Execute… your photos?

I came across an interesting piece of software today – a runnable archive of photos. It seems a relatively popular document management system (that shall remain nameless) has a “feature” that lets you export photos as an executable program – the photos and photo viewer application are all packaged together in one executable file, which you can run to view and save the image files.

I just need to stop right here to emphasize what a bad idea this is. All the spammers are trying to get you to run the junk they send out – anything from a codec update for the latest Hot Naked Angelina Video, to a free antivirus scanner – when what you are really getting is a Trojan of some variety. To avoid viruses, security best-practices recommend against running programs received via email. And yet here is a legitimate organization suggesting you do just that – create programs to send via email where the message content will sound quite spammy, e.g. “Hey, Here are the Christmas photos from the weekend. Just run the attached file to view all the pics. Check them out, they are hilarious!” – nice and vacuous yet believable; is it a spammer or your friend…

And I don’t even buy the argument that the viewer-plus-photo-archive concept is convenient – actually, I think it’s horribly inconvenient. First off, the photos are wrapped in a Windows executable (actually, in the cleverly named New Executable file format, which is now quite old) – so you’re stuck viewing them on a Windows machine. I have Linux and Mac machines, so I would have to fire up a VM just to gander at the image contents. Naturally, there’s no (easy) way to extract the images straight from the executable without running the wrapper program – the image files are Lempel-Ziv compressed and embedded in the executable in a proprietary format. So you are forced to hunt down a Windows box to run, view and extract the images. And if you tend to read your email on your phone, I’m willing to bet your hardware will not agree with this exe. So yeah, convenient? I don’t think so.

But convenience is a subjective matter. On the whole, my major concern here is that these types of “features” promote unsafe computing practices – practices that can easily lead to a malware infection, which is undeniably an inconvenient situation to be in. Perhaps such a feature was more useful when the New Executable file format was actually ‘new’, but these days every platform has an image viewer, there are many widely supported archive file formats, not to mention several free online photo hosting services, which all make distributing pictures rather seamless.

So, if you’re thinking about creating one such photo-wrapper-program to send out, consider the damage you are doing to the safe computing habits of your friends, family and/or co-workers. If you’re still thinking about sending a photo wrapper program, it’s time to stop thinking and do what I’m telling you.