El Reg reports
Penetration tester Marcus Murray says attackers can use malicious JPEGs to pop modern Windows servers, to gain expanded privileges over networks.
In a live hack scheduled for RSA San Francisco this week, the TrueSec boffin shows how he used the technique to access an unnamed US Government agency that ran a buggy photo upload portal.
A key part of the stunt is achieved by inserting active content into the attributes of a jpg image, such that the file name read image.jpg.aspx. "I'm going to try to compromise the web server, then go for back end resources, and ultimately compromise a domain controller," Murray said, adding the hack is not that difficult.
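The bypass described above combines two weaknesses: the server trusts the client-supplied file name (so a double extension like `image.jpg.aspx` is stored and later executed as a server-side page), and it never checks that the bytes are actually an image free of embedded markup. The following is an added example, not code from the article or from TrueSec, of the kind of server-side upload check that closes both holes: it allows exactly one extension from an allowlist, confirms the magic bytes match that extension, rejects any payload containing server-side script markers, and replaces the client's name with a server-generated one. The policy tables and sample JPEG bytes are constructed for illustration.

```python
import re
import secrets
from typing import Optional

# Constructed allowlist: extension -> magic bytes the content must start with.
# Only image types are accepted; there is deliberately no deny-list of script
# extensions, because an allowlist already rejects ".aspx", ".php", etc.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Markers that have no business inside an image and indicate embedded
# server-side or client-side code (for example in EXIF comment fields).
ACTIVE_MARKERS = (b"<%", b"<script", b"<?php")

# The stem (name without extension) is restricted to a small safe charset.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, else a short rejection reason."""
    # Drop any directory component the client may have sent.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    # "image.jpg.aspx" splits into three parts and is rejected here.
    if len(parts) != 2:
        return "filename must have exactly one extension"
    stem, ext = parts[0], "." + parts[1].lower()
    if not SAFE_STEM.match(stem):
        return "unsafe characters in filename"
    if ext not in ALLOWED:
        return "extension not allowed"
    if not data.startswith(ALLOWED[ext]):
        return "content does not match extension"
    lowered = data.lower()
    if any(marker in lowered for marker in ACTIVE_MARKERS):
        return "embedded active content"
    return None


def stored_name(filename: str) -> str:
    """Server-chosen storage name: random stem plus the validated extension.

    The client's stem is never reused, so nothing the client typed reaches
    the filesystem or a later URL.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower()
    return secrets.token_hex(16) + ext


# Constructed sample inputs (not real files):
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16 + b"\xff\xd9"
# Same header, but with a hypothetical ASP-style tag planted in an APP1 segment.
TAGGED_JPEG = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00" + b"<% hypothetical %>" + b"\xff\xd9"
FAKE_JPEG = b"GIF89a" + b"\x00" * 16


if __name__ == "__main__":
    for name, blob in [
        ("image.jpg", GOOD_JPEG),
        ("image.jpg.aspx", GOOD_JPEG),
        ("image.jpg", TAGGED_JPEG),
        ("image.jpg", FAKE_JPEG),
        ("../../image.jpg", GOOD_JPEG),
    ]:
        print(f"{name!r:24} -> {validate_upload(name, blob) or 'accepted'}")
```

The validation alone is not the whole fix: the accepted file should be written under `stored_name()` into a directory the web server is configured not to execute scripts from, and served back with the content type implied by the validated extension rather than one sniffed from the bytes.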
This is by no means a new attack vector.
Why are we still dealing with this over ten years later?
(Score: 4, Interesting) by Nerdfest on Tuesday April 21 2015, @04:27PM
In a related question, why are people still going to the RSA security conference when RSA demonstrably is not an organization that believes in security. I could understand people attending if they gave a conference related to "Capitalism for short term profit" or something similar.