Newly-found hybrid attack embeds Java applet in GIF file

Researchers at NGSSoftware have developed a hybrid attack capable of hiding itself within an image and intend to present details on the exploit at the Black Hat security conference next week. New and esoteric attacks are part and parcel of what Black Hat is about, but this particular vector could target web sites with a particularly vulnerable population: MySpace and Facebook. Social networking web sites tend to attract younger users, and while this particular attack can be used in a variety of ways, embedding the hook in profile photos that are then seeded and targeted at the teen crowd could be a very effective tactic. HangZhou Night Net

The full details of the attack won't be available until next week, but Network World has managed to glean some key facts on its operation. The NGSSoftware team has found a way to embed a Java applet within a GIF; the hybridized file is referred to as a GIFAR. Just to make it clear, this is a file extension of convenience and not the literal name of any particular file type. The GIFAR exploit works because two different programs see the same file differently. The web server that actually holds the file sees it as a GIF file, and serves it accordingly, but when the "image" actually reaches the client, it's opened as a Java applet and run.

Simply viewing a GIFAR won't infect a system; the attack method requires that the user be linked to the hybridized infection from an appropriately malicious web site. Despite its name, this attack method is not limited to GIFs; ZDNet's Zero Day blog has additional information on the exploit, and states that a number of files could be combined with .JAR, including both JPEGs and DOCs. This seems to indicate that one could actually hide a Java applet inside another Java applet, and then tie both of them together with a BINK file, but the resulting mess would probably fail, even as comedic relief.

The root of the problem isn't within Java itself, but results from weak web application security. ZDNet's blog entry implies that the attack vector might be significantly reduced if web applications would actually parse a file's contents, rather than simply checking the extension. The research team will leave some details of the attack out in their presentation, to prevent immediate exploitation, and Sun intends to issue a patch that will serve as a short-term correction to the problem.