The researchers, from UK-based Next Generation Security Software (NGSS) and Ernst & Young LLP's Advanced Security Centre, say it can be used to gain access to a user’s browser on any site that allows images to be uploaded, such as social networking sites or eBay.
The file – known as a Gifar – looks like a .gif image to the host website, but is also combined with a .jar Java archive file. When 'displayed' in a visitor’s browser, the JAR runs as an applet and gives the attacker the opportunity to run Java code in the infected browser.
To the browser, the Java code will look like it has come from the legitimate site. The attack would work best on sites where users stay logged in for some period of time, say NGSS officials.
Last week, a report from security firm Websense, revealed that in the last six months, six out of 10 legitimate websites had at some point inadvertently hosted malware.
NGSS unveiled the Gifar attack at the Black Hat security conference, running this week in Las Vegas. But they kept back vital details to prevent attacks from being launched immediately.
Recently, Kris Lamb, head of IBM’s X-force security outfit, criticised security researchers for publishing vulnerabilities, saying the practice was tantamount to aiding cyber criminals.
To prevent Gifar attacks from proliferating, Sun is expected to tighten security in the Java runtime environment and websites could improve their filters to spot Gifars. But this would protect only against the one attack vector, says NGSS.
Ultimately browser security will have to be improved, say security experts.