In association with heise online

11 February 2009, 10:38

Internet Explorer executes code in pictures


A feature in Internet Explorer that checks the type of a file before presenting it to the user has been found to allow execution of JavaScript embedded in an image. The MIME sniffing functionality was originally meant to compensate for web servers sending the wrong content type information in response to a request for an image. However, it now appears that the feature is easily confused, and that confusion can be exploited with a crafted image file containing embedded HTML and JavaScript code, which the browser will render and execute.

heise Security presents a feature, Risky MIME Sniffing in Internet Explorer, which examines the problem, demonstrates it with examples and explains how users and web site developers can mitigate the risk.
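
A server-side check that a site accepting image uploads could run against the problem described above, as an added example that is not from the original article: it rejects files whose leading bytes do not match the declared image type or contain HTML markup. The 256-byte window, the tag list, the function names and the `X-Content-Type-Options` response header are assumptions, not taken from the article.

```python
import re

# Leading bytes ("magic numbers") of common image formats.
IMAGE_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Assumption: a sniffer inspects only the start of the file; 256 bytes is
# the window used here. The tag list is illustrative, not exhaustive.
SNIFF_WINDOW = 256
HTML_HINT = re.compile(
    rb"<\s*(?:html|head|body|script|title|img|iframe|table)\b",
    re.IGNORECASE,
)


def check_upload(data: bytes, declared_type: str) -> list[str]:
    """Return a list of reasons to reject an uploaded image (empty = accept)."""
    problems = []
    magics = IMAGE_MAGIC.get(declared_type)
    if magics is None:
        problems.append("unsupported content type")
    elif not data.startswith(magics):
        problems.append("magic bytes do not match declared type")
    if HTML_HINT.search(data[:SNIFF_WINDOW]):
        problems.append("HTML markup in leading bytes")
    return problems


def response_headers(declared_type: str) -> dict[str, str]:
    """Headers for serving a user-supplied image without content sniffing."""
    return {
        "Content-Type": declared_type,
        # Assumption (not in the article): honoured by Internet Explorer 8+.
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: a clean PNG header, and a GIF header followed by markup.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 64
GIF_WITH_HTML = b"GIF89a" + b"\x01\x00\x01\x00" + b"<html><body>hello</body></html>"
```

The second sample passes a magic-byte check on its own, which is why the markup scan is run in addition to it.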

