
Mitigating Invalid Image File Threats with the Cloudmersive Advanced Virus Scan API
1/10/2024 - Brian O'Neill



With an estimated 500,000+ new malware signatures developed each day, implementing effective cyber-security policies is an extremely difficult task – but our list of threats doesn’t end there. Malware is, unfortunately, only one of many weapons found in a threat actor’s cyber-attack arsenal.

Understanding the Threat of Invalid Image Files

Image format manipulation is one example of a critical non-malware attack vector which most antivirus solutions aren't configured to detect. By crafting malicious image files with special formatting, threat actors can exploit zero-day vulnerabilities in the libraries and tools we rely on to process and buffer image uploads & downloads. These vulnerabilities can sometimes crash our applications or pave the way for arbitrary code execution.

Examples of Image Formatting Vulnerabilities

There have been many examples of critical image processing vulnerabilities in recent years, and we'll highlight two significant examples here.

One example we can look at is a heap-based buffer overflow vulnerability (CVE-2023-4863) that was recently identified within libwebp, a WebP codec library commonly used in web browser applications. By crafting a malicious WebP file, a threat actor could write past heap buffer boundaries in libwebp and cause the target application to crash, resulting in a denial-of-service attack.

We can also look at a somewhat similar vulnerability (CVE-2022-3570) found one year prior in tiffcrop, a utility within the libtiff library used for selecting, copying, and cropping TIFF image files. Using a specially crafted TIFF file, an attacker could exploit this vulnerability to enable out-of-bounds access in the target application, allowing them to steal sensitive information from their attack victim.

Detecting Invalid Image File Threats

Unlike files infected with viruses or malware, invalid image files aren’t going to get flagged by our regular antivirus software. Rather, threats of this nature can be mitigated more effectively with rigorous content validation policies. If we can determine that image files are flawed before they reach a potentially vulnerable image processing technology, we can eliminate the threat of those files overrunning heap buffer boundaries, enabling out-of-bounds access, or triggering other contextually exploitative scenarios.

The need for stringent content validation adds a challenging parameter to our existing content security architecture. Thankfully, however, we don’t necessarily need to think of antivirus scanning and content validation separately. If we can perform antivirus scans AND validate file contents simultaneously, we can significantly improve our threat profile while reducing the cost (in time and resources) of managing multiple separate cyber-security solutions.

Content Verification & Validation with the Cloudmersive Advanced Virus Scan API

The Cloudmersive Advanced Virus Scan API combines a cutting-edge malware detection sandbox with custom content validation parameters, resulting in unique 360-degree protection for our image uploads and downloads (this service also supports dozens of additional document types, including all Office file formats and PDFs). Invalid image files can be flagged through the allowInvalidFiles parameter, and we can restrict myriad unwanted image formats altogether by entering a comma-separated whitelist of acceptable format types (e.g., “.png,.webp,.jpg”) into the restrictFileTypes parameter.
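The validation gate described above can be sketched locally. This is an added example, not Cloudmersive's implementation or API code: it takes the same comma-separated allowlist format as restrictFileTypes, confirms the content matches the declared extension, and rejects PNG and WebP containers whose declared sizes or checksums are inconsistent before any decoder sees them. All function names and the sample files are constructed for illustration, and JPEG is checked by signature only.

```python
import struct
import zlib

MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}
def sniff(data):
    """Return the extension implied by the leading bytes, or None."""
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return ".webp"
    return next((ext for ext, sig in MAGIC.items() if data.startswith(sig)), None)

def png_ok(data):
    """Every chunk must fit inside the file, carry a correct CRC, and IEND must be last."""
    pos = 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        end = pos + 12 + length
        if end > len(data):
            return False  # declared chunk length runs past the end of the file
        if zlib.crc32(data[pos + 4:end - 4]) != struct.unpack(">I", data[end - 4:end])[0]:
            return False  # CRC over chunk type + body does not match
        if data[pos + 4:pos + 8] == b"IEND":
            return end == len(data)  # no trailing bytes after IEND
        pos = end
    return False  # truncated, or IEND never reached

def webp_ok(data):
    """The RIFF size field must equal the real payload length (file size - 8)."""
    return len(data) >= 12 and struct.unpack("<I", data[4:8])[0] == len(data) - 8

def validate_upload(filename, data, allowed_spec):
    """Return (accepted, reason) for an upload checked against an extension allowlist."""
    allowed = {e.strip().lower() for e in allowed_spec.split(",") if e.strip()}
    declared = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = {".jpeg": ".jpg"}.get(declared, declared)
    actual = sniff(data)
    if actual is None or actual not in allowed:
        return False, "restricted or unrecognized format"
    if declared != actual:
        return False, "extension does not match content"
    check = {".png": png_ok, ".webp": webp_ok}.get(actual)  # JPEG: signature only
    if check and not check(data):
        return False, "invalid " + actual + " structure"
    return True, "ok"

def _chunk(ctype, body):  # helper used only to build the constructed samples below
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a 1x1 greyscale PNG, and a copy with an inflated IHDR length field.
SAMPLE_PNG = (MAGIC[".png"] + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
BAD_PNG = SAMPLE_PNG[:8] + struct.pack(">I", 0x7FFFFFFF) + SAMPLE_PNG[12:]
```

A gate like this only catches container-level inconsistencies; it complements, rather than replaces, patching the image libraries behind it.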

This API can be deployed as a no-code solution in a variety of strategic locations, including at the network edge (i.e., network proxies & ICAP servers) or adjacent to sensitive cloud storage buckets, and it can be accessed directly as a low-code solution through API calls to the cloud. This dynamic threat scanning service can significantly improve our threat profile.

For more information on the Cloudmersive Virus Scan API, please feel free to reach out to a member of our sales team.
