This is the first I've heard of this, but one of our top global clients just notified their account executive that we need to stop sending them emails, since they are currently being blocked because the emails contain references to .PNG image files. Apparently, malicious code can be transported via PNG files. Is this true? And are some spam/security filters now configured to block emails with PNGs?
Theoretically, it’s possible for any file to have a virus. For non-executable ones – like PNGs – you still need an executable (.exe, .js, .zip, .rar, etc.) to trigger it (which is why all scripts of any sorts are stripped from emails – e.g., why we can’t embed a video in an email). This is the first we have heard of a customer informing us that they are blocking our emails because of the inclusion of PNGs.
Perhaps their spam filter needs to whitelist you.
Or you should check your PNGs. There's always the possibility of JPEGs, etc. having encoding that hides information. I'm sure you could look up the details. Why wouldn't they just default to using image blocking?
Never heard of this, but I remember that a few years ago, JPGs were suspected of being possible virus vectors. I suppose that any antivirus system can detect an infected JPG, and this is the same for PNGs. So just blocking the whole email does not, IMHO, make much sense.
And BTW, a quick search on Google shows this risk has been in the air since 2013.
Yeah, the problem is when a non-executable format becomes executable due to a bug in the surrounding environment. There doesn't need to be an outside executable, though, just a bug in an existing app (such as a mail client, browser, photo editor, or low-level programming library).
We know you can embed non-image sections in image formats: those sections could be compiled+obfuscated binary code; plain-text commands, like Windows batch, SQL, or JS; or a nonsense sequence that's not technically executable, but is known to crash apps that read it.
The important part for attackers is finding an app that either [a] doesn't sanitize input properly or [b] is itself in charge of sanitizing and has a vulnerability. So in the course of ostensibly opening an image file it accidentally allows memory to be overwritten with malicious code -- or, like I said above, just crashes the app due to a null pointer, buffer overflow, etc.
Think about if you could craft a malicious PNG that crashes a PNG fixup utility. If every PNG that enters a company passes through the same filter and malicious PNGs are capable of crashing the filter itself, you'd have little choice but to block PNGs completely.
All that being said, I would strongly question how anyone could operate for more than a day if they are blocking PNGs. This would have to apply to web filtering as well, or it makes no sense.
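As an added example, not from this thread or any of its posters: a small Python scanner that walks a PNG's chunk structure the way a defensive mail gateway might, bounds-checking each declared chunk length before slicing, verifying CRCs, and flagging non-standard chunk types or bytes after IEND, so that odd PNGs can be quarantined for review instead of blocking every PNG. The STANDARD_CHUNKS set, make_png and the 1x1 sample file are my constructed assumptions, not anything from the thread.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types a plain image legitimately uses (assumed list); anything else deserves a closer look.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
                   b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME"}

def walk_chunks(data):
    """Yield (type, payload, issues) per chunk without trusting any declared length."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos < len(data):
        if pos + 8 > len(data):
            yield b"tail", data[pos:], ["truncated chunk header"]
            return
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        # Bounds check before slicing: a huge declared length is the classic trap for naive readers.
        if pos + 12 + length > len(data):
            yield ctype, b"", ["declared length %d exceeds file size" % length]
            return
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        issues = []
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            issues.append("CRC mismatch")
        if ctype not in STANDARD_CHUNKS:
            issues.append("non-standard chunk type")
        yield ctype, payload, issues
        pos += 12 + length
        if ctype == b"IEND" and pos < len(data):
            # Bytes after IEND are not part of the image at all.
            yield b"tail", data[pos:], ["%d trailing bytes after IEND" % (len(data) - pos)]
            return

def scan_png(data):
    """Return human-readable findings; an empty list means nothing unusual was seen."""
    return ["%s: %s" % (ctype.decode("latin-1"), issue)
            for ctype, _, issues in walk_chunks(data) for issue in issues]

def _chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))

def make_png(extra=(), trailer=b""):
    """Constructed 1x1 grayscale PNG for testing; extra chunks and a trailer can be appended."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
    return PNG_SIG + ihdr + b"".join(_chunk(t, p) for t, p in extra) + idat + _chunk(b"IEND", b"") + trailer
```

Running `scan_png` over files from a quarantine folder gives a per-file finding list that a gateway can act on, which is a much narrower policy than rejecting every message that mentions a PNG.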