Most commonly, scripts are embedded in compressed (zipped) files, and when unpacked, install on the user’s machine without him or her even being aware of what’s going on. The problem has reached such epic proportions that Google has recently made changes to their Gmail service that makes it impossible to attach JavaScript files at all.
Unfortunately, that doesn’t appear to have done anything to stem the tide, although it has created a very small amount of extra work for the hackers of the world.
They’ll still be able to use .js files after all, but with the added step of injecting them into an SVG.
SVG is a file format used by vector graphics. A little known fact about the file format is that it can be loaded with JavaScript code to change the behavior of the graphic in some way, to add an animation effect, for example.
In other words, Google’s latest move, while admirable, is a bit like closing a single hatch on a boat that has sprung a thousand leaks.
The water (or, in this case, the malicious code) will simply go around the hatch that has been closed off and find another way in, and that is, in fact, what is happening.
The key problem here is twofold.
First, hackers essentially invented the internet. That is, in large part, why they’re always several steps ahead of those who try to defend against them.
Second, so many key elements of the internet are built on technologies and using code that is decades out of date, therefore easily exploited.
Hardly a day goes by that we don’t hear about some new critical vulnerability, and that’s due in large part to the fact that so much of the code we rely on is extremely old, legacy code that’s simply not up to today’s security standards.
Sadly, there’s no good way to fix that.