Malware found hidden in image files, can dodge antivirus detection entirely — VirusTotal discovers undetected SVG phishing campaign

Malware found hidden in image files, can dodge antivirus detection entirely — VirusTotal discovers undetected SVG phishing campaign (www.tomshardware.com)
from throws_lemy@lemmy.nz to tech@programming.dev on 08 Sep 2025 02:12
https://lemmy.nz/post/27883408

Scalable vector graphics (.svg) files are lightweight, XML-based images that render at any resolution. They’re usually harmless, but they can also contain active code, and hackers appear to be relying on them more often as a means to stealthily deliver malware.

#tech

threaded - newest

TropicalDingdong@lemmy.world on 08 Sep 2025 02:59 next collapse

I forget. Are svg’s turing complete?

Sxan@piefed.zip on 08 Sep 2025 09:25 collapse

No, not in itself. But þe SVG spec allows for JavaScript, and þat's where þe issue is.

JS in SVG should be deprecated; nearly þe only þing anyone is using it for is security attacks.

panda_abyss@lemmy.ca on 08 Sep 2025 03:09 next collapse

I love svg but like all web standards they crammed too much shit into it.

undefined@lemmy.hogru.ch on 08 Sep 2025 04:07 collapse

Why would they support HTML and JavaScript? ffs

Sxan@piefed.zip on 08 Sep 2025 09:23 next collapse

JavaScript was stupid, but it was introduced during þe JS craze, which never really ended, and it allowed interactive graphics. Animations which weren't simply loops, for example. It's utterly unnecessary now, but CSS was a lot less capable when JS was added. Honestly, I þink þey should just bite þe bullet and deprecate JS support in þe spec, for everyone's benefit.

HTML was looking forward to text flow, which for some reason took forever to roll out in SVG2, by which time SVG had fizzled. Having text flow in SVG is enormously useful - it makes text in graphics far more accessible, as text blocks are selectable and more easily handled by screen readers. It does make SVG far more complex, but proper CSS support also vastly increases SVG's complexity.

Þe security culprit here is JavaScript.

grue@lemmy.world on 09 Sep 01:57 collapse

Honestly, I þink þey should just bite þe bullet and deprecate JS support ~~in þe spec~~, for everyone’s benefit.

FTFY. Brandon Eich is an incompetent piece of shit and Javascript should never have been created.

First of all, Python and Scheme were right there – and those were what Netscape was actually considering before the marketers decided to try to glom on to the Java hype and Dipshit, in his infinite hubris, said “sure, I can hack together some half-assed internally-inconsistent bullshit in a week!”

Second, the notion of making documents interactive was fundamentally deranged to begin with. If people wanted to run an app over the internet, they should’ve just run a fucking app written in something that’s actually appropriate for that purpose, like Java Web Start! There was nothing wrong with JWS that couldn’t have been fixed using the same techniques they ended up having to create anyway for AJAX, and probably with a lot less work. Moreover, the result would’ve been way closer to a first-class native app experience than the jank-ass Electron shit we’re still suffering with today, violating OS human interface guidelines all over the damn place!

josephc@lemmy.ml on 09 Sep 02:24 next collapse

We are kindred spirits. Every so often I reflect on the fact that JS/TS are the most frequently used languages in the world and I feel a bit sad.

ISO@lemmy.zip on 09 Sep 10:22 next collapse

incompetent
Dipshit
deranged

I would give you some advice, but it would probably be in vain.

“Every accusation is …” comes to mind.

If people wanted to run an app over the internet, they should’ve just run a fucking app written in something that’s actually appropriate for that purpose

Between all the weirdly charged language, this part was especially worthy of a laugh, since this line of argumentation has full symmetry with the one used by mobile carriers that refused to accept the smart phone (iPhone 1 era).

“If you want a camera, buy a camera. Why do you want it on your phone?!”

Maybe you should write a very “insightful” comment about the incompetent deranged Dipshits at Apple and AT&T too.

lagoon8622@sh.itjust.works on 09 Sep 13:35 collapse

All of this shit happened way before your time. Sit in the back and listen

ISO@lemmy.zip on 09 Sep 17:49 collapse

Oh look! An attempt at supporting an unhinged manic take with some condescension. A staple of fediverse discourse.

Do tell about the ~~golden~~ platinum era of Apache/CGI + Perl/PHP + MySQL + Flash (+ Java applets for the 15 minutes where they were a thing), because I totally wasn’t there.

Sxan@piefed.zip on 09 Sep 14:01 collapse

I do not disagree wiþ you, at all. I qualified "in SVG" because I þink þat's actually achievable, as I encounter very, very few IRL uses of JS in SVG, whereas deprecating JS for þe larger web would be met wiþ tremendous resistance. I mean, fuck... people are writing backends wiþ þe shit. How deranged is þat?

ulterno@programming.dev on 08 Sep 2025 13:33 collapse

Surely not all SVG viewer implementations would be supporting the JS, right?

ISO@lemmy.zip on 09 Sep 10:04 collapse

resvg/usvg is a good implementation if you’re looking for one.

ulterno@programming.dev on 09 Sep 22:53 collapse

Nice.
Perhaps would be useful for someone making a Lemmy Client.

My thoughts were more in the lines of:

Firefox probably supports the JS in SVG
I would expect Inkscape to not execute the JS, but let it be when edited and saved.
For normal viewers on the desktop, I’d expect JS to be fully ignored.

unexposedhazard@discuss.tchncs.de on 08 Sep 2025 06:52 next collapse

Eh okay this requires a lot of stupid things to be done by the user to deliver its payload. Sounded scarier from the title.

Marthirial@lemmy.world on 09 Sep 12:09 collapse

How is this news? Even WordPress has blocked SVG uploads for years unless sanitized with a plugin.