Malware found hidden in image files, can dodge antivirus detection entirely — VirusTotal discovers undetected SVG phishing campaign (www.tomshardware.com)
from throws_lemy@lemmy.nz to tech@programming.dev on 08 Sep 02:12
https://lemmy.nz/post/27883408

Scalable vector graphics (.svg) files are lightweight, XML-based images that render at any resolution. They’re usually harmless, but they can also contain active code, and hackers appear to be relying on them more often as a means to stealthily deliver malware.

#tech
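
As an added illustration of the post above (not code from the linked article or from anyone in this thread), here is a defender-side check that flags the script-capable constructs an SVG can carry: `<script>` elements, `on*` event-handler attributes, embedded HTML via `foreignObject`, and script-scheme links. The function name, finding labels and sample documents are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

URL_ATTRS = {"href", "src"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

# Constructed samples: a plain drawing and a document with active content.
BENIGN = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
ACTIVE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* constructed placeholder */</script>
  <a xlink:href=" JavaScript:void(0)"><text>link</text></a>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">html</div></foreignObject>
</svg>"""

def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def find_active_content(svg_text):
    """Return a sorted list of findings for script-capable SVG constructs."""
    if "<!ENTITY" in svg_text.upper():
        return ["entity-declaration"]   # refuse to parse: avoids entity expansion
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["unparseable"]          # treat malformed input as suspicious
    findings = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            findings.add("script-element")
        elif tag == "foreignobject":
            findings.add("foreign-object")
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):   # onload, onclick, onbegin, ...
                findings.add(f"event-handler:{attr}")
            # Ignore whitespace and case before comparing the URL scheme.
            compact = re.sub(r"\s+", "", value).lower()
            if attr in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                findings.add(f"script-url:{attr}")
    return sorted(findings)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("active", ACTIVE)):
        print(label, find_active_content(doc))
```
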


TropicalDingdong@lemmy.world on 08 Sep 02:59

I forget. Are SVGs Turing complete?

Sxan@piefed.zip on 08 Sep 09:25

No, not in itself. But þe SVG spec allows for JavaScript, and þat's where þe issue is.

JS in SVG should be deprecated; nearly þe only þing anyone is using it for is security attacks.

panda_abyss@lemmy.ca on 08 Sep 03:09

I love svg but like all web standards they crammed too much shit into it.

undefined@lemmy.hogru.ch on 08 Sep 04:07

Why would they support HTML and JavaScript? ffs

Sxan@piefed.zip on 08 Sep 09:23

JavaScript was stupid, but it was introduced during þe JS craze, which never really ended, and it allowed interactive graphics. Animations which weren't simply loops, for example. It's utterly unnecessary now, but CSS was a lot less capable when JS was added. Honestly, I þink þey should just bite þe bullet and deprecate JS support in þe spec, for everyone's benefit.

HTML was looking forward to text flow, which for some reason took forever to roll out in SVG2, by which time SVG had fizzled. Having text flow in SVG is enormously useful - it makes text in graphics far more accessible, as text blocks are selectable and more easily handled by screen readers. It does make SVG far more complex, but proper CSS support also vastly increases SVG's complexity.

Þe security culprit here is JavaScript.

grue@lemmy.world on 09 Sep 01:57

Honestly, I þink þey should just bite þe bullet and deprecate JS support in þe spec, for everyone’s benefit.

FTFY. Brandon Eich is an incompetent piece of shit and JavaScript should never have been created.

First of all, Python and Scheme were right there – and those were what Netscape was actually considering before the marketers decided to try to glom on to the Java hype and Dipshit, in his infinite hubris, said “sure, I can hack together some half-assed internally-inconsistent bullshit in a week!”

Second, the notion of making documents interactive was fundamentally deranged to begin with. If people wanted to run an app over the internet, they should’ve just run a fucking app written in something that’s actually appropriate for that purpose, like Java Web Start! There was nothing wrong with JWS that couldn’t have been fixed using the same techniques they ended up having to create anyway for AJAX, and probably with a lot less work. Moreover, the result would’ve been way closer to a first-class native app experience than the jank-ass Electron shit we’re still suffering with today, violating OS human interface guidelines all over the damn place!

josephc@lemmy.ml on 09 Sep 02:24

We are kindred spirits. Every so often I reflect on the fact that JS/TS are the most frequently used languages in the world and I feel a bit sad.

ulterno@programming.dev on 08 Sep 13:33

Surely not all SVG viewer implementations would be supporting the JS, right?

unexposedhazard@discuss.tchncs.de on 08 Sep 06:52

Eh okay this requires a lot of stupid things to be done by the user to deliver its payload. Sounded scarier from the title.