Slashdot Mirror


Poisoned Google Image Searches Becoming a Problem

Orome1 writes "If you are a regular user of Google's image search, you might have noticed that poisoned search results have practically become a common occurrence. Google has, of course, noticed this and does its best to mark the offending links as such, but it still has trouble when it comes to cleaning up its image search results."

67 of 262 comments

  1. im glad im not the only one by metalmaster · · Score: 4, Informative

    I was looking up images for a VP shunt when I came across a few poisoned links. I got scared for a minute because just hovering over the image triggered the payload for one of them.

    1. Re:im glad im not the only one by WrongSizeGlass · · Score: 5, Funny

      To protect myself against these poisoned image search results I make sure I always use Lynx when I search for images.

    2. Re:im glad im not the only one by Nimey · · Score: 5, Informative

      lynx + zgv was how I used to view images on the Web about ten years ago. It worked surprisingly well, back before AJAX or Flash were used for navigation.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    3. Re:im glad im not the only one by lennier1 · · Score: 3, Interesting
    4. Re:im glad im not the only one by Rizimar · · Score: 5, Funny

      I'm pretty fluent in JPEG myself, though I read the files in a hex editor. You get used to it. I... I don't even see the code. All I see is blonde, brunette, redhead.

    5. Re:im glad im not the only one by Anonymous Coward · · Score: 5, Funny

      Dread Pirate Google: All right. Where is the trojan? The battle of wits has begun. It ends when you decide and we both click, and find out who is right... and who is hacked.

      Vizzini: But it's so simple. All I have to do is divine from what I know of you: are you the sort of man who would put the trojan into his own link or his enemy's? Now, a clever man would put the trojan into his own link, because he would know that only a great fool would click on what he was given. I am not a great fool, so I can clearly not choose the link in front of you. But you must have known I was not a great fool, you would have counted on it, so I can clearly not choose the link in front of me.

      Dread Pirate Google: You've made your decision then?

      Vizzini: Not remotely. Because Zeus comes from Eastern Europe, as everyone knows, and Eastern Europe is entirely peopled with criminals, and criminals are used to having people not trust them, as you are not trusted by me, so I can clearly not choose the link in front of you.

      Dread Pirate Google: Truly, you have a dizzying intellect.

      Vizzini: Wait till I get going! Where was I?

      Dread Pirate Google: Eastern Europe.

      Vizzini: Yes, Eastern Europe. And you must have suspected I would have known the trojan's origin, so I can clearly not choose the link in front of me.

      Dread Pirate Google: You're just stalling now.

      Vizzini: You'd like to think that, wouldn't you? You've beaten my firewall, which means you're exceptionally strong, so you could've put the trojan in your own link, trusting on your strength to save you, so I can clearly not choose the link in front of you. But, you've also bested my antivirus, which means you must have studied, and in studying you must have learned that root is hackable, so you would have put the trojan as far from yourself as possible, so I can clearly not choose the link in front of me.

      Dread Pirate Google: You're trying to phish me into giving away something. It won't work.

      Vizzini: It has worked! You've given everything away! I know where the trojan is!

      Dread Pirate Google: Then make your choice.

      Vizzini: I will, and I choose-- What in the world can that be?

      Dread Pirate Google: What? Where? I don't see anything.

      Vizzini: Well, I... I could have sworn I saw something. No matter.

      Dread Pirate Google: What's so funny?

      Vizzini: I'll tell you in a minute. First, let's click. Me on my link, and you on yours.

      (They both click.)

      Dread Pirate Google: You guessed wrong.

      Vizzini: You only think I guessed wrong! That's what's so funny! I switched links when your back was turned! Ha ha! You fool! You fell victim to one of the classic blunders! The most famous is never get involved in a land war in Asia, but only slightly less well-known is this: never go in against a Sicilian when pwnage is on the line!! Ha ha ha ha ha ha ha!! Ha ha ha ha ha ha ha!! Ha ha ha--NO CARRIER

    6. Re:im glad im not the only one by perryizgr8 · · Score: 2

      What does "poisoned" even mean here?

      --
      Wealth is the gift that keeps on giving.
    7. Re:im glad im not the only one by jimicus · · Score: 2

      Click on the link and abracadabra, as if by magic your computer is infected with malware.

      I had one yesterday through StumbleUpon - it showed a webpage claiming to scan for (and naturally find) malware and at the same time triggered the download of something calling itself anti_malware.zip. I don't know if it would have exploited a browser hole to install itself had I been running Windows, or if it was simply banking on me running the download.

    8. Re:im glad im not the only one by Anonymous Coward · · Score: 2, Funny

      I myself have spent many years building up an immunity to these poisons.

  2. web 101: don't run unknown javascripts by Anonymous Coward · · Score: 4, Insightful

    From TFA: "it displays another script - this time it's a JavaScript one - that redirects the browser to another compromised site that serves malware."

    By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default, without having the first clue what it might be doing. There can't be much debate that it's a stupid course of action, given how many people's machines are jacked by exactly that attack vector (albeit possibly using another as well).

    Yeah, yeah, I know, you need javascript for your bank. That's great: whitelist your damn bank. But run only javascripts on your *whitelist*, not anything any random yahoo from a site you've never heard of before wants you to run. Would you treat your physical possessions that way? Would you let a drug gang in Eastern Europe borrow your car with your permission? If not, why would you allow them to use your computer?

    I swear that the reason I haven't had malware in my entire PC-using history, and others seem to have it on a weekly or monthly basis, is because I don't completely shut off my brain once the words "... on the computer" appear in a sentence.

    1. Re:web 101: don't run unknown javascripts by Frosty+Piss · · Score: 4, Insightful

      By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default...

      This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...

      The *average non-techie web surfer* is simply NOT going to turn off JS.

      Will not happen... So, it's not realistic or productive to waste time discussing such an option.

      Sad, but true.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:web 101: don't run unknown javascripts by blindseer · · Score: 5, Insightful

      It's 2011, there should not be anything a Javascript can do that is harmful to your computer.

      --
      I am armed because I am free. I am free because I am armed.
    3. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 2, Informative

      As a professional web developer, we often write code that expects Javascript to work on our sites, because no one ever turns it off. We have some very high traffic sites, and outside of web crawlers, I don't believe we've seen it blocked, ever.

    4. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 5, Informative

      This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...

      Ironic, given that Google recently (this month) just changed its behavior to practically require Javashit.

      Old hotness: (1) Google "foo". (2) Click "Images" tab at top of screen for a GIS for "foo".

      New and busted: (1) Google "foo". (2) Click "Images" tab at top of screen for... "Your search - foo - did not match any documents." (3) curse, click "Images" tab again - to go to http://www.google.com/imghp?hl=en&tab=ii, and (4) have to type "foo" again in order to GIS "foo". (Or remember to start at images.google.com, which is an issue when you might not be sure which terms to use when searching for the image in the first place)

      Turn Javashit on, and clicking the tab works just fine... but whatever Google changed broke the non-Javashit version of GIS.

      Sorta like last month - maps.google.com is an AJAX app, so it's reasonable for it to require Javascript. But it used to work fine without cookies enabled. Now, it requires both Javascript and cookies. Interesting.

      Just tested/confirmed both of these on Firefox 3.6.16.

      What Facebook does overtly, Google does by benign neglect and failure to regression-test. What's next? Google services simply stop working for Firefox and require Chrome?

    5. Re:web 101: don't run unknown javascripts by AsmordeanX · · Score: 4, Insightful

      I tried running with Javascript disabled. Five years ago you could get away with it. Now so many sites, especially with jQuery being so pervasive, simply don't work with JS disabled or you get an ugly broken thing.

      I hear the claim, "Well you can run it on trusted sites". What has the site done to earn my trust? Why couldn't a malicious site appear interesting enough to prompt you to turn JS on and thus be attacked? Only a little social engineering can defeat NoScript. Whitelisted sites can become compromised as well.

    6. Re:web 101: don't run unknown javascripts by Low+Ranked+Craig · · Score: 3, Insightful

      Uh, no. Javascript is required for a significant portion, I'd say most, of the high traffic sites out there. It is simply not feasible, or acceptable to suggest that all users disable a significant portion of the functionality of the web.

      --
      I still cannot find the droids I am looking for...
    7. Re:web 101: don't run unknown javascripts by Low+Ranked+Craig · · Score: 2

      Why sad? The ability to have portions of the page refresh without round-tripping to the server for a whole new page is only one of the highly useful functions provided by JS.

      --
      I still cannot find the droids I am looking for...
    8. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 2, Informative

      Firefox + FlashBlock + NoScript

      What's the point? NoScript is FlashBlock and then some.

    9. Re:web 101: don't run unknown javascripts by Frosty+Piss · · Score: 4, Insightful

      They will after their machine has to be taken into the shop again for maintenance due to being infected by drive-by exploits like this.

      You might think, but there is a lot to suggest that what you suppose is not the case.

      The fact is, the average non-techie user values "interactive" over "secure". Those in the business of servicing PCs on the consumer level will tell you this.

      --
      If you want news from today, you have to come back tomorrow.
    10. Re:web 101: don't run unknown javascripts by Culture20 · · Score: 2

      Even if the defaults are reversed, what is grandma going to do, vet the JS code for every script that wants to run?

    11. Re:web 101: don't run unknown javascripts by Tacvek · · Score: 3, Informative

      The trouble is that you likely get a substantially degraded experience on some sites. Many well developed sites use AJAX to speed up navigation[1], falling back on a full request when JavaScript is disabled. Similarly many sites implement convenience features like jQuery-based auto-completion which help make the site easier/faster to use, but again the site continues to function even with JavaScript turned off. You likely never even realize that you are getting a degraded experience because the site did not completely break.

      That is a large part of the reason I actively do not recommend NoScript or similar solutions, favoring blacklisting known bothersome scripts, and using sandboxes and equivalents to guard against the unknown.

      [1] You only need to download the changed portion, and browsers can update a page in place faster than re-rendering the whole page.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    12. Re:web 101: don't run unknown javascripts by 93+Escort+Wagon · · Score: 4

      Even if the defaults are reversed, what is grandma going to do, vet the JS code for every script that wants to run?

      This is Slashdot - our posts are meant to demonstrate how 1337 we are, not an understanding of how the world actually works.

      --
      #DeleteChrome
    13. Re:web 101: don't run unknown javascripts by 93+Escort+Wagon · · Score: 5, Funny

      It's 2011, there should not be anything a Javascript can do that is harmful to your computer.

      It's 2011, where's my damn flying car?

      It's held up in pre-production until they can fix a persistent Javascript bug.

      --
      #DeleteChrome
    14. Re:web 101: don't run unknown javascripts by Undead+Waffle · · Score: 3, Insightful

      Why sad? The ability to have portions of the page refresh without round-tripping to the server for a whole new page is only one of the highly useful functions provided by JS.

      It's useful when used correctly. But when all of the links are JS and I can no longer middle click to open in new window I get annoyed.

    15. Re:web 101: don't run unknown javascripts by 0123456 · · Score: 2

      We have some very high traffic sites, and outside of web crawlers, I don't believe we've seen it blocked, ever.

      NoScript claims to have downloaded 84,000,000 times, so I can only presume that people running it are unlikely to visit your sites.

    16. Re:web 101: don't run unknown javascripts by RobbieThe1st · · Score: 2

      Course, near as I can tell, computers these days can re-render the page fast enough that it doesn't matter: it's internet connection speed and latency that's important.

      I, for one, hate ajax crap: it's almost always slower for me (due to them always using multiple requests, across multiple servers usually) than a single, straight HTML page with everything else being cached. Of course, the ajax'd page loading new ad-code may have something to do with it -- turning on NoScript speeds up some pages loading by 10x at least!

    17. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 2, Interesting

      You can fix this by adding "&gbv=1" to your search string. If you want it as a search plugin, save http://pastebin.com/GswQX4V5 as an xml file in your searchplugins folder.

    18. Re:web 101: don't run unknown javascripts by Culture20 · · Score: 2

      Hopefully someone will mod you TROLL. Or MORON.

      Why? Have I been Wooshed? I had to inform our own web devs that our website doesn't work without flash and JS, and they didn't see the problem either. It's as bad as a sysadmin suggesting RAID0 because he's never seen a drive die. Maybe troll for the TFB comment? I notified them of their error in 2002 when they changed to the big flash object (back when few people used flash), now that flash is being blocked in companies and iP[od/ad/hone]s don't have flash, it still boggles me why they don't have at least a simple "here's who we are" that's just simple html.

    19. Re:web 101: don't run unknown javascripts by jabberw0k · · Score: 3, Insightful

      Indeed. This whole article confuses me. I have been doing web development since the 1990s and the whole point of Javascript was that it cannot cause a program to be run or installed on your computer... otherwise the web browser is insecure. If Javascript code can permit code to run on your computer, that would be a show-stopping browser bug! If that is true, then the only way to prevent this is to stop using that broken browser entirely. But that cannot be the case, can it?

      I find it hard to understand why this whole article is a problem...

    20. Re:web 101: don't run unknown javascripts by toygeek · · Score: 2

      Yes, I will tell you this. Indeed, people want their computer to be like a microwave. They don't care how it works and as long as it puts out hot food they're happy. I still get people running IE6 and 7 and Firefox 2.0. They don't give a hoot about security, and most of the time they have no idea what is secure and what isn't.

      Drive-bys are unavoidable, but with some education we help our customers keep from being infected.

    21. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 2, Insightful

      The trouble is that you likely get a substantially degraded experience on some sites.

      Ironically I consider all that AJAX-javascript-navigation stuff complete and utter bullshit. That right there degrades experience, not the other way around.

      Before Javascript you could navigate sites in a "standardised" way, i.e. open links in tabs, use back and forward buttons and so on. All sites worked the same. Javascript broke that. Now sites have to reimplement this functionality in their own unusual way; most just don't do it. So navigation gets a lot harder WITH your fancy javascript.

      I get it, as a developer you love fancy new technology. However as a visitor/customer it's a usability nightmare.

    22. Re:web 101: don't run unknown javascripts by mikael_j · · Score: 2

      If the head honchos say "we talked to marketing, they want widget foo to do thing bar when the user hovers his mouse pointer over it" then most of the time the devs can choose between "just do it" even if it means breaking things for those who don't have JS activated or disciplinary action.

      It basically boils down to "It's not your website, it's ours, and we want shiny javascript everywhere, now implement it!". And yeah, I'm not a big fan of using JS unless absolutely necessary to get the desired results, but sometimes you have to.

      --
      Greylisting is to SMTP as NAT is to IPv4
    23. Re:web 101: don't run unknown javascripts by Waccoon · · Score: 3, Insightful

      Because browsers allow 3rd party Javascript to run as if it were 1st party. This makes advertisers happy.

      I've been complaining about this for years, but so long as the new economy demands that browsers be supported through sponsorships and ads, security just won't become a priority.

      Hell, reading a PDF can infect your PC with a virus? I've got a great idea... let's build a PDF reader right into the web browser, and for bonus points, you can't disable it. It's okay, we built a sandbox for it, and made JavaScript twice as fast for good measure. Oh, but we still won't include support for [insert FOSS codec of choice here] because it will make the browser too bloated.

    24. Re:web 101: don't run unknown javascripts by jimicus · · Score: 2

      Because the very act of surfing the web is - from a security perspective - probably one of the most stupid things to have happened in the whole of computer history.

      And I'm not exaggerating.

      The first thing anyone who gives a damn about IT security learns is "don't open any old random garbage". How important this rule is (and how easily it's forgotten) was first brought home with things like ILOVEYOU - and that was 11 years ago, FFS. As a result, mail systems have been getting ever more paranoid about accepting executables - it's quite awkward to even successfully receive an executable in Outlook today, and that's assuming they've not been blocked at the mail server.

      While this has been going on, web browsers and their plugins have been merrily gaining more and more functionality and more and more potential for exploits of more-or-less exactly the same type. But they're slightly worse. With email, most modern mail applications don't run any active content that's likely to cause a problem until you explicitly tell them to. Web browsers run it as soon as the page loads.

      So we now have millions of people worldwide who are actively using a tool which - by design - downloads and runs random code from anywhere in the world with little or no confirmation that one would want to - or indeed that it would be sensible to. At best you have something like Safari's "Warning, this site may damage your computer" page - but we already know that such warnings are fairly useless because people have been conditioned to ignore them.

    25. Re:web 101: don't run unknown javascripts by Angostura · · Score: 2

      You're the kind of stupid that makes a website that's just one big flash object with no links to non-flash content.

      And you're the kind of person who defines everything in the universe as 'black' or 'white'

    26. Re:web 101: don't run unknown javascripts by Tim+C · · Score: 2

      Actually in a lot of cases the partial page loads are there more to help the server than the client; a heavily-hit site can reduce bandwidth usage and processing overhead by a substantial amount by only processing/transferring the relevant portions of a page. The fact that it also may improve the end user experience is a nice bonus rather than the primary consideration.

  3. So... by Mashiki · · Score: 2

    Can we scrap the entire js system now and rebuild it from scratch so it stays inside a fucking sandbox this time?

    --
    Om, nomnomnom...
    1. Re:So... by ChunderDownunder · · Score: 2

      Ummm... Isn't specifying what actions a script can perform the definition of a sandbox?

      accessing the filesystem, launching popup windows, transmitting content outside of the original domain, redirection, cookies, etc.

      These are all permissions that should be codified by the scripting engine's security manager and configurable by the end-user on a site-by-site option.

    2. Re:So... by larry+bagina · · Score: 2

      I can ask javascript to suck my cock all night long, but it doesn't. Even in browsers without a sandbox.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

  4. Use an alternative search. by Deathlizard · · Score: 3, Insightful

    At this point, I feel SEO poisoning is so bad on Google that I find myself using other search engines more since they don't seem to be as big of a target.

    Altavista, Ask and Bing have just been giving me more relevant search results lately. Google seems to like to show more SEO sites, forum reposters that just repost the same forum entries over and over and "Meta Search" sites such as software informer and alibaba.

    Image search Rogueware poisoning is yet another reason to start looking somewhere else for search results.

    1. Re:Use an alternative search. by Pseudonym+Authority · · Score: 3, Interesting

      Altavista, Ask and Bing have just been giving me more relevant search results lately.

      Somewhat interestingly, and wildly offtopic, Altavista is powered by Yahoo, and Yahoo is powered by Bing, so you are really only using at most 2 search engines. (Ask also outsources to someone, but they don't say who, so it may very well be M!r0$0f+ as well).

    2. Re:Use an alternative search. by Undead+Waffle · · Score: 4, Funny

      Altavista, Ask and Bing have just been giving me more relevant search results lately.

      Somewhat interestingly, and wildly offtopic, Altavista is powered by Yahoo, and Yahoo is powered by Bing, so you are really only using at most 2 search engines. (Ask also outsources to someone, but they don't say who, so it may very well be M!r0$0f+ as well).

      And Microsoft copies Google's search results so in the end everyone is just using Google!

  5. screenshots by cobbaut · · Score: 5, Informative

    Two weeks ago I put some screenshots of what it looks like on my blog:
    http://cobbaut.blogspot.com/

    --
    European Linux user, living in Antwerp
    1. Re:screenshots by bmo · · Score: 3, Interesting

      I've seen it. It detects Chrome and puts up a fake Chrome screen.

      The problem is that the dialog is modal and steals focus from Chrome. You can't simply close the tab. So you click, it does its "scan" and gives a heads-I-win-tails-you-lose dialog and you click that and you wind up downloading a windows executable, and that's when Chrome finally steps in and says "hey, this is an executable file, do you really want this?" and that's the only place you can say no-thanks.

      The only other solution is to force-kill (kill -9) the entire Chrome window at the start.

      Chrome should allow you to close a tab and anything else attached to it, at any time. The current situation is unacceptable from a user's POV.

      I did this in Linux, but having wine installed means that this could be a vector for malware in Linux, too, with a little more work.

      inb4 "but no malware writer cares about linux" and "hurr, wineserver is a user process, so it makes no sense to have autorun malware as a user" (as if anyone ever checks his .bashrc or .profile). The only thing I see as a barrier to this foolishness is the relative intelligence of your average Linux guy (me) versus the typical Windows user in deciding not to run something thrust at the browser for download from a bad website.

      --
      BMO

    2. Re:screenshots by 1729 · · Score: 2

      Chrome should allow you to close a tab and anything else attached to it, at any time. The current situation is unacceptable from a user's POV.

      Chrome? Can't you use the Shift-Esc built in Chrome task manager and kill the window?

      Actually, I just tried (Chrome on a Mac), and I couldn't kill the window through the Chrome Task Manager. Nothing I tried worked: I either had to force-quit the browser or just click "OK" and let it run through the fake scan and download the .exe. I'm annoyed that Chrome doesn't seem to provide a way to block javascript hijacking (other than disabling javascript entirely or through explicit whitelists/blacklists). I don't EVER want a web page to be able to disable my right-click, back button, history, 'view page source' option, etc., all of which this popup did.

    3. Re:screenshots by jimicus · · Score: 2

      I let it complete downloading, the zip file contains a Mac application called MacProtector and it fires up an installer immediately.

      In other words, it's started. Mac users can't be complacent any more.

    4. Re:screenshots by jimicus · · Score: 2

      Replying to myself, but I pushed the file through VirusTotal (which runs suspect files through a whole host of AV engines). Somewhat depressingly, most of them didn't catch it.

      The results are here if anyone's interested.

  6. Violence is required by erroneus · · Score: 4, Interesting

    The people who are doing this are criminals. They need to be stopped. It's as simple as that. Follow the money and beat the crap out of them until it stops.

  7. a couple add ons that help by d6 · · Score: 5, Insightful

    I surf with requestpolicy and noscript up. It is utterly amazing the number of websites that can't render a page without firing scripts or loading content from 6, 8, 10 or more different domains.
    If you haven't tried these, do it and be amazed at how many sites load without stylesheets, pictures etc. It's amazing how badly shit is implemented - zero thought about graceful degradation.

    no script
    requestpolicy

    1. Re:a couple add ons that help by Low+Ranked+Craig · · Score: 3, Insightful

      Not zero thought about degradation and not bad implementation. This isn't the same as developing for IE for example. It's simply that implementing features two ways - one for JS and one for no, takes more than twice as much effort, so it doesn't get done. I've told clients before about the JS issues, but what it comes down to is the client doesn't want to spend twice as much to service the 2% that turn off JS. Period. They get a message that tells them to enable JS to use those functions. It's cost vs. benefit 101.

      --
      I still cannot find the droids I am looking for...
    2. Re:a couple add ons that help by nonregistered · · Score: 2

      Same here: no script & requestpolicy. The amount of tweaking required to surf safely tends to make me visit less than a dozen sites regularly.

    3. Re:a couple add ons that help by hedwards · · Score: 2

      Which is really why companies need to be held accountable for exploits in their code rather than being allowed to require that somebody else pay for their incompetence. It worries me a great deal how many sites don't use https for log ins or insist upon not giving users a way of getting in without Flash.

      I'm sure we'd see serious movement quickly if all of a sudden they were themselves responsible for their actions or inaction as the case may be.

  8. Slashdot Promoting Plagiarism by lee1 · · Score: 2

    The summary contains two links. The first is to an article that plagiarises the second, padding the lifted paragraphs with barely intelligible proto-English. What a disgrace.

  9. Mac is vulnerable too by Teckla · · Score: 5, Informative

    My wife got bitten by this just today.

    She navigated to a web page from a Google search result, and Safari automatically downloaded some malware and executed it.

    I didn't believe my wife's story at first, so I tried it. Sure enough, automatic download and execution on Mac/Safari.

    What the fuck, Apple and Safari?

    The only question that remains is whether I'll be moving her to Firefox or Chrome...

    1. Re:Mac is vulnerable too by larkost · · Score: 3, Informative

      It did not download and execute, it downloaded and opened the installer. Your wife would have had to go clicking through an installer, and provided her admin credentials, in order to have installed/run something.

      While this is bad behavior, and will probably finally convince Apple that .pkg should not be on the list of auto-launched items, this is also not the "sky is falling" situation that your post makes it out to be.

    2. Re:Mac is vulnerable too by slyborg · · Score: 4, Informative

      Turn off "Open Safe files after downloading" in Safari Preferences. (-_-)
      Chrome is definitely faster, but doesn't have NoScript and uses more RAM.

    3. Re:Mac is vulnerable too by Teckla · · Score: 4, Insightful

      It did not download and execute, it downloaded and opened the installer. Your wife would have had to go clicking through an installer, and provided her admin credentials, in order to have installed/run something.

      Sorry, I'm not a Mac expert. All I know is that it automatically downloaded something, and automatically executed something. I'm not technically knowledgeable enough about OS X to know that, even though we immediately exited the malware installer, that nothing bad could possibly have happened.

      And I'm still not convinced the malware installer didn't do something bad before it popped up its first GUI window. I'm not accusing you of being a liar, but my wife uses her Mac to access our bank accounts and such. I have no choice but to nuke the site from orbit (reinstall OS X). I'd like to trust that because someone on the Internet said I'm safe and not to worry about it, that I can just plain not worry about it, but I just can't take that risk.

      At the end of the day, Apple/Safari's amazingly fucked up defaults burned us good and hard. It'll take me days to fully reload and reconfigure her machine.

      Thanks, Apple...

    4. Re:Mac is vulnerable too by Teckla · · Score: 4, Informative

      What was the link? What was the malware?

      I'm sorry to say I no longer have the link. I can tell you my wife was searching for something to the effect of "fairy wings" or "tinkerbell wings" with my young daughter, and that the link she ultimately clicked on was a .ms address. That might help you hunt down the same link, since this happened less than 8 hours ago.

      What happened? I am assuming it downloaded an actual executable Mac application

      I don't recall the exact thing it downloaded, but I recall it ended with .mpkg and was actually a directory I was able to navigate into using Terminal.

      It automatically popped up some kind of installer for MacProtector, which is apparently malware (based on my Googling). I'm pretty good on Windows and Linux, but I know next to nothing about the Mac. I'm not aware of any really low level geekery details like "Mac installers are always 100% safe! Just cancel out of them!" or anything like that. I'm confident it didn't have root access, but even with just my wife's login credentials, my suspicion is that it could have done a lot of damage.

      What *exactly* executed, and what was the result?

      She clicked on a Google search result. The Downloads dialog box popped up. It downloaded something almost too quickly for the eye to see. Some kind of malware installer that displayed a GUI. It looked like the very first step of the installer. There was a Continue button.

      I would be interested to know what malware got past, and what her settings in Safari were.

      I'm sure her Safari settings were almost entirely set to their defaults. The Mac is supposed to be the "safe" computer. Or so we thought...

      I'm sure the Slashdot crowd will come down hard on me over this. I fully expect my intelligence to be questioned and to be modded into oblivion. But really, I don't see how an average user should respond to this except to assume the worst and reinstall OS X.

      And I really do blame Apple for setting absolutely bone headed defaults on Safari.

    5. Re:Mac is vulnerable too by techtech · · Score: 4, Informative

      Safari / Mac OS X, latest versions as of 08.05.2011 CET. As I happen to use the Google image search a lot, I open each image (from Google results) in tabs (collect them) and review them after that. Today I searched for different architecture-related things and managed to open this FAKE AV page a lot of times, on different pages. The file that is downloaded is "anti-malware.zip" [1.9 MB on disk (1,872,571 bytes)]. This file contains "MacProtector.mpkg". I am sure I do not have the default settings, because I review every program's settings before I start using it, as a common procedure. I have the "open safe files automatically" option off, and it was not opened. As far as I know Safari does not consider a zip a safe file, and there is no automatic execution of an mpkg inside a zip as standard?

    6. Re:Mac is vulnerable too by jo_ham · · Score: 2

      No, Safari won't execute an .mpkg as standard - that's an installer file and would require other user interaction (clicking next etc) to step through, and your admin password if it was going to go outside your home folder at all. So if you don't fall for the social engineering you can stop it at that point.

      It looks like it must be a trojan of some kind, but no different to any standard trojan: you have to have the user install it.

    7. Re:Mac is vulnerable too by cathector · · Score: 4, Interesting

      i've been on osx for about two years, and just yesterday had my first malware experience,
      which is pretty much identical to Teckla's: i was in safari and followed a GIS link for "blanket octopus"
      and clicked on one of the pictures, and got a pop-up browser with some "security scan in progress..." BS dialog.
      no big deal.
      but then the OSX package installer opened up, trying to install some obvious malware .mpkg which had been downloaded to my desktop.
      downloading a file without my permission is already a total security fail, imo, but running the installer on it is beyond bad.
      obviously i nixed the installer and power-cycled and so far haven't noticed anything untoward, but it's scary.
      the name of the .mpkg was "MacProtector.mpkg". unfortunately i rm -rf'd without making an archive of it.
      - google shows a few hits for that. so, in short, yeah, Teckla's experience matches mine.

    8. Re:Mac is vulnerable too by Teckla · · Score: 2

      Isn't it disingenuous to criticize Apple for putting you into a situation that you have decided is unfalsifiably dangerous?

      I did Google before I panicked too much. There is, so far, not a whole lot of confident sounding information on MacDefender / MacProtector.

      If it was splattered all over the Internet that it's safe to cancel out of the installer and go on your merry way, that's probably what I would have done.

      In any case, how can anyone seriously defend Apple for Safari defaults that automatically download something and run an installer?

      Seriously, you have got to be kidding me. Apple fucked up bad on this one, and should be called out for it. How can you not criticize Apple for this?

    9. Re:Mac is vulnerable too by Andreas+Mayer · · Score: 2

      and automatically executed something. I'm not technically knowledgeable enough about OS X to know that, even though we immediately exited the malware installer, that nothing bad could possibly have happened.

      It executed the system's installer application. Nothing bad could possibly have happened up until that point. You will have to at least click a button to have anything installed. In many situations you will additionally be required to input your system administrator's name and password.

      And I'm still not convinced the malware installer didn't do something bad before it popped up its first GUI window.

      If you didn't acknowledge the installation, no foreign code will have been executed.

      I have no choice but to nuke the site from orbit (reinstall OS X).

      That's totally unnecessary.

      At the end of the day, Apple/Safari's amazingly fucked up defaults burned us good and hard.

      It didn't. It was you who decided not to trust the system.

    10. Re:Mac is vulnerable too by Teckla · · Score: 2

      It didn't. It was you who decided not to trust the system.

      The fact that Safari will automatically download and execute installers may be technically safe -- just an annoyance, at worst -- but expecting users of OS X to know that OS X installers are 100% safe little furry friendly creatures that cannot possibly do any harm whatsoever to your computer is asking a bit much, since installers work differently on, well, every other OS in existence, in my (very broad) experience.

      On other operating systems, installers are foreign code that can do all sorts of harm to the contents of your $HOME directory at the very least.

    11. Re:Mac is vulnerable too by Low+Ranked+Craig · · Score: 2

      I worked at getting this to happen this morning, and I finally did. What happens is that you search for an image, click on it, and it redirects you to a site like this: http://69.50.202.201/f1f7925050f1f83d3b0fc524a72f5af09f55c52837b293fb which displays a bogus virus scanning screen and downloads a zip file. In Safari, if you have "open safe files" checked, it will unzip the file, anti-malware.zip in this case, and run the installer. This is true. However, this is a social engineering application. You still have to click Continue and provide your password to install anything. As far as it goes it is very well done, but it is not a drive-by install - you MUST EXPLICITLY GIVE PERMISSION to install it. I'm sure a bunch of people will install it, but there's nothing you can do about that. I felt comfortable enough to search this out and try it myself with no ill effects. Turn off "open safe files" in Safari if it bothers you.

      --
      I still cannot find the droids I am looking for...
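
    An added example for the question running through this thread (Teckla's "did the installer do something before it popped up its first GUI window?" and the replies that say nothing runs until you click). This is my own triage script, not code from any commenter or from Apple. It assumes the bundle-style package layout of that era: a .pkg/.mpkg is a directory, Installer.app runs Contents/Resources/InstallationCheck and VolumeCheck (and any Contents/distribution.dist JavaScript) when the package is opened, while the preflight/preinstall/postflight family runs only after the user clicks through and authorises the install. The "anti-malware.zip" it builds is a constructed stand-in with empty shell scripts, not the real sample; the only thing it shares with the thread's download is the MacProtector.mpkg name.

    ```python
    """Triage a downloaded installer archive (anti-malware.zip -> MacProtector.mpkg).

    Added example, not from the thread. Assumption: bundle-style .pkg/.mpkg
    packages are directories, and Installer.app runs
    Contents/Resources/InstallationCheck, VolumeCheck and any
    Contents/distribution.dist script as soon as the package is opened;
    the pre/post install scripts run only after the user authorises the install.
    """
    import os
    import tempfile
    import zipfile
    from pathlib import Path

    # Runs when Installer.app merely opens the package (before any click).
    OPEN_TIME_SCRIPTS = {"InstallationCheck", "VolumeCheck"}
    # Runs only after the user has clicked through and, usually, authenticated.
    INSTALL_TIME_SCRIPTS = {"preflight", "preinstall", "preupgrade",
                            "postflight", "postinstall", "postupgrade"}


    def safe_extract(zip_path, dest):
        """Extract zip_path into dest, refusing members that escape dest (zip-slip)."""
        dest = Path(dest).resolve()
        with zipfile.ZipFile(zip_path) as zf:
            for member in zf.infolist():
                target = (dest / member.filename).resolve()
                if target != dest and dest not in target.parents:
                    raise ValueError(f"refusing member outside archive root: {member.filename}")
                zf.extract(member, dest)
        return dest


    def find_bundles(root):
        """Yield every .pkg/.mpkg directory below root (nested sub-packages included)."""
        for dirpath, dirnames, _ in os.walk(root):
            for d in sorted(dirnames):
                if d.endswith((".pkg", ".mpkg")):
                    yield Path(dirpath) / d


    def triage_bundle(bundle):
        """Report which scripts in one bundle run at open time vs. install time."""
        bundle = Path(bundle)
        resources = bundle / "Contents" / "Resources"
        open_time, install_time = [], []
        if resources.is_dir():
            for p in sorted(resources.iterdir()):
                rel = str(p.relative_to(bundle))
                if p.name in OPEN_TIME_SCRIPTS:
                    open_time.append(rel)
                elif p.name in INSTALL_TIME_SCRIPTS:
                    install_time.append(rel)
        has_dist = (bundle / "Contents" / "distribution.dist").is_file()
        return {
            "bundle": bundle.name,
            "open_time": open_time,
            "install_time": install_time,
            "has_distribution_script": has_dist,
            # True means code could have run the moment the installer window appeared,
            # so cancelling out of the GUI was not enough to be sure nothing executed.
            "ran_before_first_click": bool(open_time) or has_dist,
        }


    def triage_archive(zip_path, workdir=None):
        """Extract the archive into a scratch directory and triage every bundle in it."""
        workdir = workdir or tempfile.mkdtemp(prefix="mpkg-triage-")
        root = safe_extract(zip_path, workdir)
        return [triage_bundle(b) for b in find_bundles(root)]


    def build_sample_archive(directory=None):
        """Constructed stand-in for anti-malware.zip; harmless placeholder scripts only."""
        directory = directory or tempfile.mkdtemp(prefix="mpkg-sample-")
        path = os.path.join(directory, "anti-malware.zip")
        stub = "#!/bin/sh\nexit 0\n"
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("MacProtector.mpkg/Contents/Info.plist", "<plist/>")
            # Open-time script in the outer meta-package.
            zf.writestr("MacProtector.mpkg/Contents/Resources/InstallationCheck", stub)
            # Install-time script in a nested component package.
            zf.writestr("MacProtector.mpkg/Contents/Packages/core.pkg/Contents/Resources/postflight", stub)
        return path


    if __name__ == "__main__":
        for report in triage_archive(build_sample_archive()):
            print(report)
    ```

    Point it at the real zip from ~/Downloads before deleting it (cathector's rm -rf is exactly what loses the evidence). A bundle whose report says ran_before_first_click is False supports the "just cancel the installer" replies above; one that lists an InstallationCheck or a distribution script means a script did get a chance to run when the window opened, which is the case where Teckla's instinct to treat the machine as suspect is the right call. On the Mac itself, the preference slyborg and Low Ranked Craig refer to is the AutoOpenSafeDownloads key in the com.apple.Safari defaults domain; setting it to false from the Terminal is equivalent to unticking the box in Safari's preferences.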
  10. Re:You have to run them by Abstrackt · · Score: 2

    Try YesScript. You can blacklist sites that cause problems while letting the rest through without having to explicitly whitelist them.

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  11. Re:You have to run them by 0123456 · · Score: 2

    Try YesScript. You can blacklist sites that cause problems while letting the rest through without having to explicitly whitelist them.

    Great idea. Then I can blacklist www.thissiteissafehonest.com _AFTER_ it's used Javashit to download malware to my computer.

    Disabling Javashit by default is the only safe way to browse the web these days.