The Register® — Biting the hand that feeds IT

Is that YouTube clip you just watched booby trapped?

Anonymous Coward

more details please... 

Is this a Flash vulnerability, or an EXE file masquerading as a video download, or via user-added HTML markup, or something else?

Antony Curtis

Not entirely Google's fault if the client will run anything. 

Call me "old fashioned" if you like, but in my opinion, if a web server were to host a file with "Content-type: video/avi" and it actually serves a binary executable, I would expect the web browser to display an empty rectangle with perhaps a red X through it and a message saying that the data was corrupted, rather than trying to decide what the file was and running it.

I would expect it to do the same if the data cannot be decoded using only the content-type information as provided by the server and if that information was somehow out of step with the data stream, it should fail and display an error message.

Alas, I know that this will never happen.
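Added example (not part of the comment above and not any browser's actual code): a sketch of the strict behaviour the comment asks for, where the declared Content-Type alone selects the decoder and a mismatch is an error, never a cue to sniff. The function names, the validator table and the sample bytes are constructed for illustration; the magic bytes are the public signatures of each format.

```javascript
// Read `length` ASCII characters at `offset`, or "" if the data is too short.
function ascii(bytes, offset, length) {
  if (bytes.length < offset + length) return "";
  return String.fromCharCode(...bytes.slice(offset, offset + length));
}

// Validators keyed by the media type the server declared. A Map is used so
// that a hostile header such as "constructor" cannot hit an inherited property.
const VALIDATORS = new Map([
  ["video/avi", (b) => ascii(b, 0, 4) === "RIFF" && ascii(b, 8, 4) === "AVI "],
  ["video/x-flv", (b) => ascii(b, 0, 3) === "FLV"],
  ["application/x-shockwave-flash",
    (b) => ["FWS", "CWS", "ZWS"].includes(ascii(b, 0, 3))],
]);

// Used only to word the error message, never to choose a handler.
function looksExecutable(b) {
  return ascii(b, 0, 2) === "MZ" || (b[0] === 0x7f && ascii(b, 1, 3) === "ELF");
}

// Decide whether to render, using only the declared type plus a sanity check.
function decideRendering(contentTypeHeader, bytes) {
  // Keep type/subtype only: drop parameters such as "; charset=..."
  const declared = String(contentTypeHeader || "")
    .split(";")[0].trim().toLowerCase();
  const validate = VALIDATORS.get(declared);
  if (!validate) {
    return { render: false, reason: "unsupported or missing Content-Type" };
  }
  if (!validate(bytes)) {
    const what = looksExecutable(bytes) ? "executable data" : "data";
    return { render: false, reason: `${what} does not match declared ${declared}` };
  }
  return { render: true, handler: declared };
}

// Constructed samples: a minimal AVI-style header and a PE-style ("MZ") header.
function bytesOf(str) {
  return Uint8Array.from(str, (c) => c.charCodeAt(0));
}
const realAvi = bytesOf("RIFF\x10\x00\x00\x00AVI LIST");
const fakeAvi = bytesOf("MZ\x90\x00\x03\x00\x00\x00");

console.log(decideRendering("video/avi", realAvi));
console.log(decideRendering("video/avi", fakeAvi));
```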

bigfoot780

files? 

Wonder if it is in the .flv file or .swf? Strange. Could this burst the YouTube bubble?

Neil Anderson

How many? 

Is it possible for YouTube to automatically scan all uploads for malicious payloads or file types?

--

Neil Anderson

http://www.cyclelogicpress.com

Alan Donaly

where did it come from 

Flash content is used by advertisers every day. Is this a new threat or an old one? Google knows about advertising; they know how to keep this from happening. Notice we haven't heard of this before. I would think it was fairly common if it were easy to accomplish. El Reg knows all about corrupted ad servers; this seems like that sort of exploit.