Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can I get malware from a picture?

Question:

Leo, I am terrified of getting a virus or some form of malware by clicking on a photo on the web such as an image in Google Image Search or on a forum where someone has posted a thumbnail image to a larger photo. I frequent a photo sharing website and asked the webmaster about this and he sent me this reply: “Well, technically speaking, a picture cannot contain malware. A picture can contain malicious code, which can only be executed by computers, which are already infected with a special virus designed to execute that malicious code. The name of that virus is “Perrun” and it’s more of a proof of concept than an actual virus. If you’d like to be on the safe side, I suggest you look for a freeware online to verify that you are not affected with the “Perrun” virus. Then you can click any photo you want on the web and not worry about catching anything.”

Now I use Google Chrome as my default browser and I frequently use the right-click “Search Google for this image” feature and find the highest resolution of a photo. I have even installed the VirusTotal.com VTchromizer extension to my browser and use it to pre-scan every photo. But still, just the act of right-clicking a thumbnail image worries me. Please help me. Am I worrying for no reason or am I at risk?

This is an interesting question for a number of reasons.

The pragmatic answer is no. You’re not going to get malware from a picture and it’s not something I’d worry about at all.

However, behind that answer are a few very important assumptions that I think people need to understand.

Become a Patron of Ask Leo! and go ad-free!

Updates are key

This type of thing is one of the big reasons that people in my position keep insisting that you keep your operating system and your applications up to date. That means accepting and installing Windows updates. That means taking application updates and patches, and driver updates.

Here’s why: It is possible that if there is a bug in the any of the software that displays images; including the web browser itself, the operating system, video drivers, photo editing applications or elsewhere, that in some rare cases that bug could be exploited by a maliciously crafted image.

You don’t need to be already infected; you just have to have unpatched software in a world where there’s a known and unpatched vulnerability.

So, theoretically, it is possible.

I believe that years ago photos were used to infect computers with malware. You didn’t have to click on anything; you didn’t have to do anything other than display an image, which would then actually take advantage of this vulnerability that was in, I think, the display driver.

Still, if you keep your machine up to date it is nothing that I would worry about at all.

Virus in a Picture?Images from where?

However, there is a part of your scenario that actually does concern me just a little bit more. It’s not a big thing but, it is something worth being aware of.

I have a love/hate relationship with Google Image Search. It’s awesome to find images. As you say, finding the maximum resolution version of an image is in fact a very useful way to use Google Image Search. My personal problem is that many people use the images that they find on the internet without any regard for copyright. Image Search makes that even easier.

More to the point, however, is that typically, the images you find through Google Image Search will be hosted on websites that you’ve never heard of. So, how do you know that those sites are trustworthy?

You don’t.

If you visit these sites it’s not the pictures that will get you; it’s the sites that host them. If you land on a malicious website, it could in fact do bad things to your machine. Yes, Google pre-screens somewhat, but ultimately, you don’t really know.

Be prepared

However, as long as you’re prepared, I’m not too worried about you getting malware this way either.

What do I mean by prepared? Well, first, make sure that you have up to date anti-malware protection: an anti-virus program, an anti-spyware program and so forth. Make sure that you have the most current versions of these programs, and that they are downloading database updates regularly. (By regularly I mean daily, and in some cases even more often).

In your case, I would make sure that at least your anti-virus tool has real-time scanning turned on. With real-time scanning, the anti-virus tool is scanning what you download and the sites that you visit. So if you visit a site or page that attempts to download something malicious, the tool should catch it.

Second, make sure that you’re using common sense. If a website hosting an image seems the least bit suspicious to you, don’t visit it. Period. A website reputation service such as Web of Trust can come in handy. It will help you determine whether or not a website is potentially dangerous before you visit.

Ultimately, as long as you follow the standard steps to staying safe online, I really don’t think you need to worry.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

1 thought on “Can I get malware from a picture?”

  1. I agree with everything Leo said;
    I will further emphasize preparedness by saying make sure your doing monthly backups to an external hard drive.
    I will emphasize having a secondary malware scanning utility on hand in case a virus were to get by you regular antivirus. a program like Malwarebytes Anti-malware.
    Interesting is the chrome extension tool “VTchromizer” that I never have heard of before. I have visited Virustotal.com and uploaded web addresses, and files I thought were suspicious, but never knew they had that option, so that was nice to learn.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.