Downloads: How different files can be harmful

What makes a file dangerous

Files can be dangerous in many ways. Recently, we have seen more high-profile cases of non-executable files being exploited. There has been a number, but the one with the highest profile was Webp. Webp is a modern file format built to replace the older JPEG standard; however, there was a major bug that allowed arbitrary code execution on a target device. This was a very critical security flaw, and it was lucky to have been found by researchers who reported the issue. This type of issue is rare and is a stark reminder to keep your application up-to-date and ensure you have continued security support.

While with the webp bug, malicious images could perform arbitrary code execution, but this attack vector is often exploited from a much simpler angle. By getting a user to open an executable program. This means the program and the code contained within will be executed on the system running it. If the code is malicious, then running it will be dangerous and should be avoided at all costs. How can you tell? Well its very hard and time consuming to examine a program. Some programs are easier than other to examine. It is never good to execute something you do not trust.

Each system has various files that can be executed. Windows has the .exe; Apple Mac does not have the same type of executable; they have more secure apps. However, on Mac, you can also install other forms of binary applications if you want to bypass the app store. These other forms of binary, too, can be dangerous. Most desktop operating systems also allow other programmes to be installed, which allows users to run other programs. These programs, too, have custom file extensions like .py and can be dangerous to open. In the case of .py, it will be opened by the Python interpreter. Python is a scripting language that’s installed by default on many desktop operating systems and powers lots of great applications.

How can dangerous files be prevented

The safest way to prevent dangerous files is to never download them. If you never have them, then there is no way to mis-click and open something that you don’t intend to.

Understanding the file format you open

Before downloading or accessing any file via any medium, you must first find the file extension. Sometimes operating systems don’t show you the extension directly, and you must instruct it to show the full file name. When the full file name is not displayed, the extension can be found in the extension file column of the file explorer.

When opening a file on a desktop computer, you should understand all of the programs that can open the file format. When clicking on a file, the computer looks at the extension (that part at the end, like somefile.txt is a txt file). It then opens that file with the application installed as the default for the given file extension. For example, on Microsoft Windows, when you open a .exe file Windows will run that with the builtin exec function. This means that running a .exe file is something that should only be done if you trust the program you are running.

On Apple mobile systems, instead of opening a file with an application, you must send the file from one application to another. Either directly or by explicitly giving it the application permission to access a file.

Safe ways to execute files

You can also isolate the user and file system that you are giving access to execute within. To isolate, you can run any program on a dedicated user or within a virtual machine. This can give some form of security, however it is not impossible to hack out of a virtual machine. And many programs require using super user permissions, which removes lots of protections.