Computer Forums

Posted by Osiris, 08-01-2008, 12:30 PM (#1)

New Attack: Combine Files With Jar Scripts

A new attack, dubbed Gifar by its creators after the two file types that they mixed to create the attack (GIF and JAR), was mentioned in a Black Hat Sneak Preview article over at ZDNet. While not everything was revealed in that preview article, it mentioned that the developers were able to combine two file types, like the previously mentioned GIF and JAR files, so that the first, the container file type, would be shown normally in the browser but that the Java applet would be executed at the same time.
Many file and image hosts filter dangerous file types. If you tried to upload a JAR file to most of them, you would get an error message stating that the file type was not supported. Many, however, fail to analyze the file itself and simply reject files based on their extension, which opens the door for this attack.
That’s a pretty dangerous exploit. Imagine someone who uses this to upload a new avatar to popular websites like Facebook or Myspace (two examples; I have not checked if the two use advanced upload filters). He could do all sorts of things with the Java applet once users open up his profile page.
The only valid defense against this type of attack is to disable Java on the computer for the moment. Sun is already working on a fix, although the researchers say that it is not Sun’s fault that this vulnerability exists.
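An upload check that analyzes the file itself rather than its extension, as an added example that is not part of the original post or of any product it mentions. It assumes the host accepts only GIF images; the function names and sample bytes are constructed for illustration.

```python
import io
import zipfile
def gif_end_offset(data):
    """Walk the GIF block structure; return the offset just past the trailer, else None."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    pos = 13                                  # header + logical screen descriptor
    if data[10] & 0x80:                       # global colour table present
        pos += 3 * (2 << (data[10] & 7))
    try:
        while True:
            kind = data[pos]
            pos += 1
            if kind == 0x3B:                  # trailer: the GIF ends here
                return pos
            if kind == 0x21:                  # extension: label byte, then sub-blocks
                pos += 1
            elif kind == 0x2C:                # image descriptor (9 bytes after separator)
                flags = data[pos + 8]
                pos += 9
                if flags & 0x80:              # local colour table
                    pos += 3 * (2 << (flags & 7))
                pos += 1                      # LZW minimum code size
            else:
                return None
            while data[pos]:                  # skip length-prefixed sub-blocks
                pos += data[pos] + 1
            pos += 1                          # zero-length block terminator
    except IndexError:                        # truncated or malformed
        return None

def check_upload(data):
    """Verdict for bytes uploaded as an image, ignoring the claimed file extension."""
    end = gif_end_offset(data)
    if end is None:
        return "reject: not a well-formed GIF"
    if zipfile.is_zipfile(io.BytesIO(data)):  # ZIP/JAR readers locate the archive from the file's end
        return "reject: also parses as a ZIP/JAR archive"
    if end != len(data):
        return "reject: trailing data after GIF trailer"
    return "accept"

# Constructed sample input: a minimal 1x1 GIF and a one-entry archive standing in for a JAR.
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
def sample_archive():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()
```

The trailing-data check is the stricter of the two: it rejects anything appended after the GIF trailer, whether or not it is recognisable as an archive.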
 