Security experts at have developed a hybrid file type that looks like an image but can also run a Java applet surreptitiously in a browser.
The researchers, from UK-based Next Generation Security Software (NGSS) and Ernst & Young LLP's Advanced Security Centre, say it can be used to gain access to a user’s browser on any site that allows images to be uploaded, such as social networking sites or eBay.
The file – known as a Gifar – looks like a .gif image to the host website, but is also combined with a .jar Java archive file. When 'displayed' in a visitor’s browser, the JAR runs as an applet and gives the attacker the opportunity to run Java code in the infected browser.
To the browser, the Java code will look like it has come from the legitimate site. The attack would work best on sites where users stay logged in for some period of time, say NGSS officials.
Last week, a report from security firm Websense, revealed that in the last six months, six out of 10 legitimate websites had at some point inadvertently hosted malware.
NGSS unveiled the Gifar attack at the Black Hat security conference, running this week in Las Vegas. But they kept back vital details to prevent attacks from being launched immediately.
Recently, Kris Lamb, head of IBM’s X-force security outfit, criticised security researchers for publishing vulnerabilities, saying the practice was tantamount to aiding cyber criminals.
To prevent Gifar attacks from proliferating, Sun is expected to tighten security in the Java runtime environment and websites could improve their filters to spot Gifars. But this would protect only against the one attack vector, says NGSS.
Ultimately browser security will have to be improved, say security experts.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago