Scary Photo Can Compromise Users' Accounts

August 11, 2008

Harried information security staff are used to taking some solace in the harmless passivity of data. They have come to realize that any piece of "code," no matter how small, has the potential to cause harm and must therefore be carefully checked for vulnerabilities. On the other hand, data has always been above suspicion, because it doesn't "do" anything—it just sits there waiting for code to act upon it. Researchers have often daydreamed about how easy their lives would be if we could just get rid of code altogether and live in a world of pure data.

That dream world seems a lot further away this week, after the invention of the GIFAR. A GIFAR is a combination of a GIF graphic and a Java JAR file. As explained in an Infoworld article,

To the Web server, the file looks exactly like a .gif file, however a browser's Java virtual machine will open it up as a Java Archive file and then run it as an applet. That gives the attacker an opportunity to run Java code in the victim's browser. For its part, the browser treats this malicious applet as though it were written by the Web site's developers.

Let's hope this is not the beginning of a trend—we certainly don't look forward to a time when every text, JPEG, or XML file could compromise a machine.
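One way an upload handler could check for the dual-format file described above, as an added example that is not taken from the Infoworld article or from Q-CERT. It relies on the fact that GIF is identified from the first bytes of a file while ZIP/JAR archives are located from an end-of-central-directory record near the end; the function names and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory signature
EOCD_MIN = 22              # size of the EOCD record without a comment
MAX_COMMENT = 0xFFFF       # the ZIP comment length is a 16-bit field

def find_zip_eocd(data: bytes) -> int:
    """Return the offset of a plausible ZIP EOCD record near the end, or -1."""
    start = max(0, len(data) - (EOCD_MIN + MAX_COMMENT))
    pos = data.rfind(EOCD_SIG, start)
    while pos != -1:
        if pos + EOCD_MIN <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + EOCD_MIN + comment_len <= len(data):
                return pos
        pos = data.rfind(EOCD_SIG, start, pos)
    return -1

def archive_entries(data: bytes) -> list:
    """List archive member names if the bytes also parse as a ZIP/JAR."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def classify_upload(data: bytes) -> str:
    """Classify a file claimed to be a GIF: 'not-gif', 'gif' or 'gif+zip'."""
    if not data.startswith(GIF_MAGICS):
        return "not-gif"
    return "gif+zip" if find_zip_eocd(data) != -1 else "gif"

# Constructed fixtures: a minimal GIF header and trailer, and a benign archive.
def sample_gif() -> bytes:
    return b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b";"

def sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()

if __name__ == "__main__":
    for blob in (sample_gif(), sample_gif() + sample_archive()):
        print(classify_upload(blob), archive_entries(blob))
```

A `gif+zip` result is grounds to reject the upload or to re-encode the image, since re-encoding discards any bytes appended after the image data.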