Severe IE 11 Bug Allows 'Persistent JavaScript' Attacks

An anonymous reader writes: New research published today shows how a malicious website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute any kind of persistent JavaScript code while the user is on other domains. In an interview, the researcher who found these flaws explains that this flaw is an attacker's dream, as it could be used for: ad fraud (by continuing to load ads even when the user is navigating other sites), zero-day attacks (by downloading exploit code even after the user has left the page), tech support scams (by showing errors and popups on legitimate and reputable sites), and malvertising (by redirecting users later on, from other sites, even if they leave the malicious site too quickly).

This severe flaw in the browser security model affects only Internet Explorer 11, which unfortunately is the second most used browser version, after Chrome 55, with a market share of over 10%. Even worse for IE11 users, there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports. For IE11 users, a demo page is available here.

Dump Microsoft

[Anonymous Coward]

You know it makes sense.
Mind you Google isn't that much better

Dump google
you know it makes sense.

Re:Dump Microsoft

[Anonymous Coward]

The S in Internet Explorer stands for security.

Re:

[cellocgw]

The S in Internet Explorer stands for security.

Shared to [$Social_Network_Site]

I wouldn't touch Google Chrome on Linux

[Viol8]

Chrome requires its sandbox process to run as root. Well not on my systems it isn't. Won't run? Tough , I'll just use one of the many alternatives then.

Apparently google thinks is code is 100% exploit and bug free and don't see an issue with having a user application requiring superuser priviledges. Utter morons. And anyone who says to me "but its not the browser, its the sandbox" obviously know the square root of fuck all about security so don't even bother me with your ignorant opinions.

Re:

[angel'o'sphere]

Chrome requires its sandbox process to run as root.
Chrome runs under the user id it was started from. No idea what you want to claim.

Oops, indeed :-(

[ArsenneLupin]

Linux setuid sandbox allows local privilege escalation [chromium.org]

Re:

[Ol Olsoc]

So the chrome_sandbox binary being owned by root and having the setuid bit set is an "extraordinary claim" is it snowflake? No, its a fact. I don't need to cite anything. 5 seconds with google will tell you everything you need to know and if you're too bone idle to bother then thats your problem, not mine.

You're not supposed to drink espresso like it was cappuccino. But if you want to make claims and then not support them at the same time as you call anyone who disagrees with you morons, well, I think you might be better suited for Youtube comments. Edumacate peeps.

Re:

[Viol8]

Thanks for proving my point in my original post about ignorant fools with no clue about security.

Newsflash: claims only need supporting if there's no way for 3rd parties to independently verify them. But here, especially for dumb special needs kids like you who can't use a search engine:

http://lmgtfy.com/?q=chrome_sa... [lmgtfy.com]

Re:

[Ol Olsoc]

Thanks for proving my point in my original post about ignorant fools with no clue about security.

Oh do go on. I feed on your ranting.

Newsflash: claims only need supporting if there's no way for 3rd parties to independently verify them. But here, especially for dumb special needs kids like you who can't use a search engine:

http://lmgtfy.com/?q=chrome_sa... [lmgtfy.com]

Okay, it has been proven conclusively. You, our good Viol8, could have chosen to be anything you want, and for some reason you chose to be an asshole.

Because in the end, it doesn't matter whether you are right or wrong.

But please, do rant on. It's most entertaining, and might even do you some good to release all that pent up anger. Thanks for the Lulz.

Re:

[KingMotley]

To avoid the security issue of chrome on linux, I suggest you switch to internet explorer. I haven't heard of any exploits of internet explorer on linux yet.

Re:I wouldn't touch Google Chrome on Linux

[ArsenneLupin]

Chrome runs under the user id it was started from.

... and then proceeds by invoking a set-uid binary (that it conveniently set up at installation time) to become root:

# ls -ld /usr/lib/chromium/chrome-sandbox
-rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

Re:

[Viol8]

Quite. The fact that there are so many idiots on here who not only didn't know this but didn't know how to find out is quite staggering. Ubuntu has a lot to answer for IMO.

Re:

[ArsenneLupin]

$ ls -ld /bin/ping
-rwsr-xr-x 1 root root 60288 Jun 15 2016 /bin/ping

Not on my Debian:

> ls -ld /bin/ping
-rwxr-xr-x 1 root root 44104 Nov 8 2014 /bin/ping

You're talking about using software that has access to your keystrokes, mouse movements and clicks,

Only its own (although I wouldn't trust most distros' X setups to appropriately protect applications from each other in that regard, but that's another peeve...).

the plaintext of your TLS sessions.

Again, only their own. As long as I use Firefox for the serious stuff, and chromium only for browsing Javascript infested thrashcan sites my TLS sessions (from Firefox) would still be safe. But with this bug... not so sure.

It also controls the layout and placement of the content that it's presented. The majority of PC-using Americans do pretty much everything in their web browsers.

This is not about the computers o

Re:

[Anonymous Coward]

> Not on my Debian:

I thought you were using Ubuntu a minute ago. What happened?

To you and the equally clueless AC:

> Rechklessly (sic) allowing third parties (shady sites packed full of Javascripts) to leverage that hole to get admin on victim's computer.

and:

> WHEN someone else takes advantage of a Chrome zero day, they'll get root permission instead of limited to user permissions.

$ chromium-browser &> /dev/null &
[1] 7723
$ google-chrome &> /dev/null &
[2] 8007
$ pgrep sandbox | w

Re:

[ArsenneLupin]

Ubuntu has a lot to answer for IMO.

Actually, this is a Debian system where I saw this... And one Anonymous Coward [slashdot.org] claims that on his Ubuntu 16.10 system, Chromium doesn't have the bug. So let's be careful who deserves the blame here... my hunch is that it's google itself, rather than the distro.

Re:

[chipschap]

Son of the gun. Verified on my system (under /opt/google/chrome).

Didn't know that. Kind of glad I switched to Vivaldi for most things.

Glad you pointed this out.

Re:

[NetCow]

Yeah, about that... You might want to take a look at /opt/vivaldi/vivaldi-sandbox, then.

Re:

[chipschap]

Yes, just discovered that too (about Vivaldi).... not pleasant at all.

What's left? Firefox? Save me from that... maybe Pale Moon is worth another look.

Re:

[donaldm]

Chrome runs under the user id it was started from.

... and then proceeds by invoking a set-uid binary (that it conveniently set up at installation time) to become root:

# ls -ld /usr/lib/chromium/chrome-sandbox -rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

On my machine (Fedora 25):
> ls -ld /usr/lib/chromium/chrome-sandbox
ls: cannot access '/usr/lib/chromium/chrome-sandbox': No such file or directory

I do run Chrome, Firefox, Konqueror and QupZilla. I can run any browser I want except IE unless I am stupid enough to run a virtual machine with Microsoft Windows although to be fair Windows 10 does not run IE but it only pays attention to the "hosts" file when it suits itself to do so.

Re:

[ArsenneLupin]

On my machine (Fedora 25):
> ls -ld /usr/lib/chromium/chrome-sandbox
ls: cannot access '/usr/lib/chromium/chrome-sandbox': No such file or directory

Careful there, the offending binary might just be called something else (chrome instead of chromium, in /usr/local/lib instead of /usr/lib), etc.

Just try locate sandbox, or rpm -q -l chromium | xargs ls -ld | egrep '^-..s' to be sure...

Re:

[angel'o'sphere]

I guess that is more a problem of the installation process than any 'necessity' ... if you know that, why don't you remove the s bit?

And how can it be that the user and groop is root anyway? I guess you installed Chrome as root, so the mistake is just yours.

Re:

[ArsenneLupin]

I guess that is more a problem of the installation process than any 'necessity' ... if you know that, why don't you remove the s bit?

Have you stopped beating your wife? :-)

Well, as stated in my other message, if I remove the s bit Chromium will refuse to start.

And how can it be that the user and groop is root anyway?

Most software belongs to root... (have you actually ever looked at any software on your own system, or are you just trolling?)

I guess you installed Chrome as root

In this case, I trusted my distribution, and installed the .deb from repository.

so the mistake is just yours.

If I had installed it manually in my own directory, chances are, it would refuse to run (... as it would not be setuid root)

Re:

[angel'o'sphere]

The software belongs to the one who is installing it.
And that is in 99& of the cases: not 'root'.

There is a reason why you have /usr/bin ...

And we where talking about Chrome, not Chromium, or do I miss anything?
Anyway: I'm on a mac and don't "install" software. I drag&drop it from the installation medium to my Applications folder: hence it has no S bit, is running with my rights and not with anyone else rights.

Sorry, if that applications needs s-bit as root to run: delete it.

Re:

[ArsenneLupin]

And we where talking about Chrome, not Chromium, or do I miss anything?

In my case it's Chromium (hence nicely packaged as a .deb), but the original poster observed the same thing about Chrome. That it also happens with Chromium on some distributions is worrisome: Chromium is supposed to be repackaged, so that the distributor can remove such shenanigans. Ubuntu managed to do that (in 16.10). Debian, unfortunately, didn't.

Sorry, if that applications needs s-bit as root to run: delete it.

Which is what ended up doing...

And I would have done it much earlier had I known (suspected) this. And in order give other people, who might still be as unsus

Re:

[angel'o'sphere]

Perhaps time to put every application into its own VM, sigh.

Re:

[tender-matser]

If I had installed it manually in my own directory, chances are, it would refuse to run (... as it would not be setuid root)

It will probably work if started with the "--no-sandbox" option (that's what I use with a "bleeding edge" chrome I've downloaded and installed as a regular user)

I usually run browsers as a separate user that is allowed onto the X11 server via xauth (this is more out of ritual cleanliness than security -- browsers leave around much dotfile spam and they also love to start a lot of dubio

Re:

[MightyMartian]

What the fuck are you talking about? Nothing in Chrome requires a root user.

Re:

[Viol8]

With morons like you people using linux now its no surprising exploits are increasing. Check the chrome_sandbox binary owner and setuid bit (know what that is? No? Look it up) then buy yourself a ticket on the cluetrain you clueless gimp.

Re:

[Ol Olsoc]

With morons like you people using linux now its no surprising exploits are increasing. Check the chrome_sandbox binary owner and setuid bit (know what that is? No? Look it up) then buy yourself a ticket on the cluetrain you clueless gimp.

Y so SRS?

Re:I wouldn't touch Google Chrome on Linux

[ArsenneLupin]

Nothing in Chrome requires a root user.

Unfortunately, it does, I didn't believe it myself at first...:
# ls -l /usr/lib/chromium/chrome-sandbox
-rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

Removing that s bit causes chromium to refuse to run:
> chromium
[28193:28193:0225/213608.315538:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/chromium/chrome-sandbox is owned by root and has mode 4755.
#0 0x564a04ba083e <unknown>
#1 0x564a04bb4f7b <unknown>
#2 0x564a05a0f4cf <unknown>
#3 0x564a043f3def <unknown>
#4 0x564a043f325e <unknown>
#5 0x564a043f384e <unknown>
#6 0x564a0408872c <unknown>
#7 0x564a0409036d <unknown>
#8 0x564a04087dcc <unknown>
#9 0x564a0480764b <unknown>
#10 0x564a04805fa0 <unknown>
#11 0x564a033de1bc ChromeMain
#12 0x7ff5074f5b45 __libc_start_main
#13 0x564a033de069

zsh: abort chromium

Re:

[Anonymous Coward]

> Removing that s bit causes chromium to refuse to run:

ENOREPRO

ls -ld /usr/lib/chromium-browser/chromium-browser
-rwxr-xr-x 1 root root 46008184 Dec 17 09:05 /usr/lib/chromium-browser/chromium-browser
$ ls -ld /usr/lib/chromium-browser/chrome-sandbox
-r-xr-xr-x 1 root root 14296 Dec 17 09:05 /usr/lib/chromium-browser/chrome-sandbox
$ lsb_release -irc
Distributor ID: Ubuntu
Release: 16.10
Codename: yakkety
$ apt search chromium-browser
Sorting... Done
Full Text Search... Done
chromium-browser/yakkety-security,yakke

Re:

[lgw]

It silently self-escalates when it runs. Did you think Chrome wasn't a root kit? It's a browser built by an advertising company, why would you expect it to behave differently than weatherbug?

Re: Dump Microsoft

[dougdonovan]

dont dump microsoft, they're job security.

Stop reporting bugs?

[guardiangod]

there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports.

I don't see the author saying this anywhere in Caballero's article. Maybe the reporter at the news site (and the submitter) should have read the article first.

For what it is worth, Caballero is a respected browser security researcher. I don't think he would do something like this.

Re:

[guardiangod]

So I re-read the article, and here is the part he journalist was referring to-

In my opinion, some people at Microsoft do not care and they just do what they want, so phrases like âoeresponsible disclosureâ will ring in my mind when the âoeresponsible patchingâ ring in their minds. To be clear: I will keep sharing my findings for as long as MSRC keeps acting like an unreachable rock star.

Okay maybe the journalist meant that the researcher won't wait 60/120 days disclosure, which is still a far cry from not reporting bugs at all.

Test result

[140Mandak262Jamuna]

Browser tested: Chrome.

1. Regular alert: Alert came up, second time. check marked it. Disappeared for ever.

2, 3, 4: htmlFile alert, all at once, in a zombie script: No effect, no popup, nothing.

Browser being tested: IE 11

no carrier

Re:

[mrbester]

IE for Mac knew what an ActiveXObject was. It then proceeded to crash spectacularly if you tried to instantiate one. The awesome was strong in the wastes of space that comprised the team that created that abortion.

Fairly sure this can be done other ways...

[Mitsoid]

Fairly sure this can be done other ways... Allakhazam (which has game info for many popular MMO's) auto-loads advertisements every few minutes, regardless of the users browser state.

My wife frequently walks away for 20+ minutes, only to have her computer randomly start playing an advertisement.. I suppose it isn't a "pop up", but clearly "auto refreshing for advertisement fraud" is possible and in use... And Allakhazam's method works on Firefox and Chrome from our experiences

Re:

[Mitsoid]

Fairly sure this can be done other ways... Allakhazam (which has game info for many popular MMO's) auto-loads advertisements every few minutes, regardless of the users browser state.

My wife frequently walks away for 20+ minutes, only to have her computer randomly start playing an advertisement.. I suppose it isn't a "pop up", but clearly "auto refreshing for advertisement fraud" is possible and in use... And Allakhazam's method works on Firefox and Chrome from our experiences

To clarify, Browser state being "on and at their website", but otherwise irrespective (minimized, not in focus, not interacted with for many minutes, etc.)

Re:

[lgw]

It's normal to have javascript running in the background when you're at a site. How else do you think Google knows how long you spent looking at any page on the Web or where your mouse pointer was millisecond-by-millisecond. This attack is special because it keeps happening after you navigate away from the site.

Just IE

[Locke2005]

Doesn't Chrome have the same problem? I've had to go into Task Manager and kill Chrome after getting the "You have a virus! Pay us money!" popup. (Have they fixed that in Chrome already?) My ex was stupid enough to actually call the phone number they put up on the screen, after which some Indian guy asked her for money.

Re:

[networkzombie]

I saw this last week so I doubt they have fixed it. It took over the screen and the only thing I could do was kill chrome via ctrl+alt+del. No defense. I had to tell the user to never go to that site (or their history), or use a browser with noscript, like SeaMonkey or Firefox. SeaMonkey with noscript and adblock has saved me a few headaches for users with chrome bloat issues due to too many tabs.

Re:

[slashrio]

The correct description would be "A person from India".

Re:

[tepples]

My ex was stupid enough to actually call the phone number they put up on the screen, after which some Indian guy asked her for money.

And there are people on YouTube who mess with those scammers in India and screencap it: Lewis's Tech, Thunder Tech, Each&Everything, etc.

Will it die after killing the browser?

[140Mandak262Jamuna]

I hope the zombie script will die if the browser is killed? Or have clever people at Microsoft have implemented auto checkpoint and auto restore to make it even more persistent?

this is why you disable javascript by default.

[Anonymous Coward]

Yes... other languages "could" have the same problem, and it's not the language per se that's the issue, but javscript is in the position where it's loaded from random malicious or semimalicious web sites and executed in your browser.

If you let that happen by default, after an endless fucking series of javascript based exploits and vulnerabilities and nagware and data-harvesting over the years.. at this point I no longer feel sorry for you. You're letting random strangers who do not mean you well control t

This is not really javascript's fault

[SuperKendall]

If this issue were a problem in Javascript it (or some variant) would work in a lot more browsers than just IE11.

But it's not. The bug here boils down to Microsoft adding an ActiveX call into Javascript, then that call activating some native HTML ActiveX component and using it in a super bad way.

That's not Javascript's fault, that's on Microsoft for punching such a large hole in the sandbox.

Re:

[jbmartin6]

I've felt this way since the early days of getting caught in an endless 'on exit' loop. Oh wait, that's not the early days, that's TODAY, even in Chrome. Why is this even possible in the first place?

What should convince a user to enable JS?

[tepples]

Running with javascript default-enabled is like letting any stranger in the world use your house for any purpose they want.

If most people change the default to no JS, what steps should a developer of a web application take to convince prospective users that the web application is legitimate? Or should all applications instead be native and therefore specific to a single operating system?

Re:

[michael_wojcik]

If most people change the default to no JS, what steps should a developer of a web application take to convince prospective users that the web application is legitimate?

A good start is designing them so they degrade gracefully and remain usable when scripting is disabled.

Re:

[tepples]

How would, say, a web-based image editing application "degrade gracefully and remain usable when scripting is disabled"? The only way I can see to make it remotely usable without script is to make the image that the user is editing into a server-side image map, with a full page reload for each click, and requiring the user to click multiple times along a curve to draw it instead of being able to drag. How is that "gracefully"?

Likewise for a web-based front end to a chat room. The user would have to keep cli

Re:

[michael_wojcik]

How would, say, a web-based image editing application "degrade gracefully and remain usable when scripting is disabled"?

Gosh, thinking is hard, isn't it?

For a start, it could display the image with text indicating why other functionality requires scripting. It could give the user the option to download the image (yes, present in the browser already; doesn't mean you can't improve the UX with an explicit link, which of course only requires HTML), edit it offline in the tool of their choice, and upload it again (which only requires an HTML form).

In any case, the existence of a small subset of "web applications" that require sc

Re:

[Billly Gates]

Unfortunately, IE is far from dead and is mandated by many corporate users and is used by Grandma.

MS needs to secure it as long as it's part of 8/10. Yes IE 11 is part of 10 in addition to edge if you look for it. Corporations use a GPO to put IE 11 over edge at work

I see the problem

[ssufficool]

"new ActiveXObject('Microsoft.Ancient.Bad.Idea')" I think I've seen this exploit before. SMH. It's time to kill ActiveX in the browser already.

Turn off Java. Don't open docx docs

[Joe Branya]

If any outsider can install and run a program on your computer it is no longer your computer. Javascript is such a program. So is the permission to open a Microsoft docx document. In a corporate environment there is usually a guard dog to protect you. In a home Windows, Apple or Unix-based system you are on your own. If you leave the keys to your car in the ignition don't be surprised if someone takes it for a ride.

Make your own decision.

Turn off Java, JS, Flash, and SL. Don't open docx

[tepples]

Java and Javascript are not the same thing.

I think Joe Branya would recommend turning them both off, as well as Flash and Silverlight.

Go use Edge/Windows 10

[Billly Gates]

That way we can track you with an advertiser ID in a feeble way to sell apps on the appstore and actual think this will get people to buy Windows Phone?

Why fix it? This is great scareware to get PHB IT managers to upgrade and leave perfectly working 7 behind.

Would they even fix it?

[SeaFox]

Internet Explorer 11 requires Windows 7 SP1 for higher. Microsoft would be quick to point out that that have offered free upgrades to Windows 10, featuring their new, more secure Edge browser, for over a year now.

Re:

[jaa101]

Is there a Microsoft-approved way of removing IE 11 from Win 10?

noscript

[0111 1110]

This is why everyone should be running Noscript. Javascript is a major security risk and should only be run on sites you completely trust 100%. Even then it is the most likely vector for viruses and malware.

the researcher has decided to stop reporting

[tomxor]

the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports

Yeah, I can empathise... MS have some really shitty strategies for dealing with bug reports, although I don't post security bugs my experience is:

1. 1. Copy paste replies
2. 2. usually marked as "wont fix" cos "only affects some users", (even though it affects everyone)
3. 3. Contrive ways to not reproduce it and close it because "does not work on some specific build on a specific combination of hardware and OS"

I know that closed source has less resources but a) don't be fucking closed source then and b) don't use u