Posted By: ryck Album Cover Art - 09/08/10 02:20 PM
There are a few sites offering free album art to fill in the blanks left after getting covers through the iTunes site. Since pictures are also a vehicle for distribution of unwanted devices to be installed on your hard drive, how does a person ensure they're getting art only?

Does anyone have an album art site that they've used and trust?

Finally, if the art is available anyway, why wouldn't iTunes have it?

ryck
Posted By: Rick Deckard Re: Album Cover Art - 09/08/10 03:02 PM
Originally Posted By: ryck
Since pictures are also a vehicle for distribution of unwanted devices to be installed on your hard drive

I'm not sure what you mean by this, can you explain?

In any case, Amazon is a good source for album art, they also allow user-submitted pics that are, in some cases, better than what Amazon offers.

Be sure to check Amazon.co.uk as well, they sometimes have art that the US site doesn't.
Posted By: joemikeb Re: Album Cover Art - 09/08/10 03:13 PM
The iTunes store is concerned with album art for titles they carry, not every album ever recorded by anyone. For example, I have a lot of music in iTunes that is not available through the iTunes Store. Several self-published groups, albums that are out of print (some converted from vinyl), etc. Using some of the alternate album art sites has enabled me to have album art for most, but certainly not all, of the albums and tunes in my iTunes library. cool

AFIK all of the graphics exploits have been discovered long after I filled in the blanks in my album artwork so to be honest, I have never been overly concerned with the security of the downloaded album art. If I were to download some today it would be downloaded to my designated Download folder and automatically scanned by ClamX AV. If anything were found, ClamX AV will automatically move the file to a quarantine folder, notify me of the quarantined file, and I will simply delete it without ever opening it.

As for recommending a site I have often had little or no option for some of my album art. I have to get it where I can find it. To give myself some degree of protection, I use OpenDNS which keeps track of known or suspect sources and depending on my chosen settings and security levels either blocks a site altogether or warns me when downloading from a risky site. They can do a much more thorough job of keeping track of that sort of thing than I, or any individual, ever could.
Posted By: ryck Re: Album Cover Art - 09/08/10 05:56 PM
Originally Posted By: Rick Deckard
Originally Posted By: ryck
Since pictures are also a vehicle for distribution of unwanted devices to be installed on your hard drive

I'm not sure what you mean by this, can you explain?

There are FTM members better equipped than I to explain the technicalities but, as I understand it, the code for things like viruses or devices to collect information can be hidden in the code for an image. By viewing or using the image, the recipient unknowingly provides an invader with access to their hard drive.

I'm sure someone will provide a better explanation.

ryck
Posted By: Ira L Re: Album Cover Art - 09/08/10 09:30 PM
To make it easier if you decide to use Amazon as an album art source, download from Apple the Amazon Art Widget.

It finds the art and allows you to easily add it to albums in iTunes.
Posted By: Virtual1 Re: Album Cover Art - 09/10/10 04:43 PM
Originally Posted By: ryck
Originally Posted By: Rick Deckard
Originally Posted By: ryck
Since pictures are also a vehicle for distribution of unwanted devices to be installed on your hard drive

I'm not sure what you mean by this, can you explain?

There are FTM members better equipped than I to explain the technicalities but, as I understand it, the code for things like viruses or devices to collect information can be hidden in the code for an image. By viewing or using the image, the recipient unknowingly provides an invader with access to their hard drive.


This is only an issue with compressed pictures. Uncompressed formats like TIFF are always interpreted as pictures.

When a picture is compressed, like jpeg, gif, pdf, etc, the file can contain instructions for how to uncompress the image, and parameters for use in the decompression.

If the decompressing program is poorly written, invalid information can be used to make a "specially crafted image file" as the security people would say. Usually the goal is to exploit a bug in how the decompressor handles unexpected, uncommon, or invalid compressed data. Sometimes it causes the decoder to crash. In the worst cases, it causes the decoder to generate more picture information than it's expecting to, and the information overflows from the picture data in memory into other memory being used for other things, like to store running programs. This is a "buffer overflow". The worst outcome of that is that the decoder is tricked not only into overflowing its buffer, but doing so in a very specific way, storing very specific information in the overflow. This information can wind up in the middle of a running program, and can then get executed as program instructions. At that point, the picture has created a running program, usually running under the authority of the decoder. Security people call this "arbitrary code execution".

If the decoder is "sandboxed", the rogue program can't usually do a lot because it doesn't have access to the entire computer, but that is sometimes combined with other exploits (code that takes advantage of bugs that create security risks) that allow code to break out of the sandbox. This can result in "privilege escalation", meaning the rogue program has more access to the computer than the picture decoder.

The recent "browse to this web page to jailbreak your iphone" page takes advantage of these two issues to overwrite protected programs on the iphone to jailbreak it, simply by browsing to a web page that has a specially crafted image file that exploits a bug in the browser's image decompressor, causing a buffer overflow and code execution, and the code exploits a privilege escalation to perform the jailbreak.

So, simply attempting to view a compressed picture (or video) can be risky, if your picture viewing software isn't secure and bug-free. Quicktime has been an ongoing target for malware, but Apple does a pretty good job of keeping on top of it. The mere presence of quicktime on a mac is a huge plus - programs that want to render images and video don't have to do it themselves and make sure their code is perfect - they rely on Apple's quicktime APIs to do all the picture decoding so all the security is in one central place, carefully managed and maintained. Windows only recently started centralizing image and video decoding, so internet explorer, an app with all the image rendering inside it, has always been a popular target for malware and gateway into your computer.

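The decoder bug described in the post above, shown as an added example (not code from the thread or from any real image library): a toy run-length image format, constructed for this illustration, with a decoder that trusts the file's run counts beside one that checks every write against the declared pixel budget.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy run-length image format, constructed for this example (not a real codec):
 * byte 0 = width, byte 1 = height, then (count, value) pairs until the input ends.
 * A decoder expands the runs into a width*height pixel buffer. */

/* VULNERABLE: trusts that the runs add up to exactly width*height. A file whose
 * runs exceed the declared size makes the loop write past the end of `out`,
 * the buffer overflow described above. Kept for comparison only. */
void decode_rle_unsafe(const uint8_t *in, size_t in_len, uint8_t *out)
{
    size_t pos = 0;
    for (size_t i = 2; i + 1 < in_len; i += 2) {
        unsigned count = in[i];
        uint8_t value = in[i + 1];
        for (unsigned k = 0; k < count; k++)
            out[pos++] = value;        /* no check against width*height */
    }
}

/* HARDENED: each run is checked against the remaining pixel budget, the
 * caller's buffer capacity is checked against the declared size, and a
 * truncated image is rejected. Returns 0 on success, -1 on a malformed file. */
int decode_rle_safe(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (in_len < 2) return -1;
    size_t pixels = (size_t)in[0] * (size_t)in[1];
    if (pixels > out_cap) return -1;           /* declared size exceeds buffer */
    size_t pos = 0;
    for (size_t i = 2; i + 1 < in_len; i += 2) {
        size_t count = in[i];
        if (count > pixels - pos) return -1;   /* this run would overflow */
        memset(out + pos, in[i + 1], count);
        pos += count;
    }
    if (pos != pixels) return -1;              /* fewer pixels than declared */
    *out_len = pos;
    return 0;
}

/* Constructed samples: a valid 2x2 image, a crafted file that declares 2x2 but
 * carries a 200-pixel run, and a file that stops short of its declared size. */
const uint8_t SAMPLE_GOOD[]      = {2, 2, 3, 0xAA, 1, 0x55};
const uint8_t SAMPLE_CRAFTED[]   = {2, 2, 200, 0x41};
const uint8_t SAMPLE_TRUNCATED[] = {2, 2, 3, 0xAA};
```

Feeding SAMPLE_CRAFTED to decode_rle_unsafe with a 4-byte output buffer writes 196 bytes past its end; decode_rle_safe refuses the same file before touching the buffer.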
Posted By: ryck Re: Album Cover Art - 09/10/10 08:30 PM
Originally Posted By: joemikeb
If I were to download some today it would be downloaded to my designated Download folder and automatically scanned by ClamX AV. If anything were found, ClamX AV will automatically move the file to a quarantine folder, notify me of the quarantined file, and I will simply delete it without ever opening it.

I've downloaded the software and have been goofing with it for a couple of days....am leaning toward sending some dough. So far the only drawback is that it doesn't have a manual for the Snow Leopard version. C'est la vie.

ryck
Posted By: ryck Re: Album Cover Art - 09/10/10 08:31 PM
Originally Posted By: Ira L
To make it easier if you decide to use Amazon as an album art source, download from Apple the Amazon Art Widget.

Thanks. Good tip.

ryck
Posted By: ryck Re: Album Cover Art - 09/10/10 08:44 PM
Originally Posted By: Virtual1
This is only an issue with compressed pictures. Uncompressed formats like TIFF are always interpreted as pictures.

When a picture is compressed, like jpeg, gif, pdf, etc, the file can contain instructions for how to uncompress the image, and parameters for use in the decompression.

First, thanks for taking the time to write such a comprehensive reply.

I've been playing with ClamXav and note that under Preferences>Exclude Files there is a caution: "ClamXav will not scan anything whose name or extension matches a text pattern below. Text patterns are case sensitive."

Then, two of the default settings are:

Exclude files ending in jpg
Exclude files starting with foo

It seems to be at odds with what it should do. Or am I misunderstanding something?

ryck

Posted By: dkmarsh Re: Album Cover Art - 09/11/10 12:56 AM

Beyond the hiding of malicious content within genuine image files, there was also the whole "fake" image file approach, in which Safari's Open "safe" files after downloading preference could be combined with one of OS X's peculiar file association mechanisms to allow what appeared, in the case of the sample exploit, to be a JPG to deliver a malicious Terminal script that would launch automatically upon being downloaded and, say, wipe out the user's Home directory.

This vulnerability was somewhat obscurely titled Mac OS X File Association Meta Data Shell Script Execution in Secunia's initial report. At the time, much was made of Safari's role in this vulnerability, but the real problem seemed to be with Launch Services.

The clearest explanation of the entire imbroglio seems to have been that offered by Daring Fireball's John Gruber.
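One layer of defence against the "fake image" case above, as an added example (not code from the thread, from Secunia's report, or from Apple): before handing a download to anything that opens it, compare the file's declared extension with its leading content bytes, which flags a "JPG" that is really a shell script. The signatures are the published magic bytes of the formats the thread mentions; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* Leading-byte signatures of the image formats discussed in the thread. */
struct sig { const char *ext; const uint8_t *magic; size_t len; };
static const uint8_t JPEG_MAGIC[] = {0xFF, 0xD8, 0xFF};
static const uint8_t GIF_MAGIC[]  = {'G', 'I', 'F', '8'};
static const uint8_t PNG_MAGIC[]  = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
static const uint8_t TIFF_LE[]    = {'I', 'I', 0x2A, 0x00};   /* little-endian TIFF */
static const uint8_t TIFF_BE[]    = {'M', 'M', 0x00, 0x2A};   /* big-endian TIFF */
static const struct sig SIGS[] = {
    {"jpg", JPEG_MAGIC, 3}, {"jpeg", JPEG_MAGIC, 3}, {"gif", GIF_MAGIC, 4},
    {"png", PNG_MAGIC, 8},  {"tif", TIFF_LE, 4},     {"tif", TIFF_BE, 4},
    {"tiff", TIFF_LE, 4},   {"tiff", TIFF_BE, 4},
};

/* Returns 1 if the first bytes of `data` match a signature for the extension
 * of `filename` (case-insensitive), 0 if the extension is known but the content
 * does not match it, and -1 if there is no extension or it is not in the table.
 * A 0 is the case worth quarantining: the name promises an image, the bytes
 * say otherwise. */
int extension_matches_content(const char *filename, const uint8_t *data, size_t len)
{
    const char *dot = strrchr(filename, '.');
    if (dot == NULL || dot[1] == '\0') return -1;
    const char *ext = dot + 1;
    int known = 0;
    for (size_t i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++) {
        if (strcasecmp(ext, SIGS[i].ext) != 0) continue;
        known = 1;
        if (len >= SIGS[i].len && memcmp(data, SIGS[i].magic, SIGS[i].len) == 0)
            return 1;
    }
    return known ? 0 : -1;
}

/* Constructed samples: a genuine JPEG header and a "JPG" whose content is a
 * shell script, the shape of the fake-image download described above. */
const uint8_t SAMPLE_REAL_JPEG[] = {0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F'};
const char    SAMPLE_FAKE_JPG[]  = "#!/bin/sh\nrm -rf \"$HOME\"\n";
```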
© FineTunedMac