during Aaron's presentation last night we discussed how a static video or
image file could be used to infect a computer.
Here's a group that used a DNA sequence to exploit a buffer overflow in an
application that searches DNA sequences.
In this case they cheated, by adding the vulnerability, but it
demonstrates what we were discussing at the meeting last night.
“The conversion from ASCII As, Ts, Gs, and Cs into a stream of bits is
done in a fixed-size buffer that assumes a reasonable maximum read
length,” explained co-author Karl Koscher in response to my requests for
more technical information.
That makes it ripe for a basic buffer overflow attack in which programs
execute arbitrary code because it falls outside expected parameters. (They
cheated a little by introducing a particular vulnerability into the
software themselves, but they also point out that similar ones are present
elsewhere, just not as conveniently for purposes of demonstration.)