Various desktop and gateway antivirus products, as well as some IDS and IPS detection software, do not inspect Base64-encoded data within an HTML document. This could result in a file reaching an end user without being inspected for a malicious payload.
None of the products that could be affected by this issue check for encoded data that is embedded within an HTML document. The delivery of images or other data by this method, which is defined in RFC 2397, is a valid method of content delivery supported by many web browsers. Because the payload is encoded into the document, the page may be checked for malformed or malicious content and still be considered benign. This may allow an attacker to execute the malicious content within a browser or other application, such as a mail client, that utilizes affected rendering libraries.
The RFC allows for the encoded inclusion of small data files within an HTML document as if they had been externally referenced. This allows a document to be transferred with a single request and the embedded data to be rendered by the browser or transferred to a supporting application as if it were referenced externally. Because these items are encoded as Base64 values within the document, it may be very difficult for a border or gateway product to detect any malicious payload or prevent the delivery of banned content.
Depending on the implementation of RFC 2397, it may be possible for a malicious entity to embed script code, arbitrary parameters for embedded objects, HTML or other data objects with the data:type URL. This could result in rendered content bypassing virus scanners or other workstation content controls before the payload is executed. It could also result in cross-domain script execution depending on its implementation.
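
The inspection gap described above can be closed by decoding each RFC 2397 URL before matching. The following is an added example, not code from the advisory or from any affected product: `SIGNATURES` is a constructed stand-in for a real scanning engine, `SAMPLE` is a constructed document, and the function names are hypothetical.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(r"data:([^,\"'\s>]*),([^\"'\s>)]*)", re.IGNORECASE)

# Constructed stand-in for a scanner signature; a real engine would be called instead.
SIGNATURES = [b"CONSTRUCTED-TEST-SIGNATURE"]


def decode_data_uris(html):
    """Yield (mediatype, decoded_bytes or None) for each data: URL in html."""
    for header, payload in DATA_URI.findall(html):
        params = [p.strip().lower() for p in header.split(";")]
        mediatype = params[0] or "text/plain"  # RFC 2397 default media type
        raw = unquote_to_bytes(payload)  # undo %xx escapes first
        if "base64" in params[1:]:
            raw += b"=" * (-len(raw) % 4)  # tolerate stripped padding
            try:
                raw = base64.b64decode(raw, validate=True)
            except binascii.Error:
                raw = None  # undecodable: report it instead of passing it
        yield mediatype, raw


def scan_html(html):
    """Return findings from the raw document and from every decoded payload."""
    findings = []
    if any(sig in html.encode() for sig in SIGNATURES):
        findings.append(("document", "signature"))
    for mediatype, raw in decode_data_uris(html):
        if raw is None:
            findings.append((mediatype, "undecodable"))
        elif any(sig in raw for sig in SIGNATURES):
            findings.append((mediatype, "signature"))
    return findings


# Constructed sample: the marker is only visible after Base64 decoding.
_b64 = base64.b64encode(b"GIF89a CONSTRUCTED-TEST-SIGNATURE").decode()
SAMPLE = '<html><body><img src="data:image/gif;base64,%s"></body></html>' % _b64

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

The regular expression assumes the URL sits unbroken inside an attribute value; a production filter would take attribute values from an HTML parser, since Base64 data may be wrapped across lines.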