Are .png files a security threat?

I got a new job at a web design firm and I was exporting some vector images from CorelDraw to insert in Photoshop. I was exporting as .png since it provides much better image quality than .gif. I was using .png files at my previous job with no problems. I have not read anything saying that .png files are a security threat either.

My boss walks in and tells me that I shouldn't be using .png files since they can be exploited and generally are considered as a security threat. Since I am new at work I didn't want to get into an argument with him.

So I was hoping someone could shed some light on this since I don't want to use .gif files :(
 
Your boss is making a mountain out of a molehill.

While there have been vulnerabilities in both GIF files and PNG files (Microsoft & Linux), it requires a specially crafted file to attack.

You can't take an image file you export and somehow attack a user directly. Image files are exploited by replacing or modifying a good image with a specially crafted one that contains malicious data. Once this is done, you give it to the victim who must be running a vulnerable PNG image decoding library. All these libraries are patched and (to date) safe and secure.

So, a) keep image files secure so they can't be altered. b) Keep image viewing software well patched. c) don't worry too much about it, 90% of major file formats .doc, gif, jpeg etc all have had exploits in the past.

In short, PNG > GIF (except maybe for some cross-platform stuff?)...

Maybe if PNG was a neglected format that hadn't been touched in 5 years you would have something to worry about, but otherwise everything has bugs.
 
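Added example, not code posted by anyone in this thread: the reply above turns on "specially crafted" files, and a structural check can reject files that are malformed at the container level (bad signature, broken chunk CRCs, implausible dimensions, appended data) before an image library opens them. It complements, and does not replace, keeping the decoder patched; `MAX_DIMENSION` and the sample file are assumptions constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_DIMENSION = 16384  # assumed policy limit, not part of the PNG format

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def check_png(blob: bytes) -> list:
    """Return a list of structural problems; an empty list means none found."""
    if not blob.startswith(PNG_SIGNATURE):
        return ["bad signature"]
    problems, pos, seen = [], len(PNG_SIGNATURE), []
    while pos < len(blob):
        if pos + 8 > len(blob):
            return problems + ["truncated chunk header"]
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(blob):
            return problems + ["chunk %r runs past end of file" % ctype]
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            problems.append("CRC mismatch in %r" % ctype)
        if ctype == b"IHDR":
            if seen or length != 13:
                problems.append("IHDR misplaced or wrong size")
            else:
                width, height = struct.unpack(">II", data[:8])
                if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                    problems.append("implausible dimensions %dx%d" % (width, height))
        seen.append(ctype)
        pos = end
        if ctype == b"IEND":
            break
    if seen[:1] != [b"IHDR"]:
        problems.append("first chunk is not IHDR")
    if seen[-1:] != [b"IEND"]:
        problems.append("missing IEND")
    if pos != len(blob):
        problems.append("trailing data after IEND")
    return problems

# Constructed sample: a minimal 1x1 greyscale PNG built in memory.
GOOD = (PNG_SIGNATURE + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
        + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b""))
```

A file that passes can still hit a decoder bug, since only the container layout is checked here, not the compressed image data.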
[Slightly off topic]

Wouldn't you be better off exporting from Corel as an eps (vector)? You are then free to size it however you like as you import it to Photoshop.
 
Thanks for the replies guys.

Yes, Pho, I could export as .eps and have greater flexibility in Photoshop. It is just a matter of habit I guess. The client will just receive a .jpg image of the site anyway for preview before saying it is ok with the design. Later on I would still require the .png to import in Dreamweaver when I am building the website.
 
I thought Dreamweaver was for kids :/

What's kid-like about this?

[Attached image: dw.png]
 
Dreamweaver is fine software. At the end of the day the end result is what counts.
I haven't heard anyone saying Dreamweaver is an amateur program since many companies require you to know it. You could create everything using Notepad or other similar tools but I simply enjoy working in Dreamweaver rather than looking at a wall of text :)

I sometimes have to argue with people telling me that CorelDraw is crap and I should be learning Illustrator. Again it is what you can do with the program and that I don't want to invest the time to learn a new program that pretty much does the same thing as the program I am currently working with.

SwishMax is another of those programs that is considered crap by die-hard Flash fans. While in this case I admit that Flash is more professional and can do more stuff, I can still build complicated Flash websites in SwishMax in less time since the one area that Flash is not as good as SwishMax is user interface.
 
PNG files aren't considered a security threat. If he was a native American, his name would be Talking [removed. Fully star out swear words!]
 
Tell ya boss the internet can be exploited and generally is considered a security threat. Tell him he should disconnect from the network.... and then tell him to shut the [Please star out swearies. Thanks.] up.
 
I haven't heard anyone saying Dreamweaver is an amateur program since many companies require you to know it. You could create everything using Notepad or other similar tools but I simply enjoy working in Dreamweaver rather than looking at a wall of text :)

Wait, you actually use design view to build sites in a web design company? Who lets you get away with that? God knows what extra mark-up your clients are getting.
 
Your boss should push that notion up his bum. Select png and jpg based on your content type and acceptability of losses.
 
Wait, you actually use design view to build sites in a web design company? Who lets you get away with that? God knows what extra mark-up your clients are getting.

I don't use design view to build the website; I write the code myself but it is nice to have the design tab up since it gives you a good realtime indication of what you are doing. Much fewer refresh buttons pressed on browsers :)
 
I don't use design view to build the website; I write the code myself but it is nice to have the design tab up since it gives you a good realtime indication of what you are doing. Much fewer refresh buttons pressed on browsers :)

Oh, phew, sort of. If my work laptop was powerful enough I would have my browsers open and just F5 it. I don't trust design view to give me anything good, and would much rather test exactly how my users are going to see my site.

Don't get me wrong, DW is a great development environment, it's just the great bit isn't the design view.
 