At this week's Black Hat security conference, researchers will discuss an attack they have named the GIFAR attack. The attack combines a JAR (Java Archive) file with another file, such as a GIF image (GIF + JAR = GIFAR). The user's browser treats the file as a valid image and displays it normally, but the Java Virtual Machine (JVM) on the user's computer also treats it as a JAR file and executes the second part of the file as a Java applet. To be clear, JAR files can be combined with other file types as well, such as JPEG images or Word documents.
Why is this a problem? Because many websites allow users to upload content, and most of them do not adequately sanitize that content. Those websites that do perform input validation (sanitization) typically do little more than confirm that the uploaded file has an acceptable file extension. Although some media coverage singles out widely used websites such as Facebook, MySpace and Google as potentially vulnerable, the attack can affect any website that insufficiently sanitizes user-supplied content.
As a user, you have no way of knowing which of the websites you use sanitize uploads sufficiently. And if you are tricked into running a malicious Java applet, it runs in the security context of the website it was loaded from. That means the attacker could, for example, hijack the user's session (gain unauthorized access to the website while masquerading as the targeted user).
Where security controls are especially weak, an attacker might even target a user on a trusted system behind the same firewall as the website, and from there attack the server hosting the website.
One of the researchers, Nathan McFeters, mentioned that this isn't the first such attack vector, and that even if Sun patches the JVM, new attack vectors will arise. The lesson? Don't trust content from users. And properly sanitize it.
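The extension-only check criticized above is easy to beat because a JAR is a ZIP archive whose directory is read from the end of the file, so an image with a JAR appended still begins with a perfectly valid image header. The following added example (not from the original post) shows one stricter upload check in Python: it walks the GIF block structure to the trailer byte and rejects anything appended past it, and it separately refuses any file Python's zipfile module recognizes as an archive; the 1x1 GIF and the appended empty-archive record are constructed here purely as test input.

```python
import io
import zipfile

# Constructed sample (not from the original post): a hand-built 1x1 GIF89a.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00"          # header; 1x1 screen; colour-table flag
             + b"\x00\x00\x00\xff\xff\xff"                  # 2-entry global colour table
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor: 1x1 at (0,0)
             + b"\x02\x02\x44\x01\x00\x3b")                 # LZW min code 2, data, block end, trailer
# GIFAR-style layout (image first, ZIP structure appended); the appended part is only
# an empty archive's end-of-central-directory record, not a JAR.
POLYGLOT = CLEAN_GIF + b"PK\x05\x06" + b"\x00" * 18

def _skip_subblocks(data, pos):
    """Skip GIF data sub-blocks (1 length byte + payload, ended by a 0 byte)."""
    while pos < len(data):
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos
    raise ValueError("truncated sub-block chain")

def gif_payload_end(data):
    """Walk the GIF block structure; return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        raise ValueError("not a GIF")
    flags, pos = data[10], 13
    if flags & 0x80:                                   # global colour table present
        pos += 3 * (2 << (flags & 0x07))
    while pos < len(data):
        tag, pos = data[pos], pos + 1
        if tag == 0x3B:                                # trailer: the image ends here
            return pos
        if tag == 0x21:                                # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif tag == 0x2C:                              # image descriptor (9 bytes)
            if data[pos + 8] & 0x80:                   # local colour table present
                pos += 3 * (2 << (data[pos + 8] & 0x07))
            pos = _skip_subblocks(data, pos + 10)      # skip descriptor + LZW min code size
        else:
            raise ValueError(f"unknown block 0x{tag:02x}")
    raise ValueError("missing GIF trailer")

def check_gif_upload(data):
    """Return (accepted, reason): reject archives and any bytes past the GIF trailer."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return False, "ZIP/JAR structure present"
    end = gif_payload_end(data)
    if end != len(data):
        return False, f"{len(data) - end} trailing bytes after GIF trailer"
    return True, "ok"
```

The trailing-bytes rule catches any appended payload, not just JARs, while the archive check also covers ZIP data hidden in places a lenient image parser would skip.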