Black Hat: Beware of GIFAR

From the “he’s not just an evil Disney character anymore” files:

LAS VEGAS — We’ve known for some time that image files can be malicious, but there is now the potential for a blended attack, one file that is both an image and executable code, that could cause widespread damage.

In a session today at Black Hat, Ernst & Young security researcher Nate McFeters (joined by Rob Carter and John Heasman) detailed how a GIFAR attack could propagate. GIFAR is a portmanteau of GIF and JAR (Java archive). The idea is that a JAR containing an applet is appended to a GIF file: GIF decoders read the file from the front and stop at the image trailer, while JAR readers locate the archive directory from the end of the file, so the same bytes satisfy both. A website could therefore be hosting what looks like a harmless image file which, under the right circumstances, can also be loaded as an applet. The Java plugin loads an applet archive from whatever URL it is given, regardless of the file’s extension, so a file ending in .gif works as well as one ending in .jar.
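The polyglot construction described above, as an added example that is not from the talk or the original article: a Python script that builds a file which is simultaneously a valid GIF (parsed from the front) and a valid JAR/ZIP (parsed from the back), then shows the check an upload handler can run to catch such a file. The GIF bytes are a constructed 1x1 image; the archive member is a placeholder text file, not compiled applet bytecode, since the point is the dual-format container rather than any payload.

```python
import io
import zipfile

# Constructed minimal 1x1 GIF89a: signature, logical screen descriptor,
# 2-colour global palette, graphic control extension, image data, 0x3B trailer.
MINIMAL_GIF = bytes.fromhex(
    "474946383961"                          # "GIF89a"
    "0100" "0100"                           # logical screen 1x1
    "80" "00" "00"                          # GCT present (2 colours), bg index, aspect
    "000000" "ffffff"                       # palette: black, white
    "21f904" "01000000" "00"                # graphic control extension
    "2c" "0000" "0000" "0100" "0100" "00"   # image descriptor, no local palette
    "02" "02" "4401" "00"                   # LZW min code size, one data block, terminator
    "3b"                                    # trailer: GIF decoders stop here
)


def build_jar(entries):
    """Build a JAR (a ZIP with a manifest) in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_gifar(gif, jar):
    """Concatenate image and archive. A GIF decoder reads from offset 0 and stops at
    the trailer; a ZIP/JAR reader finds the end-of-central-directory record at the
    end of the file and tolerates the prepended image bytes."""
    return gif + jar


def parse_gif_header(data):
    """Return (version, width, height) if the bytes start as a GIF, else None."""
    if len(data) < 13 or data[:3] != b"GIF" or data[3:6] not in (b"87a", b"89a"):
        return None
    width = int.from_bytes(data[6:8], "little")
    height = int.from_bytes(data[8:10], "little")
    return data[3:6].decode(), width, height


def jar_entries(data):
    """Member names if the bytes are a readable ZIP/JAR, else an empty list."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def read_jar_member(data, name):
    """Extract one member; works on the polyglot because zipfile re-bases the
    local header offsets by the size of the prepended data."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def is_gifar(data):
    """Upload-time check: a blob that parses as a GIF *and* as a ZIP is a polyglot
    and should be rejected (or re-encoded) rather than stored as-is."""
    return parse_gif_header(data) is not None and zipfile.is_zipfile(io.BytesIO(data))


if __name__ == "__main__":
    jar = build_jar({"Payload.txt": b"placeholder member, not applet bytecode"})
    gifar = build_gifar(MINIMAL_GIF, jar)
    print("GIF header:", parse_gif_header(gifar))
    print("JAR members:", jar_entries(gifar))
    print("flagged as GIFAR:", is_gifar(gifar), "| plain GIF flagged:", is_gifar(MINIMAL_GIF))
```

The detection function is the cheap part; the robust defence for an image-hosting site is to re-encode every uploaded image server-side (which drops the trailing archive) and to serve user-supplied files from a separate origin so that whatever does slip through cannot run with the main site’s origin.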

Thanks to a number of different weaknesses in how the same-origin policy is enforced, McFeters argued that it could be possible to get a GIFAR hosted on a target domain (by uploading it where the site accepts images, for instance) and then use it to wage attacks against all other users of that domain: an applet loaded from that domain runs within its origin and can make requests back to it.

McFeters repeatedly cited Google as an example of how such an attack could be carried out, though he was quick to note in numerous cases that Google has been responsive and has patched the issues that he found.

But what about other sites?
Personally, I think sites that aren’t as security-focused as Google are likely ripe targets for GIFAR. This is one massive multi-headed attack that I for one think deserves to be taken seriously by all domain owners that host images (and that’s nearly everyone).
