
SVG Images Getting Wider Distribution As Malicious File Type

February 20, 2017 | March 1st, 2023 | Cybersecurity

JavaScript is hands down the tool of choice of hackers who are interested in inserting malicious code onto a user’s device.

Most commonly, scripts are embedded in compressed (zipped) files and, when unpacked, install on the user’s machine without the user even being aware of what’s going on. The problem has reached such epic proportions that Google has recently made changes to its Gmail service that make it impossible to attach JavaScript files at all.

Unfortunately, that doesn’t appear to have done anything to stem the tide, although it has created a very small amount of extra work for the hackers of the world.

They’ll still be able to use .js files after all, but with the added step of injecting them into an SVG.

SVG is a file format for vector graphics. A little-known fact about the format is that an SVG file can be loaded with JavaScript code that changes the behavior of the graphic in some way, to add an animation effect, for example.

In other words, Google’s latest move, while admirable, is a bit like closing a single hatch on a boat that has sprung a thousand leaks.

The water (or, in this case, the malicious code) will simply go around the hatch that has been closed off and find another way in, and that is, in fact, what is happening.
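A defensive check for the point above that an SVG can carry JavaScript, as an added example (not code from the original article): a small Python function that a mail or upload filter could run to decide whether an SVG is a static image. The function name, the list of flagged constructs and the sample documents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# URI schemes that execute or embed script when used in href / xlink:href.
ACTIVE_SCHEMES = ("javascript:", "data:text/html")

def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()

def find_active_content(svg_bytes):
    """Return reasons an SVG should not be treated as a static image."""
    upper = svg_bytes.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        # Fail closed instead of handing a DTD to the parser.
        return ["DTD or entity declaration"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for elem in root.iter():
        tag = local(elem.tag)
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can carry HTML)")
        for attr, value in elem.attrib.items():
            name = local(attr)
            # Remove whitespace so 'java\tscript:' is still recognised.
            target = "".join(value.split()).lower()
            if name.startswith("on"):
                findings.append(f"{name} event handler on <{tag}>")
            elif name == "href" and target.startswith(ACTIVE_SCHEMES):
                findings.append(f"script URI in href on <{tag}>")
    return findings

# Constructed samples (not taken from any real campaign).
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
            b'<script type="text/javascript">/* placeholder */</script>'
            b'<a xlink:href="javascript:void(0)"><circle r="4"/></a></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("scripted", SCRIPTED)):
        print(label, find_active_content(sample))
```

An empty result means none of the listed constructs were found; it does not prove the file is safe, so a filter should combine it with its existing attachment policy.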

The key problem here is twofold.

First, hackers essentially invented the internet. That is, in large part, why they’re always several steps ahead of those who try to defend against them.

Second, so many key elements of the internet are built on technologies and code that are decades out of date and therefore easily exploited.

Hardly a day goes by that we don’t hear about some new critical vulnerability, and that’s due in large part to the fact that so much of the code we rely on is extremely old, legacy code that’s simply not up to today’s security standards.

Sadly, there’s no good way to fix that.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.