At the Blackhat conference, a new attack agains webbrowsers was detailed: GIFAR files. These are files that look like a GIF image to the webserver, but like a Java program to the webbrowser. So, you might ask, what is the danger of this? To quote infoworld:
To the Web server, the file looks exactly like a .gif file, however a browser’s Java virtual machine will open it up as a Java Archive file and then run it as an applet. That gives the attacker an opportunity to run Java code in the victim’s browser. For its part, the browser treats this malicious applet as though it were written by the Web site’s developers.
The danger here is that last sentence. This means that the Java applet runs within the same security context as other parts of that website. So if, for example, I upload this GIFAR file to my MySpace account, and send someone a link to that image, I could access all his MySpace account details. To quote McFeters:
Ultimately, browser makers will have to make some fundamental changes to their software too, said Jeremiah Grossman, chief technology officer with White Hat Security. “It’s not that the Internet is broken,” he said. “It’s that browser security is broken. Browser security is really an oxymoron.”