Sloppy reporting of image file hazards

Reporting carries responsibility. When you tell the public about a risk, you need to tell them what the risk is, not just scare them. An article from Check Point Software Technologies, titled “ImageGate,” shows how bad even tech sites can get at clickbait reporting. According to Wikipedia, Check Point is a business with thousands of employees, not a hole-in-the-wall IT company that hires ghostwriters to write filler.

The article claims:

the attackers have built a new capability to embed malicious code into an image file and successfully upload it to the social media website. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.

First question: What kind of image files are at risk? Surely these “researchers” can divulge that much, but they don’t. The only clue is that near the end, the article says, “Don’t open any image file with unusual extension (such as SVG, JS or HTA).” This makes me think these people know nothing. SVG is an image file extension; the other two aren’t. “JS” is JavaScript, as anyone with a first-grade education in computer security knows. “HTA” is more obscure; it’s an HTML executable format. It’s certainly a bad idea to execute a JS or HTA file of unknown origin on your computer, along with many other executable file formats, but Check Point’s claim that they’re image files betrays gross ignorance. JavaScript or HTA files can display an image, but that doesn’t make them “image formats” any more than an executable application is an image format.

The article claims that the image file downloads itself, rather than some other piece of malware. This seems like a clumsy way to deliver malware. It requires two exploits in the same file, one to force the download and another to do nasty stuff once it’s opened on the victim’s computer. Have the attackers found two weaknesses in some file format?

The linked video gives little information. It shows a dialog offering to download an HTA file (not an image file) and implies that the ransomware executes just by the act of downloading it. Windows is bad about security, but I don’t think it’s that bad. The video doesn’t show the user being “forced” to download the file, as the article claims; it shows the user accepting a prompt to download a file with an HTA extension.

The article offers badly couched advice: “If you have clicked on an image and your browser starts downloading a file, do not open it. Any social media website should display the picture without downloading any file.” Download links on buttons and images are common and no more dangerous than download links on text. The video shows the user clicking on what looks like a thumbnail, and getting a download rather than just bringing up a window or image certainly is unusual and suspicious. You should be wary of any download prompt that you weren’t expecting. If it’s for an HTA file, you should cancel out. But it’s implausible that the thumbnail and the HTA were the same file.

To sound impressive, Check Point claims: “A detailed and technical disclosure of the attack vector will be published by Check Point only after the remediation of the vulnerability in the major affected websites, in order to prevent attackers from taking advantage of this information.” This is absurd. Telling people what kind of image files are affected wouldn’t give attackers any useful information, and it would help people to avoid the risk.

But we can make some guesses about what they’re talking about. SVG was the one actual image format they referred to. The article mentions Facebook and the Locky ransomware. It sounds a lot as if they’re referring to the well-known cross-site scripting risk in SVG files, which ransomware distributors have been exploiting through Facebook Messenger. An SVG file could contain JavaScript to download an HTA file, or even itself.

The “Imagegate” article is dated November 24. I wrote about the SVG risk on November 21, and I was just summarizing information that was already on the Web. Yet the article claims, “Check Point researchers strongly believe the new ImageGate technique reveals how this campaign was made possible, a question which has been unanswered until now.”

Or perhaps it’s something else. An article on The Register supposes that the exploit actually uses an HTA file “disguised” as a JPEG. Whether this is the old double-extension trick or some new weakness isn’t explained. I don’t think any browsers will accept an HTA embedded in a Web page as if it were an image. In the video, the HTA download prompt isn’t disguised at all. Update: I’m seeing articles on several websites claiming “Imagegate” is a JPEG defect, but Check Point’s article doesn’t mention JPEG at all. I don’t know whether they’re going by some additional information or just copying each other.

Perhaps Check Point really has found some new weakness in an unspecified file format. If so, the article is still sloppy and irresponsible. It’s sloppy in that Check Point doesn’t know JavaScript or HTA from an image file. It’s sloppy in claiming that clicking on an image “forces” a download and then contradicting that in its video. It’s irresponsible in not giving any useful information about the risk.

The article does suggest an important point, though it fails to make it: Downloaded SVG files are even more dangerous than ones on websites, since the computer will trust their embedded JavaScript to a higher degree.
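As an added example (my own defensive code, not anything from the Check Point article or The Register), the following Python flags the script-capable content an SVG can carry, which is the risk discussed above, and separately flags a download whose name claims a raster image but whose bytes do not, the "disguised" case mentioned earlier; the SVG samples are constructed, and the xml.etree parser drops comments, so only elements and attributes are inspected.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not from the article): a benign SVG and one carrying
# a <script> block, an event handler and an external reference.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<script>alert(1)</script>'
                b'<image xlink:href="http://example.invalid/x.hta" onload="go()"/>'
                b'</svg>')
# Leading bytes of the common raster formats (JPEG, PNG, GIF).
IMAGE_MAGIC = (b'\xff\xd8\xff', b'\x89PNG\r\n\x1a\n', b'GIF87a', b'GIF89a')

def svg_active_content(data: bytes) -> list:
    """List findings about script-capable content in an SVG document.
    An empty list means nothing script-like was found, not that the file is safe."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f'unparseable XML: {exc}']
    for elem in root.iter():
        if not isinstance(elem.tag, str):
            continue  # comments/processing instructions, if the parser kept any
        tag = elem.tag.rsplit('}', 1)[-1].lower()   # drop the namespace prefix
        if tag == 'script':
            findings.append('<script> element')
        if tag == 'foreignobject':
            findings.append('<foreignObject> element (can wrap arbitrary HTML)')
        for attr, value in elem.attrib.items():
            name = attr.rsplit('}', 1)[-1].lower()  # xlink:href -> href
            if name.startswith('on'):
                findings.append(f'event handler {name} on <{tag}>')
            elif name == 'href' and re.match(r'\s*(javascript|data):', value, re.I):
                findings.append(f'script/data URL href on <{tag}>')
            elif name == 'href' and re.match(r'\s*(https?:)?//', value, re.I):
                findings.append(f'external reference on <{tag}>')
    return findings

def disguised_download(filename: str, data: bytes) -> bool:
    """True when a file named like a raster image does not begin with a raster
    image header, e.g. HTML/HTA or SVG text sitting behind a .jpg name."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    if ext in ('jpg', 'jpeg', 'png', 'gif'):
        return not data.startswith(IMAGE_MAGIC)
    return False
```

A clean result from svg_active_content is a screening outcome, not a guarantee; the point is that an SVG is an XML document that may carry code, which a JPEG or PNG cannot.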
