Dermot Paikkos wrote:
Someone I sent an image to wrote back and said the image (jpeg) had a virus. They sent a screen-shot of a Norton Anti-virus alert saying that the file had detected and blocked an intrusion attempt. The intrusion was a "ICC profile TagData Overflow". I have examined the file and it has an Adobe RGB (1998) icc profile. No errors are reported from PS or IM about the file.
Try checking with Argyll's iccdump - it does reasonably tight checks on bad ICC formatting. The ICC were supposed to be working on an ICC profile verifier, but I'm not sure what it's status is. You could try looking around the ICC website.
According to the report at http://www.kb.cert.org/vuls/id/720742 this is a potential expolit of 'icm32.dll' and limited to Windows machines.
It could be that Norton is just getting an accidental virus signature match to something in the profile, but the reference to icm32.dll does hint that this is something more specific, and that there is a particular "hole" in the icm32.dll, which a carefully crafted icc profile may exploit (stack or integer overflow bug for instance), and that Norton is warning of this possibility with that particular profile.
What I am trying to work out is, will all people with this version of Norton get this message if they attempt to download a file with an ICC profile in? I know Norton are the people to ask but I'd get blood out of a stone quicker.
Probably. Graeme Gill. ------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 _______________________________________________ Lcms-user mailing list Lcms-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lcms-user
