
Severe IE 11 Bug Allows 'Persistent JavaScript' Attacks (bleepingcomputer.com) 92

An anonymous reader writes: New research published today shows how a malicious website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute any kind of persistent JavaScript code while the user is on other domains. In an interview, the researcher who found these flaws explains that this flaw is an attacker's dream, as it could be used for: ad fraud (by continuing to load ads even when the user is navigating other sites), zero-day attacks (by downloading exploit code even after the user has left the page), tech support scams (by showing errors and popups on legitimate and reputable sites), and malvertising (by redirecting users later on, from other sites, even if they leave the malicious site too quickly).

This severe flaw in the browser security model affects only Internet Explorer 11, which unfortunately is the second most used browser version, after Chrome 55, with a market share of over 10%. Even worse for IE11 users, there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports. For IE11 users, a demo page is available here.

  • by Anonymous Coward

    You know it makes sense.
    Mind you Google isn't that much better

    Dump google
    you know it makes sense.

    • by Anonymous Coward on Saturday February 25, 2017 @01:48PM (#53929575)
      The S in Internet Explorer stands for security.
    • Chrome requires its sandbox process to run as root. Well not on my systems it isn't. Won't run? Tough , I'll just use one of the many alternatives then.

      Apparently google thinks its code is 100% exploit and bug free and doesn't see an issue with having a user application requiring superuser privileges. Utter morons. And anyone who says to me "but it's not the browser, it's the sandbox" obviously knows the square root of fuck all about security so don't even bother me with your ignorant opinions.

      • Re: (Score:2, Informative)

        Chrome requires its sandbox process to run as root.
        Chrome runs under the user id it was started from. No idea what you want to claim.

        • by ArsenneLupin ( 766289 ) on Saturday February 25, 2017 @03:33PM (#53929963)

          Chrome runs under the user id it was started from.

          ... and then proceeds by invoking a set-uid binary (that it conveniently set up at installation time) to become root:

          # ls -ld /usr/lib/chromium/chrome-sandbox
          -rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

          • by Viol8 ( 599362 )

            Quite. The fact that there are so many idiots on here who not only didn't know this but didn't know how to find out is quite staggering. Ubuntu has a lot to answer for IMO.

            • Ubuntu has a lot to answer for IMO.

              Actually, this is a Debian system where I saw this... And one Anonymous Coward [slashdot.org] claims that on his Ubuntu 16.10 system, Chromium doesn't have the bug. So let's be careful who deserves the blame here... my hunch is that it's google itself, rather than the distro.

          • Son of the gun. Verified on my system (under /opt/google/chrome).

            Didn't know that. Kind of glad I switched to Vivaldi for most things.

            Glad you pointed this out.

            • by NetCow ( 117556 )
              Yeah, about that... You might want to take a look at /opt/vivaldi/vivaldi-sandbox, then.
              • Yes, just discovered that too (about Vivaldi).... not pleasant at all.

                What's left? Firefox? Save me from that... maybe Pale Moon is worth another look.

          • by donaldm ( 919619 )

            Chrome runs under the user id it was started from.

            ... and then proceeds by invoking a set-uid binary (that it conveniently set up at installation time) to become root:

            # ls -ld /usr/lib/chromium/chrome-sandbox
            -rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

            On my machine (Fedora 25):
            > ls -ld /usr/lib/chromium/chrome-sandbox
            ls: cannot access '/usr/lib/chromium/chrome-sandbox': No such file or directory

            I do run Chrome, Firefox, Konqueror and QupZilla. I can run any browser I want except IE unless I am stupid enough to run a virtual machine with Microsoft Windows although to be fair Windows 10 does not run IE but it only pays attention to the "hosts" file when it suits itself to do so.

            • On my machine (Fedora 25):
              > ls -ld /usr/lib/chromium/chrome-sandbox
              ls: cannot access '/usr/lib/chromium/chrome-sandbox': No such file or directory

              Careful there, the offending binary might just be called something else (chrome instead of chromium, in /usr/local/lib instead of /usr/lib), etc.

              Just try locate sandbox, or rpm -q -l chromium | xargs ls -ld | egrep '^-..s' to be sure...

          • I guess that is more a problem of the installation process than any 'necessity' ... if you know that, why don't you remove the s bit?

            And how can it be that the user and group is root anyway? I guess you installed Chrome as root, so the mistake is just yours.

            • I guess that is more a problem of the installation process than any 'necessity' ... if you know that, why don't you remove the s bit?

              Have you stopped beating your wife? :-)

              Well, as stated in my other message, if I remove the s bit Chromium will refuse to start.

              And how can it be that the user and group is root anyway?

              Most software belongs to root... (have you actually ever looked at any software on your own system, or are you just trolling?)

              I guess you installed Chrome as root

              In this case, I trusted my distribution, and installed the .deb from repository.

              so the mistake is just yours.

              If I had installed it manually in my own directory, chances are, it would refuse to run (... as it would not be setuid root)

              • The software belongs to the one who is installing it.
                And that is in 99% of the cases: not 'root'.

                There is a reason why you have /usr/bin ...

                And we were talking about Chrome, not Chromium, or do I miss anything?
                Anyway: I'm on a mac and don't "install" software. I drag&drop it from the installation medium to my Applications folder: hence it has no S bit, is running with my rights and not with anyone else's rights.

                Sorry, if that applications needs s-bit as root to run: delete it.

                • And we were talking about Chrome, not Chromium, or do I miss anything?

                  In my case it's Chromium (hence nicely packaged as a .deb), but the original poster observed the same thing about Chrome. That it also happens with Chromium on some distributions is worrisome: Chromium is supposed to be repackaged, so that the distributor can remove such shenanigans. Ubuntu managed to do that (in 16.10). Debian, unfortunately, didn't.

                  Sorry, if that applications needs s-bit as root to run: delete it.

                  Which is what ended up doing...

                  And I would have done it much earlier had I known (suspected) this. And in order give other people, who might still be as unsus

              • If I had installed it manually in my own directory, chances are, it would refuse to run (... as it would not be setuid root)

                It will probably work if started with the "--no-sandbox" option (that's what I use with a "bleeding edge" chrome I've downloaded and installed as a regular user)

                I usually run browsers as a separate user that is allowed onto the X11 server via xauth (this is more out of ritual cleanliness than security -- browsers leave around much dotfile spam and they also love to start a lot of dubio

      • What the fuck are you talking about? Nothing in Chrome requires a root user.

        • by Viol8 ( 599362 )

          With morons like you people using linux now it's not surprising exploits are increasing. Check the chrome_sandbox binary owner and setuid bit (know what that is? No? Look it up) then buy yourself a ticket on the cluetrain you clueless gimp.

          • With morons like you people using linux now it's not surprising exploits are increasing. Check the chrome_sandbox binary owner and setuid bit (know what that is? No? Look it up) then buy yourself a ticket on the cluetrain you clueless gimp.

            Y so SRS?

        • by ArsenneLupin ( 766289 ) on Saturday February 25, 2017 @03:38PM (#53929999)

          Nothing in Chrome requires a root user.

          Unfortunately, it does, I didn't believe it myself at first...:
          # ls -l /usr/lib/chromium/chrome-sandbox
          -rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

          Removing that s bit causes chromium to refuse to run:
          > chromium
          [28193:28193:0225/213608.315538:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/chromium/chrome-sandbox is owned by root and has mode 4755.
          #0 0x564a04ba083e <unknown>
          #1 0x564a04bb4f7b <unknown>
          #2 0x564a05a0f4cf <unknown>
          #3 0x564a043f3def <unknown>
          #4 0x564a043f325e <unknown>
          #5 0x564a043f384e <unknown>
          #6 0x564a0408872c <unknown>
          #7 0x564a0409036d <unknown>
          #8 0x564a04087dcc <unknown>
          #9 0x564a0480764b <unknown>
          #10 0x564a04805fa0 <unknown>
          #11 0x564a033de1bc ChromeMain
          #12 0x7ff5074f5b45 __libc_start_main
          #13 0x564a033de069

          zsh: abort chromium
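The two comments above suggest checking for setuid helpers by hand (`locate sandbox`, or listing a package's files and grepping `ls -ld` output for an `s` bit) and quote Chromium's own requirement from its abort message: the helper must be root-owned with mode 4755. The script below is an added example, not code from the thread or from the Chromium project; it turns those manual checks into two small audit functions and runs them against a constructed temporary directory, so it works offline. The helper file names it creates are made up for the demo; point `find_setuid_in` at a real install tree such as `/opt/google/chrome` or `/usr/lib/chromium` to audit an actual system.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread or from Chromium): audit a
# browser install tree for setuid helpers and report how one is configured.

# List every regular file under $1 that carries the setuid bit (mode 4000).
# `find -perm -4000` matches files that have at least that bit set.
find_setuid_in() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Describe one helper binary using `ls -ld` output (portable across GNU and
# BSD userlands). Prints exactly one of:
#   missing
#   not-setuid <owner> <mode>
#   setuid <owner> <mode>
# A trailing '.' or '+' (SELinux context / ACL marker) is stripped from the mode.
helper_status() {
    path=$1
    [ -e "$path" ] || { echo missing; return 0; }
    set -- $(ls -ld "$path")
    mode=${1%[.+]}
    owner=$3
    case "$mode" in
        ???[sS]*) echo "setuid $owner $mode" ;;
        *)        echo "not-setuid $owner $mode" ;;
    esac
}

# Chromium's rule as quoted in the abort message above: owned by root, mode
# 4755 (-rwsr-xr-x). Returns 0 when the helper satisfies it, 1 otherwise.
helper_matches_chromium_rule() {
    [ "$(helper_status "$1")" = "setuid root -rwsr-xr-x" ]
}

# Demo on a constructed tree: one setuid helper, one plain binary. The files
# are owned by whoever runs this, so the Chromium rule will normally fail here.
demo() {
    tree=$(mktemp -d)
    printf '#!/bin/sh\n' > "$tree/demo-sandbox"; chmod 4755 "$tree/demo-sandbox"
    printf '#!/bin/sh\n' > "$tree/demo-browser"; chmod 0755 "$tree/demo-browser"

    echo "setuid files under $tree:"
    find_setuid_in "$tree"
    for f in "$tree/demo-sandbox" "$tree/demo-browser" "$tree/absent"; do
        echo "$f: $(helper_status "$f")"
    done
    if helper_matches_chromium_rule "$tree/demo-sandbox"; then
        echo "demo-sandbox matches Chromium's root:4755 requirement"
    else
        echo "demo-sandbox does NOT match Chromium's root:4755 requirement"
    fi
    rm -rf "$tree"
}

demo
```

The useful output for a defender is the `find_setuid_in` list: every entry is a root-owned program a browser can hand a partially attacker-controlled process to, so each one should be accounted for (a distribution-packaged sandbox helper, or nothing at all on builds that use user namespaces instead).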

          • by Anonymous Coward

            > Removing that s bit causes chromium to refuse to run:

            ENOREPRO

            ls -ld /usr/lib/chromium-browser/chromium-browser
            -rwxr-xr-x 1 root root 46008184 Dec 17 09:05 /usr/lib/chromium-browser/chromium-browser
            $ ls -ld /usr/lib/chromium-browser/chrome-sandbox
            -r-xr-xr-x 1 root root 14296 Dec 17 09:05 /usr/lib/chromium-browser/chrome-sandbox
            $ lsb_release -irc
            Distributor ID: Ubuntu
            Release: 16.10
            Codename: yakkety
            $ apt search chromium-browser
            Sorting... Done
            Full Text Search... Done
            chromium-browser/yakkety-security,yakke

        • by lgw ( 121541 )

          It silently self-escalates when it runs. Did you think Chrome wasn't a root kit? It's a browser built by an advertising company, why would you expect it to behave differently than weatherbug?

    • dont dump microsoft, they're job security.
  • there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports.

    I don't see the author saying this anywhere in Caballero's article. Maybe the reporter at the news site (and the submitter) should have read the article first.

    For what it is worth, Caballero is a respected browser security researcher. I don't think he would do something like this.

    • So I re-read the article, and here is the part the journalist was referring to:

      In my opinion, some people at Microsoft do not care and they just do what they want, so phrases like "responsible disclosure" will ring in my mind when the "responsible patching" ring in their minds. To be clear: I will keep sharing my findings for as long as MSRC keeps acting like an unreachable rock star.

      Okay maybe the journalist meant that the researcher won't wait 60/120 days disclosure, which is still a far cry from not reporting bugs at all.

  • Browser tested: Chrome.

    1. Regular alert: Alert came up, second time. check marked it. Disappeared for ever.

    2, 3, 4: htmlFile alert, all at once, in a zombie script: No effect, no popup, nothing.

    Browser being tested: IE 11

    no carrier

  • by Mitsoid ( 837831 ) on Saturday February 25, 2017 @01:48PM (#53929577)

    Fairly sure this can be done other ways... Allakhazam (which has game info for many popular MMO's) auto-loads advertisements every few minutes, regardless of the users browser state.

    My wife frequently walks away for 20+ minutes, only to have her computer randomly start playing an advertisement.. I suppose it isn't a "pop up", but clearly "auto refreshing for advertisement fraud" is possible and in use... And Allakhazam's method works on Firefox and Chrome from our experiences

    • by Mitsoid ( 837831 )

      Fairly sure this can be done other ways... Allakhazam (which has game info for many popular MMO's) auto-loads advertisements every few minutes, regardless of the users browser state.

      My wife frequently walks away for 20+ minutes, only to have her computer randomly start playing an advertisement.. I suppose it isn't a "pop up", but clearly "auto refreshing for advertisement fraud" is possible and in use... And Allakhazam's method works on Firefox and Chrome from our experiences

      To clarify, Browser state being "on and at their website", but otherwise irrespective (minimized, not in focus, not interacted with for many minutes, etc.)

      • by lgw ( 121541 )

        It's normal to have javascript running in the background when you're at a site. How else do you think Google knows how long you spent looking at any page on the Web or where your mouse pointer was millisecond-by-millisecond? This attack is special because it keeps happening after you navigate away from the site.

  • Doesn't Chrome have the same problem? I've had to go into Task Manager and kill Chrome after getting the "You have a virus! Pay us money!" popup. (Have they fixed that in Chrome already?) My ex was stupid enough to actually call the phone number they put up on the screen, after which some Indian guy asked her for money.
    • I saw this last week so I doubt they have fixed it. It took over the screen and the only thing I could do was kill chrome via ctrl+alt+del. No defense. I had to tell the user to never go to that site (or their history), or use a browser with noscript, like SeaMonkey or Firefox. SeaMonkey with noscript and adblock has saved me a few headaches for users with chrome bloat issues due to too many tabs.
    • by tepples ( 727027 )

      My ex was stupid enough to actually call the phone number they put up on the screen, after which some Indian guy asked her for money.

      And there are people on YouTube who mess with those scammers in India and screencap it: Lewis's Tech, Thunder Tech, Each&Everything, etc.

  • I hope the zombie script will die if the browser is killed? Or have clever people at Microsoft have implemented auto checkpoint and auto restore to make it even more persistent?
  • by Anonymous Coward

    Yes... other languages "could" have the same problem, and it's not the language per se that's the issue, but javascript is in the position where it's loaded from random malicious or semi-malicious web sites and executed in your browser.

    If you let that happen by default, after an endless fucking series of javascript based exploits and vulnerabilities and nagware and data-harvesting over the years.. at this point I no longer feel sorry for you. You're letting random strangers who do not mean you well control t

    • by SuperKendall ( 25149 ) on Saturday February 25, 2017 @02:31PM (#53929723)

      If this issue were a problem in Javascript it (or some variant) would work in a lot more browsers than just IE11.

      But it's not. The bug here boils down to Microsoft adding an ActiveX call into Javascript, then that call activating some native HTML ActiveX component and using it in a super bad way.

      That's not Javascript's fault, that's on Microsoft for punching such a large hole in the sandbox.

    • I've felt this way since the early days of getting caught in an endless 'on exit' loop. Oh wait, that's not the early days, that's TODAY, even in Chrome. Why is this even possible in the first place?
    • Running with javascript default-enabled is like letting any stranger in the world use your house for any purpose they want.

      If most people change the default to no JS, what steps should a developer of a web application take to convince prospective users that the web application is legitimate? Or should all applications instead be native and therefore specific to a single operating system?

      • If most people change the default to no JS, what steps should a developer of a web application take to convince prospective users that the web application is legitimate?

        A good start is designing them so they degrade gracefully and remain usable when scripting is disabled.

        • by tepples ( 727027 )

          How would, say, a web-based image editing application "degrade gracefully and remain usable when scripting is disabled"? The only way I can see to make it remotely usable without script is to make the image that the user is editing into a server-side image map, with a full page reload for each click, and requiring the user to click multiple times along a curve to draw it instead of being able to drag. How is that "gracefully"?

          Likewise for a web-based front end to a chat room. The user would have to keep cli

          • How would, say, a web-based image editing application "degrade gracefully and remain usable when scripting is disabled"?

            Gosh, thinking is hard, isn't it?

            For a start, it could display the image with text indicating why other functionality requires scripting. It could give the user the option to download the image (yes, present in the browser already; doesn't mean you can't improve the UX with an explicit link, which of course only requires HTML), edit it offline in the tool of their choice, and upload it again (which only requires an HTML form).

            In any case, the existence of a small subset of "web applications" that require sc

  • I see the problem (Score:3, Informative)

    by ssufficool ( 1836898 ) on Saturday February 25, 2017 @02:18PM (#53929677)

    "new ActiveXObject('Microsoft.Ancient.Bad.Idea')" I think I've seen this exploit before. SMH. It's time to kill ActiveX in the browser already.

  • If any outsider can install and run a program on your computer it is no longer your computer. Javascript is such a program. So is the permission to open a Microsoft docx document. In a corporate environment there is usually a guard dog to protect you. In a home Windows, Apple or Unix-based system you are on your own. If you leave the keys to your car in the ignition don't be surprised if someone takes it for a ride.

    Make your own decision.

  • That way we can track you with an advertiser ID in a feeble way to sell apps on the appstore and actual think this will get people to buy Windows Phone?

    Why fix it? This is great scareware to get PHB IT managers to upgrade and leave perfectly working 7 behind.

  • Internet Explorer 11 requires Windows 7 SP1 or higher. Microsoft would be quick to point out that they have offered free upgrades to Windows 10, featuring their new, more secure Edge browser, for over a year now.

  • This is why everyone should be running Noscript. Javascript is a major security risk and should only be run on sites you completely trust 100%. Even then it is the most likely vector for viruses and malware.

  • the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports

    Yeah, I can empathise... MS have some really shitty strategies for dealing with bug reports. Although I don't post security bugs, my experience is:

    1. Copy paste replies
    2. usually marked as "wont fix" cos "only affects some users", (even though it affects everyone)
    3. Contrive ways to not reproduce it and close it because "does not work on some specific build on a specific combination of hardware and OS"

    I know that closed source has less resources but a) don't be fucking closed source then and b) don't use u
