Microsoft Fixes Feature.
I read that in the latest MSIE7 patch round, they fixed the UXSS image issue[1] I talked about in early 2007. The attack was pretty easy to perform. Here is how it works, in case you didn't know about it.
First, you create an image. If you have Photoshop, which is the quickest way, you can set a watermark inside the image as metadata. Inside the copyright field you can enter whatever you like: HTML, JavaScript, iframes that fetch Trojans. For Firefox and Opera users, the image will render normally without any notice. But Internet Explorer does not check the image's metadata, and because HTML is present in the file's source, it will be rendered as HTML. This has been used plenty of times by malware writers, and AV software vendors had a very hard time detecting it. According to Viruslist[2], Microsoft finally listened to the AV vendors. Microsoft always dubbed this a feature. I still have a hard time understanding why; I guess they would coin it a content-negotiation issue. MSIE 6 and lower are still vulnerable.
If you don't have Photoshop, you can also create an image with a text editor. Copy and paste one of the following lines, which creates a full header for that file type. After the header, type the basic JavaScript you want to execute. Then save the file with an image extension, open it in MSIE and be amazed.
GIF:
%137%71%73%70%13%10%26%10%00%00%00%13%00%00%00%01%00%00%00%01<script>alert('NWO');</script>
JPG:
%137%74%80%71%13%10%26%10%00%00%00%13%00%00%00%01%00%00%00%01<script>alert('NWO');</script>
PNG:
%137%80%78%71%13%10%26%10%00%00%00%13%00%00%00%01%00%00%00%01<script>alert('NWO');</script>
GIF decimal header:
G = 71 I = 73 F = 70
JPG decimal header:
J = 74 P = 80 G = 71
PNG decimal header:
P = 80 N = 78 G = 71
Note: these headers aren't really needed, but it's interesting to include them or at least know them. If you want to create an image[1] that still renders correctly in Firefox and Opera, it's better to use Photoshop.
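A defender-side check for the problem described above, written as an added example (not code from the original post): it verifies a file's real signature against its claimed extension and scans the bytes for markup that a sniffing browser would act on. The sample blobs are constructed inline, not real images.

```python
import re

# Genuine signatures for the three formats named in the post
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Markup a content-sniffing browser would act on if it appears in the file
HTML_MARKERS = re.compile(
    rb"<\s*(script|html|body|iframe|object|embed|meta)\b|javascript:|\bon\w+\s*=",
    re.IGNORECASE,
)


def sniff_format(data):
    """Return the format whose signature starts the blob, or None."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return None


def inspect_image(data, declared_ext):
    """Decide whether a blob claiming extension declared_ext is safe to serve.

    Returns ("accept", []) or ("reject", [reason, ...]).
    """
    reasons = []
    claimed = declared_ext.lower().lstrip(".").replace("jpeg", "jpg")
    actual = sniff_format(data)
    if actual is None:
        reasons.append("no recognised image signature")
    elif actual != claimed:
        reasons.append(f"signature is {actual}, extension claims {claimed}")
    hit = HTML_MARKERS.search(data)
    if hit:
        reasons.append(f"HTML marker {hit.group(0)!r} at offset {hit.start()}")
    return ("reject" if reasons else "accept", reasons)


# Constructed samples: a minimal PNG header with padding, the same header with
# a tEXt chunk whose comment field carries markup (the watermark trick from the
# post), and a text-editor "GIF" that has no real header at all.
CLEAN_PNG = MAGIC["png"][0] + b"\x00" * 32
POISONED_PNG = (MAGIC["png"][0] + b"\x00\x00\x00\x20tEXt"
                + b"Copyright\x00<script>alert('NWO');</script>")
FAKE_GIF = b"%137%71%73%70<script>alert('NWO');</script>"

if __name__ == "__main__":
    for name, blob, ext in [("clean", CLEAN_PNG, "png"),
                            ("poisoned", POISONED_PNG, "png"),
                            ("fake", FAKE_GIF, "gif")]:
        print(name, *inspect_image(blob, ext))
```

A check like this belongs at upload time on the server; it does not change how MSIE 6 and earlier sniff files that are already being served.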
[1] UXSS example image: http://0x000000.com/images/aye.png
[2] http://www.viruslist.com/en/weblog?weblogid=208187540