News

IE Climbs Into the "It's Not a Bug, It's a Feature" Browser Doghouse with Unpatched GIF Vulnerability


XSS vulnerability in IE

Embedded JavaScript in GIF Can Launch XSS Attacks in IE

ZDNet's Zero Day security blog reported Friday that the lowly 256-color GIF picture file format can be used to deliver "drive-by" attacks.

According to Kaspersky Lab analyst Roel Schouwenberg, GIF files can include embedded JavaScript and, under certain circumstances, can be used to launch a cross-site scripting (XSS) attack. XSS attacks are both common and dangerous, as reported here previously.

Unfortunately, because you can't tell from the outside whether a GIF file contains JavaScript, it's much tougher to avoid potentially hostile websites - or compromised websites that now carry hostile JavaScript.
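A site that accepts image uploads can at least check the bytes it is about to serve. The following is an added example, not code from the article, from Kaspersky or from Microsoft: it verifies the GIF signature and flags files that also carry HTML or script markers (the marker list and the sample files are constructed for illustration).

```python
import re

# Every genuine GIF starts with one of these two six-byte signatures.
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")

# Markers that never belong in real image data but would let a browser that
# "sniffs" content treat the file as HTML. Kept narrow to limit false positives
# on compressed pixel data; extend with care (assumption: this list is ours).
ACTIVE_CONTENT_RE = re.compile(
    rb"<\s*(script|html|iframe|object|embed)\b|javascript:",
    re.IGNORECASE,
)


def has_gif_signature(data: bytes) -> bool:
    """True if the upload at least claims to be a GIF."""
    return data[:6] in GIF_SIGNATURES


def find_active_content(data: bytes) -> list:
    """Return the distinct, lower-cased markers found anywhere in the file."""
    return sorted({m.group(0).lower() for m in ACTIVE_CONTENT_RE.finditer(data)})


def classify_upload(data: bytes) -> str:
    """Decide what to do with a file uploaded as a GIF.

    'reject-not-gif'          - wrong signature, whatever the extension says
    'reject-active-content'   - valid signature but HTML/script inside (polyglot)
    'ok'                      - looks like plain image data
    """
    if not has_gif_signature(data):
        return "reject-not-gif"
    if find_active_content(data):
        return "reject-active-content"
    return "ok"


# Constructed samples (not from the article):
# a minimal 1x1 transparent GIF89a,
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00"
             b"\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
# a GIF signature followed by harmless HTML standing in for embedded script,
POLYGLOT_GIF = b"GIF89a" + b"<html><script>/* constructed marker */</script></html>"
# and an HTML page uploaded under a .gif name.
HTML_ONLY = b"<html><body>not an image</body></html>"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("polyglot", POLYGLOT_GIF), ("html", HTML_ONLY)):
        print(f"{name}: {classify_upload(blob)} {find_active_content(blob)}")
```

Serving user-supplied images from a separate hostname and with an `X-Content-Type-Options: nosniff` header stops this class of problem at the browser even when a check like this misses something.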

An Unheeded Warning

According to Zero Day, Schouwenberg warned Microsoft a long time ago about this vulnerability, Microsoft disagreed, and the vulnerability was never patched. He has contacted Microsoft again.

Apple Climbs Out of Browser Doghouse – Making Room for Microsoft

This vulnerability is reminiscent of the recent "carpet bomb" vulnerability in Apple's Safari browser, which was actually a combination of poor design choices by both Apple and Microsoft. Fortunately, it didn't take long for Apple to issue a revised version of Safari to stop the threat.

Let's hope Microsoft can take a hint - especially since Zero Day's report on the GIF threat indicates it's an in-the-wild problem that's already compromised at least one legitimate website.

Skull and crossbones courtesy of Webweaver.nu
