[NEWS] Using data: URLs for Malware Injection (Opera)
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org
Date: 12 Jan 2005 11:56:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Using data: URLs for Malware Injection (Opera)
As described by Darren Bounds in an earlier posting
<http://www.securiteam.com/securitynews/5LP0C0AEKS.html>, RFC 2397 allows
data to be embedded directly in an HTML-formatted document. While Darren
only used this for malicious images, Michael did some further research,
which shows that it can also be used to embed an executable file in the
document. As shown by Darren, such embedded data is not detected by
current AV gateways. This could be abused by websites (and probably HTML
email too) for distributing malware.
* Opera version 7.5.4
* Internet Explorer version 6
* Firefox version 1.0
* Mozilla version 1.5.4
The attack works by using a URL scheme like this:
< a href="data:application/x-msdos-program;base64,[base64 data]">Click
Michael's tests with various Windows-based web browsers had the following
* Internet Explorer 6 - Clicking on the link does nothing
* Mozilla version 1.5.4 - Tries to open the "what should I do with
that" file dialog and then hangs; it needs to be killed
* Firefox version 1.0 - Allows saving the data to hard disk (on Linux
it also displays a lot of rubbish in the save dialog)
* Opera version 7.5.4 - Says that it will open the file with Notepad
(which sounds OK), but will then EXECUTE IT INSTEAD (without further
The information has been provided by <mailto:email@example.com> Michael
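
A gateway-side check for the data: URL form shown above, added here as an example (it is not part of the advisory or any vendor's code): it decodes each data: URL found in an HTML body and flags payloads that start with an executable header or declare a program media type. The function names, the media-type list and the sample HTML are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 form: data:[<mediatype>][;base64],<data>
DATA_URL = re.compile(r"""data:([^,"'<>\s]*),([^"'<>\s]*)""", re.IGNORECASE)
# Leading bytes of common executable formats.
EXEC_MAGIC = {b"MZ": "DOS/PE executable", b"\x7fELF": "ELF executable"}
# Media types that announce a program; the first is the one in the advisory.
EXEC_TYPES = {"application/x-msdos-program", "application/x-msdownload"}


def decode_payload(meta, data):
    """Return the bytes carried by one data: URL, or None if undecodable."""
    raw = unquote_to_bytes(data)          # undo %XX escaping first
    if not meta.lower().endswith(";base64"):
        return raw
    try:
        # Tolerate missing '=' padding, which browsers often accept.
        return base64.b64decode(raw + b"=" * (-len(raw) % 4))
    except (binascii.Error, ValueError):
        return None


def scan_html(html):
    """Return (media_type, reason) for each data: URL that carries a program."""
    findings = []
    for meta, data in DATA_URL.findall(html):
        media_type = meta.split(";")[0].strip().lower()
        payload = decode_payload(meta, data) or b""
        # Content beats the label: a mislabelled payload is still flagged.
        magic = next((name for sig, name in EXEC_MAGIC.items()
                      if payload.startswith(sig)), None)
        if magic:
            findings.append((media_type, magic))
        elif media_type in EXEC_TYPES:
            findings.append((media_type, "executable media type"))
    return findings


# Constructed sample: two header bytes plus filler text, not a real program.
STUB = base64.b64encode(b"MZ" + b"constructed sample, not a program").decode()
SAMPLE = (
    f'<a href="data:application/x-msdos-program;base64,{STUB}">Click</a>'
    f'<a href="data:text/html;base64,{STUB}">mislabelled</a>'
    '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">'
)
```

Checking the decoded bytes as well as the declared media type matters because the type in a data: URL is chosen by whoever wrote the page.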