SVG: The New Scourge

SVG (Scalable Vector Graphics) logo

SVG (Scalable Vector Graphics) is an XML-based image format. Instead of storing a grid of pixels, it describes an image as geometric primitives (paths, lines, curves, shapes and text placed by coordinates) that can be layered, combined and filtered; the viewer's browser or application renders the final picture at display time. Because the description is geometric rather than pixel-based, the image can be zoomed to any level without the blurring that raster formats such as JPEG, PNG and GIF show when scaled up.

I once supported and advocated the use of SVG back in the day when it was the only way to render a vector image on the web. However, it has since been host to numerous vulnerabilities and attacks over the years, to the point where I can no longer recommend it. CSS now includes many of the filters and some of the shapes that vector graphics can produce, and the <canvas> tag does about 90% or more of what SVG can, without all the vulnerabilities.

Bleeping Computer is now reporting that malware campaigns are increasingly using SVG files, because scripts embedded in them can slip past many malware and virus detectors and lure users into downloading more nefarious payloads (such as executable/EXE files that run or install unwanted software):

SVG: it can be slow and buggy in some web browsers, has been surpassed and duplicated in features by other formats and browser features, allows the embedding of potentially dangerous scripts, and has had numerous security vulnerabilities over the years; it should never be an allowable upload format. The majority of examples look like something out of the early-1990s Internet, and the interactive examples could easily be replicated with pure HTML/CSS, a <canvas> tag, or a font. It may be time to retire this aging (yes, I realize there is a slow-moving version 2 draft) and rarely used (barely over 3% as of Q1 2017) format and let more secure and readily available features take its place.
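If a site does accept SVG uploads despite the above, it needs a server-side check that refuses any file carrying the script-capable constructs the Bleeping Computer report and the list above refer to. The following is an illustration added to this post, not code from Bleeping Computer or from any library: it parses the upload with Python's standard library and reports every construct that can execute script or pull in outside content. The element and attribute names it checks are the standard SVG/SMIL ones; the size limit, the helper names and the sample documents are assumptions constructed for the example.

```python
# Added example: server-side screening of an uploaded SVG for script-capable
# content. Written for this post; not code from Bleeping Computer or any
# library. The size limit and the sample documents below are assumptions.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 512 * 1024  # assumed upload limit

# Elements that run script or embed arbitrary HTML inside an SVG.
SCRIPT_ELEMENTS = {"script", "foreignObject"}
# SMIL elements that can rewrite an attribute such as href at runtime.
SMIL_ELEMENTS = {"set", "animate"}
# URL schemes that execute code or smuggle a nested document via href.
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)
# CSS that fetches or executes: url(), legacy expression(), @import.
DANGEROUS_CSS = re.compile(r"url\s*\(|expression\s*\(|@import", re.I)


def _local(qname: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}href' -> 'href'."""
    return qname.rsplit("}", 1)[-1]


def svg_script_findings(data: bytes) -> list:
    """Return findings for one SVG document; an empty list means clean."""
    if len(data) > MAX_BYTES:
        return ["file exceeds size limit"]
    # Entity declarations enable XXE and billion-laughs; images never need them.
    head = data[:4096].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        return ["DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is {root.tag!r}, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in SCRIPT_ELEMENTS:
            findings.append(f"<{name}> element")
        if name in SMIL_ELEMENTS and el.get("attributeName", "").endswith("href"):
            findings.append(f"<{name}> rewriting href at runtime")
        if name == "style" and el.text and DANGEROUS_CSS.search(el.text):
            findings.append("<style> block with url()/expression()/@import")
        for attr, value in el.attrib.items():
            a = _local(attr)  # covers both href and xlink:href
            if a.lower().startswith("on"):
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href" and DANGEROUS_SCHEME.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                findings.append(f"{scheme}: URL in href on <{name}>")
            elif a == "style" and DANGEROUS_CSS.search(value):
                findings.append(f"style attribute with url()/expression()/@import on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True only when no script-capable construct was found."""
    return not svg_script_findings(data)


# Constructed sample documents (not real malware samples).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="orange"/></svg>')
HOSTILE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
               b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
               b'<script>alert(document.domain)</script>'
               b'<a xlink:href="javascript:alert(1)"><text y="10">click</text></a>'
               b'</svg>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("hostile", HOSTILE_SVG)):
        print(label, "->", svg_script_findings(doc) or "clean")
```

Opened directly in a browser, an SVG with any of these constructs runs its script with the origin of the site that served it; referenced through an <img> tag or a CSS background, browsers do not execute the embedded script. A blocklist like this is therefore a last line of defence, not a substitute for serving user uploads from a separate origin, rasterising them on the server, or refusing the format altogether as the post recommends.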
