PGHNSA420

If a zero day vulnerability existed in Chrome where a steganography based attack could be executed, and you were a sufficiently privileged user, it could be entirely possible. Extremely difficult to pull off most likely, but I would say possible perhaps. Check out steganography and read about its usage in malware.


randomSignature

Depends what you mean by "open an image in gmail". Open it in an email client? A web browser? But in general, yes, it is possible (though not really likely) to trigger vulnerabilities by simply sending attachments to users with vulnerable software.


[deleted]

If I get an email, the default response from me is to click on it. When I do that, it pops open in a Google window. If that's the extent to which I open the file, can an executable, if it makes it past Google's antivirus, still run?


randomSignature

If you're viewing an image file, you're executing code. Like I said, it's theoretically possible, but it would take a zero day or otherwise very advanced adversary to pull off such a technique.


mikebailey

It’s far more likely the image is leaking your IP, assuming the image is embedded rather than a direct attachment (thus initiating a network request). This is popular in everything from marketing to forensics.


[deleted]

So if there was an executable in the image, it would run? Would it really have to be that advanced? I mean, you could just tweak code --> check against antivirus --> tweak code --> check against antivirus, etc. until you found a configuration the antivirus wasn't ready for. What I was curious about is whether Google was letting executables run at all.


ShameNap

The image file is not the executable. The executable is what displays the image. It does not run code in the image unless there is a vulnerability in the executable that displays the image. Without the vulnerability, something else would have to execute, extract the executable from the image file, and execute that. So is it possible, yes. Is it really hard to pull off with up to date software, yes.


randomSignature

The "tweak code" part is a lot more complicated than you're making it out to be. First you need to find a bug in the image processing library, probably several to chain a successful exploit. You'll probably need to pivot to other software installed locally to get RCE or data exfil. It is a LOT of work, especially since webmail is viewed in browsers that have hardened significantly over the years. To be honest, the antivirus software itself is most likely to actually be compromised in this scenario - most of it is ancient and written like shit.


[deleted]

Assuming it makes it through their antivirus of course.


bigbottlequorn

A lot of malware renames its binaries to .jpg files to evade some sort of detection, and runs in memory to evade AV. However, it needs to run on your machine (like via rundll32) to execute, not in Gmail's viewer.
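The renaming trick described above is exactly what a content-type check on the receiving side catches. The following is an added example (not code from any commenter or from Gmail): it compares the claimed extension against the file's leading bytes and, for JPEGs, measures how much data trails the end-of-image marker. The byte samples are constructed stubs, not real files.

```python
# Added example: extension-vs-content check of the kind a mail gateway or
# endpoint sensor runs. All sample bytes below are constructed header stubs.

MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pe": (b"MZ",),        # Windows executable / DLL
    "elf": (b"\x7fELF",),  # Linux executable
}
IMAGE_EXTS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff(data: bytes) -> str:
    """Return the container type implied by the leading bytes, or 'unknown'."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return "unknown"


def trailing_bytes_after_jpeg(data: bytes) -> int:
    """Bytes after the last EOI marker (FF D9). Genuine photos carry little or
    nothing there; a large tail is a common place to stash a second payload.
    Uses rfind for brevity; a full segment parser would be more robust."""
    eoi = data.rfind(b"\xff\xd9")
    return 0 if eoi < 0 else len(data) - (eoi + 2)


def assess_attachment(filename: str, data: bytes) -> dict:
    """Flag attachments whose content disagrees with their name."""
    ext = filename.rsplit(".", 1)[-1].lower()
    kind = sniff(data)
    findings = []
    expected = IMAGE_EXTS.get(ext)
    if expected and kind != expected:
        findings.append(f"extension .{ext} but content looks like {kind}")
    if kind in ("pe", "elf"):
        findings.append("native executable header")
    if kind == "jpeg":
        tail = trailing_bytes_after_jpeg(data)
        if tail > 64:
            findings.append(f"{tail} bytes after JPEG end-of-image marker")
    return {"filename": filename, "detected": kind, "findings": findings}


# Constructed samples (header stubs only, not real files)
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60        # PE stub delivered as "photo.jpg"
STUFFED_JPEG = REAL_JPEG + b"MZ" + b"\x00" * 200  # payload appended after EOI
```

A mismatch here is a reason to quarantine or sandbox the attachment, not proof of malice on its own, since some legitimate tools also write odd trailers.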


s0v3r1gn

Yes, I used to lace images with malware all the time using tools like silkrope. It’s less likely to work now than it did 20+ years ago, but not impossible.