Black Hat: Beware of GIFAR
LAS VEGAS -- We've known for some time that image files can be malicious, but the attack presented here goes further: a single file that is both an image and executable Java, a blended attack with the potential to cause widespread damage.
In a session today at Black Hat, Ernst & Young security researcher Nate McFeters (joined by Rob Carter and John Heasman) detailed how a GIFAR attack could propagate. GIFAR is a portmanteau of GIF and JAR (Java archive). The idea is that a JAR containing an applet is appended to a GIF so that one file satisfies both formats: an image decoder reads the GIF structure from the front of the file and stops at the GIF trailer, while a JAR (ZIP) reader locates its central directory from the end-of-central-directory record at the tail of the file and never looks at the leading bytes. A website could therefore be hosting what looks like a harmless image file which, under the right circumstances, could also be loaded as an applet. The Java Virtual Machine (JVM) does not care about the extension of the file named in an applet's archive attribute, so a file ending in .gif will load as readily as one ending in .jar.
Thanks to a number of different ways the same-origin policy can be sidestepped, McFeters argued that an attacker could have a GIFAR hosted on a domain (for example by uploading it as a profile picture) and then be able to wage attacks against other users of that domain. The key point is that an applet runs in the security context of the host it was loaded from, not the host of the page that embedded it, so an applet served from a victim site's image store is trusted by the browser as that site.
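The following Python is an added example, not code from McFeters, Carter and Heasman or from their talk. It builds a GIFAR the way the description above implies (plain concatenation of a GIF and a ZIP/JAR), shows that a strict GIF walker and a ZIP reader both accept the result, and then applies the check a site that hosts user-supplied images would want: a GIF with any bytes after its trailer, or any readable ZIP structure, is rejected. The 1x1 GIF is the standard transparent pixel, embedded inline; the JAR entries are constructed placeholders, not real bytecode, so the archive is structurally a JAR but cannot actually run as an applet. All function names are my own.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Constructed sample: the well-known 43-byte 1x1 transparent GIF89a.
SAMPLE_GIF = bytes.fromhex(
    "474946383961"                    # "GIF89a"
    "01000100800000"                  # logical screen descriptor, global colour table of 2 entries
    "000000ffffff"                    # global colour table
    "21f90401000000" "00"             # graphic control extension + block terminator
    "2c00000000010001000002" "024401" "00"  # image descriptor, LZW data, terminator
    "3b"                              # trailer
)


def make_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP archive; a JAR is just a ZIP with a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_gifar(gif: bytes, jar: bytes) -> bytes:
    """A GIFAR is the GIF followed by the JAR. GIF decoders parse from the
    front and stop at the trailer; ZIP readers find the end-of-central-directory
    record at the tail and use offsets relative to it, so both accept the file."""
    return gif + jar


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Skip a chain of length-prefixed sub-blocks, returning the position after the 0 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_trailer_offset(data: bytes) -> int:
    """Walk the GIF block structure strictly and return the offset of the 0x3B trailer.
    Raises ValueError if the data is not a well-formed GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed = data[10]
    pos = 13  # header (6) + logical screen descriptor (7)
    if packed & 0x80:  # global colour table present: 3 * 2^(size+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF")
        tag = data[pos]
        pos += 1
        if tag == 0x3B:
            return pos - 1
        if tag == 0x2C:  # image descriptor
            packed = data[pos + 8]
            pos += 9
            if packed & 0x80:  # local colour table
                pos += 3 * (2 << (packed & 0x07))
            pos += 1  # LZW minimum code size
            pos = _skip_subblocks(data, pos)
        elif tag == 0x21:  # extension: label byte, then sub-blocks
            pos += 1
            pos = _skip_subblocks(data, pos)
        else:
            raise ValueError("unexpected block tag 0x%02x at offset %d" % (tag, pos - 1))


def zip_entries(data: bytes) -> Optional[List[str]]:
    """Return the member names if the data is a readable ZIP (as a JAR loader would see it), else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                return None
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def trailing_bytes(data: bytes) -> int:
    """Number of bytes after the GIF trailer; a clean GIF has zero."""
    return len(data) - (gif_trailer_offset(data) + 1)


def is_safe_gif(data: bytes) -> bool:
    """Upload-side check: a well-formed GIF, nothing after the trailer, and no ZIP structure anywhere.
    Re-encoding the image server-side is the stronger fix; this check catches the polyglot as stored."""
    try:
        if trailing_bytes(data) != 0:
            return False
    except ValueError:
        return False
    return zip_entries(data) is None


if __name__ == "__main__":
    jar = make_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "Evil.class": b"PLACEHOLDER-NOT-REAL-BYTECODE",  # constructed, not a compiled class
    })
    gifar = build_gifar(SAMPLE_GIF, jar)
    print("GIF trailer at", gif_trailer_offset(gifar), "of", len(gifar), "bytes")
    print("JAR entries  :", zip_entries(gifar))
    print("safe to host :", is_safe_gif(gifar), "(plain GIF:", is_safe_gif(SAMPLE_GIF), ")")
```

The same concatenation trick works with any format parsed from the front (JPEG, PNG, DOC) combined with any format parsed from the back (ZIP, JAR, and formats built on ZIP such as Office Open XML), which is why re-encoding uploaded images rather than storing the submitted bytes is the durable defence.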
But what about other sites? Personally I think sites that aren't as security focussed as Google could likely be a ripe target for GIFAR. This is one massive multi-headed attack that I for one think deserves to be taken seriously by all domain owners that host images (and that's nearly everyone).