3 weeks, 5 days ago by Alex5723.
• This reply was modified 3 weeks, 5 days ago by Alex5723.
• This reply was modified 3 weeks, 5 days ago by Alex5723.

[OscarCP]

Alex: I’ll wildly guess Kathy Stevens means the patch is the virus. (Metaphorically, of course…)

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

1 user thanked author for this post.

Kathy Stevens

[Kathy Stevens]

That is correct.  Our concern is related to any activity that will cause a computer related problem.

As analysts, we are constantly looking at the probability that an event will happen.

If we copy a internet graphic from Firefox and paste it into a Word document what is the probability of being exposed to an attack.

Is the probability of an internet graphic related attack greater than a Windows 10 update causing a problem with a computers operating system or one of a computer’s drivers?

My scene from reading the thread is that an internet related graphic attack is a low probability event.

[mn–]

Kathy Stevens wrote:

My scene from reading the thread is that an internet related graphic attack is a low probability event.

This is entirely correct, particularly random graphic attacks.

These are still a subtype of threat to monitor. And if you don’t have any Apple things that use OpenEXR format images, well, you could’ve mostly just ignored the 2016 Apple OpenEXR image handling vulnerability… for example. (Just mind it enough to not pass any such on to others.)

If you’re a known attractive target though, the threat profile changes slightly – my understanding is that graphic-based attempts are a bit more likely in targeted attacks, in particular if the attacker can find out and target a specific application version that you specifically are using.

1 user thanked author for this post.

Kathy Stevens

[Author]

Posts