date 2017-02-25

 


Severe IE 11 Bug Allows 'Persistent JavaScript' Attacks (bleepingcomputer.com) 19

Posted by EditorDavid from the persistent-popups dept.
An anonymous reader writes: New research published today shows how a malicious website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute any kind of persistent JavaScript code while the user is on other domains. In an interview, the researcher who found these flaws explains that this flaw is an attacker's dream, as it could be used for: ad fraud (by continuing to load ads even when the user is navigating other sites), zero-day attacks (by downloading exploit code even after the user has left the page), tech support scams (by showing errors and popups on legitimate and reputable sites), and malvertising (by redirecting users later on, from other sites, even if they leave the malicious site too quickly).

This severe flaw in the browser security model affects only Internet Explorer 11, which unfortunately is the second most used browser version, after Chrome 55, with a market share of over 10%. Even worse for IE11 users, there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports. For IE11 users, a demo page is available here.

  • Dump Microsoft (Score:1)

    by Anonymous Coward

    You know it makes sense.
    Mind you Google isn't that much better

    Dump google
    you know it makes sense.

    • Re: (Score:1)

      by Anonymous Coward
      The S in Internet Explorer stands for security.

    • Chrome requires its sandbox process to run as root. Well not on my systems it isn't. Won't run? Tough, I'll just use one of the many alternatives then.

      Apparently google thinks its code is 100% exploit and bug free and doesn't see an issue with having a user application requiring superuser privileges. Utter morons. And anyone who says to me "but it's not the browser, it's the sandbox" obviously knows the square root of fuck all about security so don't even bother me with your ignorant opinions.

      • Chrome requires its sandbox process to run as root.
        Chrome runs under the user id it was started from. No idea what you want to claim.

    • don't dump microsoft, they're job security.

  • there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports.

    I don't see the author saying this anywhere in Caballero's article. Maybe the reporter at the news site (and the submitter) should have read the article first.

    For what it is worth, Caballero is a respected browser security researcher. I don't think he would do something like this.

    • So I re-read the article, and here is the part the journalist was referring to:

      In my opinion, some people at Microsoft do not care and they just do what they want, so phrases like “responsible disclosure” will ring in my mind when the “responsible patching” ring in their minds. To be clear: I will keep sharing my findings for as long as MSRC keeps acting like an unreachable rock star.

      Okay maybe the journalist meant that the researcher won't wait 60/120 days disclosure, which is still a far cry from not reporting bugs at all.

  • Browser tested: Chrome.

    1. Regular alert: Alert came up, second time. check marked it. Disappeared for ever.

    2, 3, 4: htmlFile alert, all at once, in a zombie script: No effect, no popup, nothing.

    Browser being tested: IE 11

    no carrier

  • Fairly sure this can be done other ways... Allakhazam (which has game info for many popular MMOs) auto-loads advertisements every few minutes, regardless of the user's browser state.

    My wife frequently walks away for 20+ minutes, only to have her computer randomly start playing an advertisement.. I suppose it isn't a "pop up", but clearly "auto refreshing for advertisement fraud" is possible and in use... And Allakhazam's method works on Firefox and Chrome from our experiences

    • Re: (Score:2)

      by Mitsoid ( 837831 )

      Fairly sure this can be done other ways... Allakhazam (which has game info for many popular MMOs) auto-loads advertisements every few minutes, regardless of the user's browser state.

      My wife frequently walks away for 20+ minutes, only to have her computer randomly start playing an advertisement.. I suppose it isn't a "pop up", but clearly "auto refreshing for advertisement fraud" is possible and in use... And Allakhazam's method works on Firefox and Chrome from our experiences

      To clarify, Browser state being "on and at their website", but otherwise irrespective (minimized, not in focus, not interacted with for many minutes, etc.)

  • Doesn't Chrome have the same problem? I've had to go into Task Manager and kill Chrome after getting the "You have a virus! Pay us money!" popup. (Have they fixed that in Chrome already?) My ex was stupid enough to actually call the phone number they put up on the screen, after which some Indian guy asked her for money.
    • I saw this last week so I doubt they have fixed it. It took over the screen and the only thing I could do was kill chrome via ctrl+alt+del. No defense. I had to tell the user to never go to that site (or their history), or use a browser with noscript, like SeaMonkey or Firefox. SeaMonkey with noscript and adblock has saved me a few headaches for users with chrome bloat issues due to too many tabs.
  • I hope the zombie script will die if the browser is killed? Or have clever people at Microsoft implemented auto checkpoint and auto restore to make it even more persistent?

  • "new ActiveXObject('Microsoft.Ancient.Bad.Idea')" I think I've seen this exploit before. SMH. It's time to kill ActiveX in the browser already.

