New Attack: Combine Files With Jar Scripts

Martin Brinkmann
Aug 1, 2008
Updated • Dec 8, 2014

A new attack, dubbed Gifar by their creators named after the two file types that they mixed to create the attack (Gif and Jar), was mentioned in a Black Hat Sneak Preview article over on ZDnet.

Not every aspect of the attack was revealed in the preview but what it made clear was that the researchers who found the issue combined two files for that.

What is interesting about this attack is that it combines the two files gif and jar in the attack. The container file type is shown normally in the browser but the Java applet is executed at the same time as well provided that Java is enabled and installed.

Many file and image hosts filter dangerous file types. If you tried to upload a Jar file to most of them you would get an error message stating that the file type was not supported.

Many however fail to analyze the file itself and simply reject files based on their extension which opens the door for this attack.

That's a pretty dangerous exploit. Imagine someone who uses this to upload a new avatar to popular websites like Facebook or Myspace (two examples, I have not checked if the two use advanced upload filters). It could do all sorts of things with the Java Applet once users open up the profile page and are exposed to the profile image.

The only valid defense against this type of attack is to disable Java on the computer for the moment. Sun is already working on a fix although the researchers say that it is not Sun's fault that this vulnerability exists.

Update: Most web browsers block Java from running automatically nowadays and some block old versions of Java from being loaded at all by them.

Google announced recently that it will retire all "old NPAPI" plugins starting January 2015 in all versions of the company's Chrome browser.


Previous Post: «
Next Post: «


  1. Jonathan said on August 3, 2008 at 8:11 am

    Again, this is the exact reason I use Firefox with No-Script. I would never go back to IE or any other browser, unless they had a script blocking feature.

  2. Martin said on August 1, 2008 at 8:50 pm

    Chris this one is different since both files are executed when the browser opens them. You see the image and think everything is fine while a Java applet is executed in the background.

  3. Chris said on August 1, 2008 at 8:45 pm

    I have heard of hiding files using winrar that combines them into a single picture, but usually the hidden features of the file can only be opened by changing the extension of the file.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.