SVG concerns...
Posted: 27 Jun 2016, 13:04
Recently a security concern was brought to my attention
about the merit of Scalable Vector Graphics (SVG) format
use in an OS either @ boot or as a Material Design GUI desktop element.
Since I have a keen interest in using SVG for Material Design GUI high-resolution
desktop elements... on advisement I did a cursory single page search.
The results (more or less)...
http://webwarper.net/ww/~av/www.securit ... ransomware
https://www.rapid7.com/db/modules/explo ... k_svg_java
https://cyberoperations.wordpress.com/o ... e-browser/
http://thehackernews.com/2015/06/Stegos ... lware.html
http://www.binarytides.com/hack-windows ... x-exploit/
http://eromang.zataz.com/2013/05/27/fir ... loit-demo/
The above referenced exploits only pertain to compromising applications.
To the best of my knowledge (and I have a lot)... the potential for ANY
image file (or ANY file) to pose a security threat has been long known.
However... for ANY file to pose a threat @ boot time (on secure media)...
the system firmware would have already been compromised.
Which makes the problem's source... firmware payload NOT file payload.
I have already stated MANY times before... Linux
(and by extension Porteus) is " Secure by design ".
If an OS (including derivatives) and/or repo contains ANY
unverified files the problem's source... would be its developer.
Therefore... in regards to a secure (even better... "hardened") live OS booting on signed secure
firmware/hardware and media... @ this time NO file format poses ANY "known" credible system threat.
For as far back as can be remembered... all software (including commercial) comes with a use @ your own risk disclaimer.
The reason for this... is because developers realized early on... that software is only as safe as the person using it.
Posted by 73.112.16.59 via http://webwarper.net
This is added while posting a message to avoid misusing the service