Image-applet combo hack revealed

By

Security experts have developed a hybrid file type that looks like an image but can also run a Java applet surreptitiously in a browser.


Security experts have developed a hybrid file type that looks like an image but can also run a Java applet surreptitiously in a browser.

The researchers, from UK-based Next Generation Security Software (NGSS) and Ernst & Young LLP's Advanced Security Centre, say it can be used to gain access to a user’s browser on any site that allows images to be uploaded, such as social networking sites or eBay.

The file – known as a Gifar – looks like a .gif image to the host website, but is also combined with a .jar Java archive file. When 'displayed' in a visitor’s browser, the JAR runs as an applet and gives the attacker the opportunity to run Java code in the infected browser.

To the browser, the Java code will look like it has come from the legitimate site. The attack would work best on sites where users stay logged in for some period of time, say NGSS officials.

Last week, a report from security firm Websense, revealed that in the last six months, six out of 10 legitimate websites had at some point inadvertently hosted malware.

NGSS unveiled the Gifar attack at the Black Hat security conference, running this week in Las Vegas. But they kept back vital details to prevent attacks from being launched immediately.

Recently, Kris Lamb, head of IBM’s X-force security outfit, criticised security researchers for publishing vulnerabilities, saying the practice was tantamount to aiding cyber criminals.

To prevent Gifar attacks from proliferating, Sun is expected to tighten security in the Java runtime environment and websites could improve their filters to spot Gifars. But this would protect only against the one attack vector, says NGSS.

Ultimately browser security will have to be improved, say security experts.
Got a news tip for our journalists? Share it with us anonymously here.
Copyright ©v3.co.uk
Tags:

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident

Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames

Log In

  |  Forgot your password?