Friday, September 11, 2009

A Picture is Worth a Thousand Lines of Malcode

Malicious image files are a growing problem on the Web. In August 2009, malformed images were involved in 15% of all ScanSafe Web malware blocks: 88% of those contained malicious iframes, and 7% of the total carried shell code used to change permissions, elevate privileges and gain backdoor access to the websites they were uploaded to. And a great many sites let users upload images with few controls in place to ensure those images can't be used for harm.

A couple of fallacious assumptions likely contribute heavily to the increases in malformed image files. The most concerning is the (mis)belief that images cannot harbor executable content, much less malicious executable content. The second is the (mis)belief that while past vulnerabilities have enabled images to contain executable code, once patched there is no longer a reason to be concerned about potentially malicious image files.

While it's true that several image-handling vulnerabilities have been exploited, the majority of malformed images exploit no vulnerability at all; they simply take advantage of 'features' of the operating system, the browser and the Web server. As a result, MIME types can be forged, PHP can be nestled in the text comment fields of otherwise legitimate GIF or JPG images, and a filename that slips past an extension blacklist can still be handed to the PHP interpreter by the Web server.

It appears that more and more attackers are taking advantage of these weaknesses; some are even replacing legitimate images on compromised sites with modified copies containing backdoor shell code in the event their original intrusion method is detected and closed.

If you own a website that's been compromised at any point in the past, it's probably a good idea to replace your site's image files with known good copies. And if you own a website that accepts user images, you might want to check out these tips from ScanIT for "Secure file upload in PHP web applications".
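The checks the paragraphs above call for (forged types, PHP tucked into comment fields, names that get past a blacklist, and images on a compromised site that need auditing before they are trusted), as an added example that is not ScanSafe's or ScanIT's code: a Python scanner that sniffs the real format from magic bytes rather than the claimed extension or MIME type, walks GIF and JPEG block structure to find PHP open tags in comment or application-extension blocks, flags bytes appended after the image trailer, and rejects names that carry a PHP-handled extension anywhere in the name. Only GIF and JPEG are handled; the sample images are hand-assembled 1x1 files, not real captures; and the double-extension check assumes a deployment (such as Apache mod_php with AddHandler) that would execute cat.php.gif, which is an assumption about the server, not something the post states.

```python
import re

# PHP runs whatever follows an open tag wherever it sits in a file, so the tag is
# searched for in every block the walkers below can locate.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Extensions a PHP-enabled server may hand to the interpreter. Assumption: some Apache
# mod_php setups (AddHandler) also execute cat.php.gif, so every dotted part is checked.
PHP_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
IMAGE_EXTS = {"gif": {"gif"}, "jpeg": {"jpg", "jpeg"}}


def sniff(data):
    """Identify the format from magic bytes; the name and client MIME type are ignored."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "jpeg" if data[:2] == b"\xff\xd8" else None


def _subblocks(data, pos):
    """Reassemble a GIF sub-block chain at pos; return (payload, offset past the terminator)."""
    out = bytearray()
    while data[pos]:
        out += data[pos + 1:pos + 1 + data[pos]]
        pos += 1 + data[pos]
    return bytes(out), pos + 1


def gif_blocks(data):
    """Yield (kind, payload) for each GIF block: comment, extension, image or trailer."""
    pos = 13 + (3 << ((data[10] & 7) + 1) if data[10] & 0x80 else 0)  # skip global colour table
    while pos < len(data):
        introducer = data[pos]
        if introducer == 0x3B:                   # trailer: bytes after it are not image data
            yield ("trailer", data[pos + 1:])
            return
        if introducer == 0x21:                   # extension: label byte, then sub-blocks
            label = data[pos + 1]
            payload, pos = _subblocks(data, pos + 2)
            yield ("comment" if label == 0xFE else "extension", payload)
        elif introducer == 0x2C:                 # image descriptor, optional local colour table
            pos += 10 + (3 << ((data[pos + 9] & 7) + 1) if data[pos + 9] & 0x80 else 0)
            payload, pos = _subblocks(data, pos + 1)   # +1 skips the LZW minimum code size
            yield ("image", payload)
        else:
            raise ValueError(f"unknown GIF block 0x{introducer:02x} at offset {pos}")


def jpeg_segments(data):
    """Yield (kind, payload) for each JPEG segment: comment (COM), extension (APPn), image or trailer."""
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a JPEG marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: bytes after it are not image data
            yield ("trailer", data[pos + 2:])
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # includes the two length bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:
            yield ("comment", payload)
        elif 0xE0 <= marker <= 0xEF:             # APPn: JFIF, EXIF, XMP, ICC profile ...
            yield ("extension", payload)
        pos += 2 + length
        if marker == 0xDA:                       # SOS: entropy-coded data runs up to EOI
            end = data.find(b"\xff\xd9", pos)
            yield ("image", data[pos:] if end < 0 else data[pos:end])
            if end < 0:
                return
            pos = end


def scan_image(data, filename):
    """Return a list of findings for an uploaded image; an empty list means nothing suspicious."""
    findings = []
    parts = filename.lower().split(".")
    if any(p in PHP_EXTS for p in parts[1:]):
        findings.append(f"filename {filename} carries a PHP-handled extension")
    fmt = sniff(data)
    if fmt is None:
        return findings + ["magic bytes match neither GIF nor JPEG"]
    if len(parts) < 2 or parts[-1] not in IMAGE_EXTS[fmt]:
        findings.append(f"filename {filename} disagrees with magic bytes ({fmt})")
    for kind, payload in (gif_blocks if fmt == "gif" else jpeg_segments)(data):
        if kind == "trailer" and payload:
            findings.append(f"{len(payload)} bytes appended after the {fmt} trailer")
        if PHP_TAG.search(payload):
            findings.append(f"PHP open tag inside {fmt} {kind} data")
    return findings


def _chain(payload, chunk=255):
    """Encode bytes as a GIF sub-block chain (length-prefixed pieces plus a 0 terminator)."""
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
    return b"".join(bytes([len(p)]) + p for p in pieces) + b"\x00"


# Constructed sample files (hand-assembled 1x1 images, not real captures).
_GIF_HEAD = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"   # 2-colour table
_GIF_IMAGE = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02" + _chain(b"\x44\x01")
CLEAN_GIF = _GIF_HEAD + _GIF_IMAGE + b"\x3b"
GIF_PHP_COMMENT = _GIF_HEAD + b"\x21\xfe" + _chain(b"<?php system($_GET['c']); ?>", 10) + _GIF_IMAGE + b"\x3b"
_JPEG_HEAD = b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN_JPEG = (_JPEG_HEAD + b"\xff\xfe\x00\x0ctest image"                 # benign COM segment
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9")
JPEG_APPENDED_PHP = CLEAN_JPEG + b"<?php eval($_POST['x']); ?>"

if __name__ == "__main__":
    for name, blob in [("avatar.gif", GIF_PHP_COMMENT), ("photo.jpg", JPEG_APPENDED_PHP), ("cat.php.gif", CLEAN_GIF)]:
        print(name, scan_image(blob, name) or "clean")
```

The walkers report the block kind rather than silently skipping pixel data because PHP's parser does not care where in the file the tag lives; a hit inside compressed image data is less likely to be deliberate but would execute just the same. A scanner like this is a detection aid for auditing an existing image tree; for an upload endpoint the stronger control is to re-encode every accepted image with an image library and store it under a server-generated name outside the document root, which discards comment blocks and trailing data rather than merely looking for them.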
