IE feature exploited ITW

Quite a long time ago I contacted Microsoft regarding what I thought was a XSS vulnerability in IE.

Microsoft disagreed, preferring to call it a ‘feature’.

This feature allows javascript embedded into GIF files to be executed under certain circumstances. The javascript may point to an alternate domain (as is the case with XSS vulnerabilities).

And this is what I saw yesterday – a compromised site containing a modified GIF file which exploits this XSS vulnerability.

The GIF file contains an embedded iframe pointing to a malicious site. (Thankfully, the site is currently presenting a ‘file not found’ error message.)

Here’s the GIF:

This is one step more on from today’s common web site compromises where some javascript gets added to the main page.

Clicking “view source” doesn’t reveal any malicious code – and this makes a quick analysis of the threat more difficult.

Following this discovery we’ve contacted Microsoft again – hopefully they’ll reconsider their position on this issue.

IE feature exploited ITW

Your email address will not be published. Required fields are marked *



APT trends report Q3 2022

This is our latest summary of advanced persistent threat (APT) activities, focusing on events that we observed during Q3 2022.

APT10: Tracking down LODEINFO 2022, part I

The first part of this report will provide technical analysis of the new infection methods such as SFX files and DOWNIISSA, a new downloader shellcode used to deploy the LODEINFO backdoor.

Subscribe to our weekly e-mails

The hottest research right in your inbox