SVG Images Getting Wider Distribution As Malicious File Type
Unfortunately, that doesn’t appear to have done anything to stem the tide, although it has created a very small amount of extra work for the hackers of the world.
They’ll still be able to use .js files after all, but with the added step of injecting them into an SVG.
In other words, Google’s latest move, while admirable, is a bit like closing a single hatch on a boat that has sprung a thousand leaks.
The water (or, in this case, the malicious code) will simply go around the hatch that has been closed off and find another way in, and that is, in fact, what is happening.
The key problem here is twofold.
First, hackers essentially invented the internet. That is, in large part, why they’re always several steps ahead of those who try to defend against them.
Second, so many key elements of the internet are built on technologies and using code that is decades out of date, therefore easily exploited.
Hardly a day goes by that we don’t hear about some new critical vulnerability, and that’s due in large part to the fact that so much of the code we rely on is extremely old, legacy code that’s simply not up to today’s security standards.
Sadly, there’s no good way to fix that.