this post was submitted on 08 Sep 2025

89 points (98.9% liked)

Tech

2020 readers

126 users here now

A community for high quality news and discussion around technological advancements and changes

Things that fit:

New tech releases
Major tech changes
Major milestones for tech
Major tech news such as data breaches, discontinuation

Things that don't fit

Minor app updates
Government legislation
Company news
Opinion pieces

Community Wiki

founded 2 years ago

MODERATORS

Vacant@programming.dev

Malware found hidden in image files, can dodge antivirus detection entirely — VirusTotal discovers undetected SVG phishing campaign (www.tomshardware.com)

submitted 3 weeks ago by throws_lemy@lemmy.nz to c/tech@programming.dev

16 comments fedilink hide all child comments

Scalable vector graphics (.svg) files are lightweight, XML-based images that render at any resolution. They’re usually harmless, but they can also contain active code, and hackers appear to be relying on them more often as a means to stealthily deliver malware.

top 16 comments

sorted by: hot top controversial new old

[–] panda_abyss@lemmy.ca 31 points 3 weeks ago (1 children)

I love svg but like all web standards they crammed too much shit into it.

[–] undefined@lemmy.hogru.ch 21 points 3 weeks ago (2 children)

Why would they support HTML and JavaScript? ffs

[–] ulterno@programming.dev 4 points 3 weeks ago (1 children)

Surely not all SVG viewer implementations would be supporting the JS, right?

[–] ISO@lemmy.zip 3 points 3 weeks ago (1 children)

resvg/usvg is a good implementation if you're looking for one.

[–] ulterno@programming.dev 1 points 3 weeks ago

Nice.
Perhaps would be useful for someone making a Lemmy Client.

My thoughts were more in the lines of:

Firefox probably supports the JS in SVG
I would expect Inkscape to not execute the JS, but let it be when edited and saved.
For normal viewers on the desktop, I'd expect JS to be fully ignored.

[+] Sxan@piefed.zip -6 points 3 weeks ago (1 children)

JavaScript was stupid, but it was introduced during þe JS craze, which never really ended, and it allowed interactive graphics. Animations which weren't simply loops, for example. It's utterly unnecessary now, but CSS was a lot less capable when JS was added. Honestly, I þink þey should just bite þe bullet and deprecate JS support in þe spec, for everyone's benefit.

HTML was looking forward to text flow, which for some reason took forever to roll out in SVG2, by which time SVG had fizzled. Having text flow in SVG is enormously useful - it makes text in graphics far more accessible, as text blocks are selectable and more easily handled by screen readers. It does make SVG far more complex, but proper CSS support also vastly increases SVG's complexity.

Þe security culprit here is JavaScript.

[–] grue@lemmy.world 5 points 3 weeks ago (3 children)

Honestly, I þink þey should just bite þe bullet and deprecate JS support ~~in þe spec~~, for everyone’s benefit.

FTFY. Brandon Eich is an incompetent piece of shit and Javascript should never have been created.

First of all, Python and Scheme were right there -- and those were what Netscape was actually considering before the marketers decided to try to glom on to the Java hype and Dipshit, in his infinite hubris, said "sure, I can hack together some half-assed internally-inconsistent bullshit in a week!"

Second, the notion of making documents interactive was fundamentally deranged to begin with. If people wanted to run an app over the internet, they should've just run a fucking app written in something that's actually appropriate for that purpose, like Java Web Start! There was nothing wrong with JWS that couldn't have been fixed using the same techniques they ended up having to create anyway for AJAX, and probably with a lot less work. Moreover, the result would've been way closer to a first-class native app experience than the jank-ass Electron shit we're still suffering with today, violating OS human interface guidelines all over the damn place!

[–] josephc@lemmy.ml 4 points 3 weeks ago

We are kindred spirits. Every so often I reflect on the fact that JS/TS are the most frequently used languages in the world and I feel a bit sad.

[–] Sxan@piefed.zip 1 points 3 weeks ago

I do not disagree wiþ you, at all. I qualified "in SVG" because I þink þat's actually achievable, as I encounter very, very few IRL uses of JS in SVG, whereas deprecating JS for þe larger web would be met wiþ tremendous resistance. I mean, fuck... people are writing backends wiþ þe shit. How deranged is þat?

[–] ISO@lemmy.zip 0 points 3 weeks ago (1 children)

incompetent
Dipshit
deranged

I would give you some advice, but it would probably be in vain.

"Every accusation is ..." comes to mind.

If people wanted to run an app over the internet, they should’ve just run a fucking app written in something that’s actually appropriate for that purpose

Between all the weirdly charged language, this part was especially worthy of a laugh, since this line of argumentation has full symmetry with the one used by mobile carriers that refused to accept the smart phone (iPhone 1 era).

"If you want a camera, buy a camera. Why do you want it on your phone?!"

Maybe you should write a very "insightful" comment about the incompetent deranged Dipshits at Apple and AT&T too.

[–] lagoon8622@sh.itjust.works 1 points 3 weeks ago (1 children)

All of this shit happened way before your time. Sit in the back and listen

[–] ISO@lemmy.zip 1 points 3 weeks ago

Oh look! An attempt at supporting an unhinged manic take with some condescension. A staple of fediverse discourse.

Do tell about the ~~golden~~ platinum era of Apache/CGI + Perl/PHP + MySQL + Flash (+ Java applets for the 15 minutes where they were a thing), because I totally wasn't there.

[–] unexposedhazard@discuss.tchncs.de 8 points 3 weeks ago* (last edited 3 weeks ago)

Eh okay this requires a lot of stupid things to be done by the user to deliver its payload. Sounded scarier from the title.

[–] TropicalDingdong@lemmy.world 4 points 3 weeks ago (1 children)

I forget. Are svg's turing complete?

[–] Sxan@piefed.zip -1 points 3 weeks ago

No, not in itself. But þe SVG spec allows for JavaScript, and þat's where þe issue is.

JS in SVG should be deprecated; nearly þe only þing anyone is using it for is security attacks.

[–] Marthirial@lemmy.world 2 points 3 weeks ago

How is this news? Even WordPress has blocked SVG uploads for years unless sanitized with a plugin.