August 4, 2008

GIFAR Image Vulnerability


Researchers at NGS Software have developed a method to embed malicious code into a picture. When the picture is viewed, the malicious code embedded in it could send the attacker the credentials of the viewer. Social sites like Facebook, MySpace, or Digg are particularly at risk, but the researchers say that any site which includes logins and user-uploaded pictures could be vulnerable.

The attack is a simple mashup of a GIF picture and a JAR. The code in the JAR is compiled and then combined with the data from the GIF. The two formats are parsed from opposite ends of the file (a GIF decoder reads from the start, while a JAR's ZIP directory is located from the end), so each parser sees only the part it expects. The GIF fools the browser into opening the file as a picture, but the Java VM recognizes the JAR part of the file and runs the code.

The researchers claim that there are multiple ways to deal with this hole. Web apps could continuously check for hybrid files and filter them, but they say that this really needs to be dealt with at the browser level. It puts not only images at risk, but nearly all browser content.
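One way a web application could implement the hybrid-file check the researchers mention, as an added example that is not part of the original post or of NGS Software's work (the sample GIF bytes and the archive entry name are constructed):

```python
"""Detect GIF/JAR polyglots ("GIFARs") in uploaded images.

A GIF parser reads from the start of the file and stops at the trailer,
while a ZIP/JAR parser locates its central directory from the end of the
file, so one blob can satisfy both. Example code, not NGS Software's;
the sample bytes and entry name below are constructed.
"""
import io
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_LOCAL_HEADER = b"PK\x03\x04"

def looks_like_gif(data: bytes) -> bool:
    return data[:6] in GIF_MAGICS

def embedded_archive_entries(data: bytes) -> list:
    """Names of ZIP entries inside the blob, or [] if it is not an archive.
    zipfile tolerates prepended data (it re-bases offsets from the
    end-of-central-directory record), just as the Java VM does."""
    if ZIP_LOCAL_HEADER not in data:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def is_gifar(data: bytes) -> bool:
    """True if the upload is a GIF that also opens as a ZIP/JAR archive."""
    return looks_like_gif(data) and bool(embedded_archive_entries(data))

def _zip_with(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: a valid 1x1 GIF, alone and with an archive appended.
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"   # logical screen
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
             + b"\x02\x02\x44\x01\x00" + b"\x3b")           # LZW data, trailer
POLYGLOT = CLEAN_GIF + _zip_with("hidden.txt", b"constructed sample")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_GIF), ("polyglot", POLYGLOT)):
        verdict = "reject (GIFAR)" if is_gifar(blob) else "accept"
        print(label, verdict, embedded_archive_entries(blob))
```

Rejecting is the simplest policy; re-encoding every accepted image through a real decoder also strips any trailing archive while keeping the picture.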

More details on the GIFARs will be presented at Black Hat this week in Las Vegas.
