Slashdot Mirror
Google Goes On Offensive vs. JavaScript Attacks
alphadogg writes "Google's e-mail security team has updated its Postini engine to stop a new type of JavaScript attack that helped fuel a rise in spam volume in recent months.
Google says it has seen a surge in obfuscated JavaScript attacks, describing them as a hybrid between virus and spam messages. The e-mails are designed to look like legitimate messages, specifically Non Delivery Report messages, but contain hidden JavaScript.
'In some cases, the message may have forwarded the user's browser to a pharma site or tried to download something unexpected,' Google said in its official blog."
JavaScript itself is not problem, even if "use strict" would come handy. The biggest problem is DOM and other associated APIs a JavaScript programmer must deal with. It's horrible. But along good practices (Crockford's Javascript The Good Parts come to mind) it is a very nice language to deal with.
Take a look at Crockford's JavaScript: The World's Most Misunderstood Programming Language for reference.
English is not my first language. Corrections and suggestions are welcome.
Nobody is allowing javascript in emails. This is a BUG in Gmail's code, not the user's fault. You use a browser to see your email. Spammers managed to somehow escape JS code and pass it through all of google's filters and execute it in your browser.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
As always, this sentiment annoys me.
Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune. No one is born knowing "I should not enable javascript in my e-mail." If this slipped through google, who I expect to be better than the average user, who the hell are you to say the average user should have known better and deserves it?