Quite a long time ago I contacted Microsoft regarding what I thought was a XSS vulnerability in IE.
Microsoft disagreed, preferring to call it a ‘feature’.
This feature allows javascript embedded into GIF files to be executed under certain circumstances. The javascript may point to an alternate domain (as is the case with XSS vulnerabilities).
And this is what I saw yesterday – a compromised site containing a modified GIF file which exploits this XSS vulnerability.
The GIF file contains an embedded iframe pointing to a malicious site. (Thankfully, the site is currently presenting a ‘file not found’ error message.)
Here’s the GIF:
This is one step more on from today’s common web site compromises where some javascript gets added to the main page.
Clicking “view source” doesn’t reveal any malicious code – and this makes a quick analysis of the threat more difficult.
Following this discovery we’ve contacted Microsoft again – hopefully they’ll reconsider their position on this issue.
IE feature exploited ITW