Ngs

Researchers at NGS Software have come up with a method to embed malicious code into a picture. When viewed, the picture could send the attacker the credentials of the viewer. Social sites like Facebook and Myspace are particularly at risk, but the researchers say that any site which includes log ins and user uploaded pictures could be vulnerable. This even includes some bank sites.

The attack is simply a mashup of a GIF picture and a JAR (Java applet). The malicious JAR is compiled and then combined with information from a GIF. The GIF part fools the browser into opening it as a picture and trusting the content. The reality is, the Java VM recognizes the JAR part and automatically runs it.

The researchers claim that there are multiple ways to deal with this vulnerability. Sun could restrict their Virtual Machine or web applications could continually check and filter these hybrid files, but they say it really needs to be addressed as an issue of browser security. They think that it is not only pictures at risk, but nearly all browser content.
More details on how to create these GIFARs will be presented at this week’s Black Hat conference in Las Vegas.

Hackaday

1 Articles

The GIFAR Image Vulnerability

Search

Never miss a hack

If you missed it

Mining And Refining: Uranium And Plutonium

Programming Ada: First Steps On The Desktop

The Hunt For MH370 Goes On With Barnacles As A Lead

MXM: Powerful, Misused, Hackable

VCF East 2024 Was Bigger And Better Than Ever

Our Columns

Hackaday Podcast Episode 268: RF Burns, Wireless Charging Sucks, And Barnacles Grow On Flaperons

This Week In Security: Cisco, Mitel, And AI False Flags

Keebin’ With Kristina: The One With The Transmitting Typewriter

Supercon 2023: Alex Lynd Explores MCUs In Infosec

FLOSS Weekly Episode 780: Zoneminder — Better Call Randal

Search

Never miss a hack

Subscribe

If you missed it

Our Columns