Google Goes On Offensive vs. JavaScript Attacks
alphadogg writes "Google's e-mail security team has updated its Postini engine to stop a new type of JavaScript attack that helped fuel a rise in spam volume in recent months.
Google says it has seen a surge in obfuscated JavaScript attacks, describing them as a hybrid between virus and spam messages. The e-mails are designed to look like legitimate messages, specifically Non Delivery Report messages, but contain hidden JavaScript.
'In some cases, the message may have forwarded the user's browser to a pharma site or tried to download something unexpected,' Google said in its official blog."
User should just have an option to execute or not JS in the email text. Problem solved.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
...could this site have *any* more ads? Good lord, 15 seconds and there have already been THREE inline popup ads and a redirect ad, in addition to all the crap surrounding the article.
"If you see a man on a horse, he is likely an enemy. Kill the man and eat the horse."
JavaScript has long outlived its usefulness. If the trend is to write large-scale applications targeting the browser, we should at least do it with a real programming language, not a half-baked scripting language that was stuck into Netscape Navigator as a hack 15 years ago.
Google, Opera, Apple and Mozilla need to get languages like Python, Ruby, Scheme and Erlang available in the browser. You know, real languages with the features necessary to write larger and more secure applications. We should stop jerking around with JavaScript, a rather pathetic scripting language that has been pushed far past what it was ever intended to handle.
The language originally proposed for Netscape Navigator, before "needs to become popular" and "remind people of Java" ruled it out.
Like, wow... just wow.
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?
File under 'M' for 'Manic ranting'
Don't most email clients that display html format messages use one of the popular rendering engines, like Webkit? Presumably the html portion of the message is just passed to the rendering engine and the javascript magic happens.
Putting moderation advice in your
Probably the same people who thought it would be a good idea to allow javascript to run in a browser.
Heyoooooo
TFA should have read: "Google has found a vulnerability in its gmail code that could be used to execute arbitrary JS code in the user's browser".
Instead, they played that down and used the "we are fighting JS attacks" phrase as if that was normal or common.
Failing to properly escape JS/HTML/CSS in a webservice is a MAJOR vulnerability.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
I'd assume a vast majority of people don't even know what javascript is let alone why it is potentially dangerous. Sometimes you have to consider your users - which sometimes means you have to consider the ignorant, non-technical masses (ie: email users). Sure, you can feed them to the wolves, but it will come back and bite you somehow.
I will bend like a reed in the wind.
Nobody is allowing javascript in emails. This is a BUG in Gmail's code, not the user's fault. You use a browser to see your email. Spammers managed to somehow escape JS code and pass it through all of google's filters and execute it in your browser.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Sure, but you have to explicitly go to a page to get the content of it... it isn't just sent to you without asking for it, like email is.
File under 'M' for 'Manic ranting'
So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?
Software engineers who are even dumber than the users.
RIP America
July 4, 1776 - September 11, 2001
Uhh, everyone using a JavaScript-powered webmail system like GMail or Hotmail or Yahoo! Mail will be checking their mail with a JavaScript-enabled email client.
Yeah, that's right. Web apps fail yet again.
If your email client even knows how to execute Javascript (let alone makes decisions about whose scripts to trust and whose not to), then you're doing something wrong.
What's next, are people going to start building javascript interpreters into grub, iwconfig, pvcreate and ionice?
This is a BUG in Gmail's code, not the user's fault
LOL no. I've been getting these spams for a week or so now. It looks like the usual undeliverable mail message, "see attachment for details", but instead of the attachment being an email message it's an HTML file. So the user clicks on Returned Mail.html and goes wherever the javascript takes them.
If I have been able to see further than others, it is because I bought a pair of binoculars.
You have to open an email to access the javascript.
And if I do not necessarily want Javascript to run on a page I explicitly go to? What are my options? Disable Javascript of course!
Luckily for most people - Javascript is defaultly* disabled in most email clients, so the only reason this would be a threat is if it's misconfigured.
*I think I just made that word up. I love English, you can form new words and people will still understand your message.
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
As always, this sentiment annoys me.
Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune. No one is born knowing "I should not enable javascript in my e-mail." If this slipped through google, who I expect to be better than the average user, who the hell are you to say the average user should have known better and deserves it?
The javascript is in a file attached to the email. I've got dozens of them in my spam folder. Here's the entire content of one:
Subject: Delivery Status Notification (Failure)
From: Mail Delivery Subsystem [mailer-daemon@my domain]
Note: Forwarded message is attached.
This is an automatically generated Delivery Status Notification
THIS IS A WARNING MESSAGE ONLY.
Delivery to the following recipient has been delayed:
myself@my domain
Message will be retried for 2 more day(s)
Attached is "Forwarded Message.html", which has the obfuscated javascript in it.
It's pretty obvious, most of these claim I tried to email myself and it bounced. There's a second variant that uses a random "recipient" address, and an attachment named "Delivery Status Notification (Failure).html"
If I have been able to see further than others, it is because I bought a pair of binoculars.
I just tested this. I sent a message to my Hotmail box with an HTML file as an attachment. The HTML file contains a single script tag with document.location = 'http://google.com' inside. I opened the mail and opened the attachment. Internet Explorer asks if I want to save "test.html" or open it. This should ring bells big time but I understand that a normal user doesn't get it and goes and opens the attachment. So I went and clicked Open and was redirected to google.com.
Now if I save the file and try to open it from the local folder I get a nice yellow warning bar telling me that the file contains An Evil Script and if I really, really want to open it I must explicitly allow the script to run. If I go and allow the script then I'm at google.com again.
It seems that this is a simple, direct and rather effective attack against Joe Averages who just want to get rid of the stupid warning dialogs and open up everything that is sent to them. If Google can come up with a generic solution for this, other than trying to rip off every HTML tag from the mails and their attachments, I really applaud them.
Maybe the browser shouldn't be allowed to be redirected outside the current domain by default? But then again, there would have to be warning dialog for that and Joe Average would still be out of luck.
You don't know what you don't know.
Postini does a lot more than Gmail.
I would think that commenting out the tag would do it.
If Google is responding to existing attacks, wouldn't they be going on the defensive?
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
It's what I keep repeating time and again. Active content (Javascript, Flash, Java, ActiveX (ick!) is a very bad idea in a browser (an even worse idea in a mail reader). It's like having a gullible ward at the front door, willing to execute whatever instructions a complete stranger gives them.
Fuck "rich web experience". Rich means here "rich in exploits", nothing else.
And every "sandbox", "security container", whatnot -- just leads to a "Gödel, Escher, Bach"-style arms race.
I have a dream. That people understand the Internet as a means of conveying useful information, not "rich", "web", "experiences" or whatever incongruent marketeer's babble is "in" these days.
Lawn and that.
This is the exact reason that I NEVER use the internet. Just too dangerous these days...
...an effective attack vector against mutt.
Because of the confusion that seems rampant...
Postini is an anti-spam/anti-virus mail filtering service that sits between your mail system and the internet. Companies (mostly) use it to stop malicious emails getting into their internal mail systems. GMail is a web-mail system which is probably protected by Postini also since Google owns both.
--- Mercutio was right.
Not dumb. Just naive. They may be brilliant developers or software engineers. It's hard to call someone like that dumb except in the way Scott Adams does in his Dilbert books (where he describes people as idiots in one or more fields). It is really that they were naive and trusting ("who would want to attack people" type thinking)... It's too bad they weren't right about that though.
plain text : it was good enough for Shakespeare
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
I get a nice yellow warning bar telling me that the file contains An Evil Script and if I really, really want to open it I must explicitly allow the script to run.
That's because IE's javascript engine treats javascript executed from the computer with extra privileges over javascript executed from the "Internet Zone".
Yeah, I didn't notice anything odd, though it seems NoScript was blocking content from a lot of sources.
What's the point of JavaScript in e-mails anyways? For HTML e-mails?
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
> That's because IE's javascript engine treats javascript executed from the computer with extra privileges over javascript executed from the "Internet Zone".
Used to be you could modify that, not sure how it is like after Vista and Windows 7.
See this: How To Add 'My Computer' As the Fifth Internet Explorer Security Zone
http://support.microsoft.com/kb/555599
http://support.microsoft.com/kb/315933
If you make the security settings strict it breaks some Windows Explorer stuff in XP's "webview" mode. But it works fine in classic mode. In my opinion the classic mode is less likely to be exploitable than the XP "webview" mode, and I'm the sort who prefers classic mode anyway :).
Like, wow... just wow.
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
So wait, you are claiming that average Joe is supposed to automatically know better about technology than GOOGLE?!
And yet you are calling someone Else stupid?! Wow, just wow
Yes, I know that. I was talking from the point of view of Joe Average who doesn't know a s**t. And my point was, you can add extra layers, warning dialogs and yellow warning bars as many as you like for these kinds of attacks but still you have to give the user the option just to run those scripts. Someone eventually runs them and the attacker has won.
You don't know what you don't know.
Does that mean that no one deserves fortune either? Or if people deserve things because of actions they take, if someone deserves fortune because they worked hard, doesn't that suggest that the lazy and ignorant deserve misfortune?
Does that mean that no one deserves fortune either?
It does not mean that, no.
Fortune is due to many things, the actions you take are but one aspect. Therefore, it is a flawed assumption that fortune is something you deserve solely because of the actions you take.
Also, there is a difference between rewarding someone for contributing to society (aka, earning a fortune through cleaning windows and saving money) and punishing them. One is sharing the benefits of their effort with them. The other is going out of your way to hurt them. If people weren't evil bastards, there would be no need for the JS security model. But they are. So, the bastards have to be stopped, because they make life worse for everyone around them. In the physical world we give some people guns and tell them to go stop the bastards. In the electronic world, the technically proficient have to stop them. It's simple specialization of labor.
Why is what you're saying any different from me saying "I can take anyone's stuff I want, and people who are too lazy and weak to protect it deserve the misfortune of me taking it."?
Your ad here. Ask me how!
if someone deserves fortune because they worked hard, doesn't that suggest that the lazy and ignorant deserve misfortune?
I suppose that's your implication. If someone deserves fortune because they work hard - that does not mean that someone who doesn't work hard doesn't also deserve fortune. Hate to be pedantic, but something being true does not mean the opposite is true. (Being good with my right hand does not mean being bad with my left, as there are people who are ambidextrous)
Google doesn't want to execute JS in emails, and never did. Nobody should (nor does) allow JS in email afaik. The problem is the JS is executing *anyway*, despite Google's filters. They found a crack in the filtering and are exploiting it; not because *gmail* executes javascript but because *your browser* does.
Such an option would make email more vulnerable, not less, since some people would set it to "execute", when everyone should be "don't execute".
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
And then you will have to determine how to comment it in some obfuscated sequence of comments, quotes and escapes that may or may not be formally valid and may or may not produce consistent results in multiple rendering engines.
Contrary to the popular belief, there indeed is no God.
I don't recall anything Scheme related in Navigator.
Livescript is now Javascript.
You are being MICROattacked, from various angles, in a SOFT manner.
Exactly. The real problem is turning a browser into an email reading program. That's the downside of going from native apps for everything to the-browser-is-the-OS type thinking. It's only going to get worse.
*I think I just made that word up. I love english, you can form new words and people will still understand your message.
Well, I guess that's more common than you think
The word 'defaultly', I meant. :D
So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?
Annoyingly, the answer is businesses.
My boss wants to send spam, uh, I mean legitimate business emails that look exactly like our website. He wants all the same logos, menus and layout from our site to appear in our marketing emails. More specifically, he wants his javascript roll-out menus, he wants his Flash marketing panels, he wants his funky JQuery effects.
He wants his emails to look like this, and so do thousands of other bosses. These are the people with the money, so these are the people that Microsoft has to support, so those are the features that get put into email clients.
Conversely, these same people really don't care that their customers' email clients are insecure as a result of these features. That's the customers' problem. And again, Microsoft has historically gone with the money rather than doing the right thing.
And yes, I know there are other browsers and other email clients and other operating systems, but most people are still using these MS products, and as far as many bosses are concerned, it may as well be everyone using these products -- my boss doesn't care what the emails we send look like in any other software than Outlook. If it looks right on his screen, then it looks right on everybody's.
Just been hit starting 30 minutes ago by a wave of delivery failure notifications but the preceding message (to which it is a reply) looks like one from me - spam to a bunch of people including some addresses I recognize. Gmail account now disabled. Seems a hell of a coincidence that this is happening just after this report about Gmail JavaScript problems. Never had anything like this before.
You're right. It would be a horrible piece of script/code to write so that it a) removes all the Evil tags 100% and b) doesn't mess up any legit tag. I can think of only one way to achieve this: the server itself would have to run the attachment(s) in a sandbox with multiple browsers and check if there's anything suspicious going on. I think it would kill the server.
You don't know what you don't know.
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
As always, this sentiment annoys me.
Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune. No one is born knowing "I should not enable javascript in my e-mail." If this slipped through google, who I expect to be better than the average user, who the hell are you to say the average user should have known better and deserves it?
One need not have any technical expertise to know what a free service from a profit-making enterprise ultimately will be worth. Anyone who expects a free service from a corporation which exists to make money to be anything other than shoddy is assured disappointment. That is something that any competent adult in a money-driven society should understand. No matter how many of the self-defined best and brightest are gathered together and no matter how slick they are at selling the idea that they are dedicated to not being evil, Google cannot (and doesn't want to) eliminate the most basic principle of healthy economics: at best, you get what you pay for.
It's a bit more subtle to understand that when a company like Google gives away services, the users of those services are not customers. They are human livestock. The Google business model is not new, rather it is one of the oldest. The quality of a service like GMail for users is analogous to the quality of feed and shelter offered by the first egg and dairy farmers to their hens and cows. That may be quite good relative to the context of the livestock, but it is feed and shelter. Non-human livestock doesn't know that there are such things as food and housing, and might not value the difference. Making a domestication bargain is not necessarily based on ignorance and demonstrates some level of intelligence. Saying that GMail users do not deserve whatever breakage they get from it is insulting to their basic competence. No one is born into Gmail, no one is required to use GMail. People use GMail by choice and no one competent to manage their own affairs in a market economy would expect it to be a high-quality service, even if understanding the specific metrics of quality for such a service requires rather arcane knowledge. Either the bulk of GMail users *DESERVE* whatever crapulence they get from GMail (because they chose to take an obvious risk whose details are likely beyond their understanding) or we have a huge unmet need for custodial social workers, sheltered workshops, and adult day care. Or maybe just for research into better utilization of human livestock.
So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?
Netscape and Microsoft, in the mid-90's, when they were both known for hiring fresh grads based on GPA and driving away experienced developers who understood their own fallibility.
Google is not particularly innovative in their design errors or how they got them.
That would require a huge amount of resources, far beyond anything used by existing mail services, webmail or otherwise. A much more sane approach would be to process everything with a very simple HTML parser that only recognizes "legitimate" tags and stylesheets, extract and sanitize all text, then re-assemble the document using completely different tags and stylesheet, throwing away everything that is not text and marking all links in the same way Slashdot does it in comments. The "original" document can be available as a link/attachment, not identified as text/html, so the browser won't try to render it.
Contrary to the popular belief, there indeed is no God.
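The parse-and-reassemble approach sketched in the comment above (and the "remove all the Evil tags without breaking legit ones" problem raised earlier), written out as an added example that is not code from the thread or from Google's Postini: an allowlist parser that keeps only text and a handful of structural tags, drops scripts, styles and every attribute, and re-emits links with the real target host in brackets the way Slashdot marks them. The sample HTML is constructed; the tag set, the marker format and the example.invalid hosts are my choices.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Source tags that survive, each mapped to the tag we re-emit (no attributes).
ALLOWED = {"p": "p", "br": "br", "b": "strong", "strong": "strong", "i": "em",
           "em": "em", "ul": "ul", "ol": "ol", "li": "li", "a": "a"}
# Elements whose text is not content: dropped together with their children.
DROP_CONTENT = {"script", "style", "title", "head"}
SAFE_SCHEMES = {"http", "https", "mailto"}


class Reassembler(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # fragments of the rebuilt document
        self._skip = 0      # nesting depth inside DROP_CONTENT elements
        self._link = None   # href of the currently open <a>, if it was accepted

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
        elif self._skip or tag not in ALLOWED:
            return          # unknown tag (html, body, div, img, ...): keep text only
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if urlsplit(href).scheme in SAFE_SCHEMES:   # rejects javascript:, data:, ...
                self._link = href
                self.out.append('<a href="%s" rel="noopener noreferrer">'
                                % escape(href, quote=True))
        else:
            self.out.append("<%s>" % ALLOWED[tag])      # attributes never carried over

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif self._skip or tag not in ALLOWED or tag == "br":
            return
        elif tag == "a":
            if self._link is not None:   # Slashdot-style marker: real host after the text
                host = urlsplit(self._link).hostname or self._link
                self.out.append("</a> [%s]" % escape(host))
                self._link = None
        else:
            self.out.append("</%s>" % ALLOWED[tag])

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))


def sanitize(html_text):
    """Return the untrusted HTML rebuilt from text and allowed structure only."""
    parser = Reassembler()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


# Constructed sample in the shape of the fake delivery notices quoted in the thread.
SAMPLE = ('<html><head><title>Delivery Status Notification</title>'
          '<script>document.location="http://example.invalid/x"</script></head>'
          '<body><p onclick="evil()">Delivery to <b>you@example.invalid</b> has '
          '<i>failed</i>.</p><p><a href="javascript:alert(1)">details</a> or '
          '<a href="http://example.invalid/bounce">retry</a></p></body></html>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```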
yes but it's not JS in the actual message that is causing problems, it's the HTML attachments (with JS). The message can look all fine but when you open the HTML attachment all the nasty scripts are run.
You don't know what you don't know.
In email there is no fundamental difference between "message" and "attachments" -- email may be single-part or multi-part, and parts may be of various types identified by MIME headers. Mail readers display text and HTML parts of the message (or only first such part) as the "message" and everything else as "attachments", however it's up to the mail client (or webmail server) to choose how and what to show to the user.
Contrary to the popular belief, there indeed is no God.
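An added example (not code from the thread or from any mail product) of the point above that "message" versus "attachment" is only a Content-Disposition hint: a scanner that walks every MIME part of a message and flags any text/html part carrying script, whatever label the client would give it, then checks for the bounce-notice-with-HTML-attachment shape quoted earlier in the thread. The .eml text is constructed; the marker regexes, the NDR keyword list and the example.invalid addresses are assumptions.

```python
import re
from email import message_from_string, policy

# Markers of active content in an HTML part. Deliberately simple; the point
# here is that every MIME part is inspected, not only the rendered body.
ACTIVE_MARKERS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript-url": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
}
NDR_WORDS = ("delivery status notification", "undeliverable", "returned mail")


def scan_message(raw):
    """Return (part_index, disposition, filename, markers) for every text/html
    part that carries active content, whatever its Content-Disposition says."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        body = part.get_content()
        hits = sorted(n for n, rx in ACTIVE_MARKERS.items() if rx.search(body))
        if hits:
            disp = part.get_content_disposition() or "inline"  # None == shown as body
            findings.append((idx, disp, part.get_filename(), hits))
    return findings


def looks_like_fake_ndr(raw):
    """The shape quoted in the thread: a bounce-styled subject whose
    'forwarded message' is an HTML attachment with script in it."""
    subject = message_from_string(raw, policy=policy.default).get("Subject", "").lower()
    if not any(w in subject for w in NDR_WORDS):
        return False
    return any(disp == "attachment" for _, disp, _, _ in scan_message(raw))


# Constructed sample modelled on the notices quoted earlier in the thread.
SAMPLE_EML = """\
From: Mail Delivery Subsystem <mailer-daemon@example.invalid>
To: myself@example.invalid
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

This is an automatically generated Delivery Status Notification.
Note: Forwarded message is attached.

--b1
Content-Type: text/html; name="Forwarded Message.html"
Content-Disposition: attachment; filename="Forwarded Message.html"

<html><body onload="go()"><script>document.location='http://example.invalid/p'</script></body></html>
--b1--
"""

if __name__ == "__main__":
    for idx, disp, name, hits in scan_message(SAMPLE_EML):
        print(f"part {idx} ({disp}, {name!r}): {', '.join(hits)}")
    print("fake NDR pattern:", looks_like_fake_ndr(SAMPLE_EML))
```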