New Attack: Combine Files With Jar Scripts

A new attack, dubbed Gifar by their creators named after the two file types that they mixed to create the attack (Gif and Jar), was mentioned in a Black Hat Sneak Preview article over on ZDnet.

Not every aspect of the attack was revealed in the preview but what it made clear was that the researchers who found the issue combined two files for that.

What is interesting about this attack is that it combines the two files gif and jar in the attack. The container file type is shown normally in the browser but the Java applet is executed at the same time as well provided that Java is enabled and installed.

Many file and image hosts filter dangerous file types. If you tried to upload a Jar file to most of them you would get an error message stating that the file type was not supported.

Many however fail to analyze the file itself and simply reject files based on their extension which opens the door for this attack.

That's a pretty dangerous exploit. Imagine someone who uses this to upload a new avatar to popular websites like Facebook or Myspace (two examples, I have not checked if the two use advanced upload filters). It could do all sorts of things with the Java Applet once users open up the profile page and are exposed to the profile image.

The only valid defense against this type of attack is to disable Java on the computer for the moment. Sun is already working on a fix although the researchers say that it is not Sun's fault that this vulnerability exists.

Update: Most web browsers block Java from running automatically nowadays and some block old versions of Java from being loaded at all by them.

Google announced recently that it will retire all "old NPAPI" plugins starting January 2015 in all versions of the company's Chrome browser.

Advertisement