Nate McFeters provides even more details about the GIFAR attack that is to be presented at the Black Hat conference. He provides some more details about the implications; the most important one being that this will affect most, if not all, sites that allow user-uploaded content. Two other important points to note:

  • This is NOT a browser or OS level issue.  This attack will work on all operating systems and browsers that support JVM for any application that will accept our content in a way that leaves the applet intact.
  • Shrinking, converting, resizing, etc. will NOT necessarily fix this issue as is being suggested on Slashdot.  We have been able to attack sites that do resizing, shrinking, or converting as well.

I really like his suggested fix: just host user-uploaded content on a completely different domain. That should stop not only this, but also other comparable attacks that might show up in the future. In fact, I’m willing to bet that Youtube, MySpace and the likes are already scrambling to implement this. The next weeks should tell us a lot about code management practices at some of the larger communities; these kinds of changes can be a real nightmare to implement properly.

UPDATE: More info about this at

So, to summarize: any file format that is based on ZIP, you allow your users to upload on your server, can be used in an attack. Any format that has its headers at the top of the file and it ignores junk at the bottom can be used in an attack. No matter which way you look at it, SUN has to do something about the issue.