Slashdot Mirror


Scammers Bite Chrome Users With Forgotten 2014 Bug (betanews.com)

"Tech support scammers have started exploiting a two-year-old bug in Google Chrome to trick victims into believing their PC is infected with malware," reports security researcher Sophos. It begins by freezing the browser, BrianFagioli reports, sharing an article from Beta News: These bad guys pose as Microsoft tech support and display an in-browser message that says the user's computer is infected with "Virus Trojan.worm! 055BCCAC9FEC". To make matters worse, Google has apparently known about the exploit for more than two years and simply failed to patch it. "The bug was discovered in Chrome 35 in July 2014 in the history.pushState() HTML5 function, a way of adding web pages into the session history without actually loading the page in question. The developer who reported the issue published code showing how to add so many items into Chrome's history list that the browser would effectively freeze", says Sophos...

"Users can either close Chrome using the Task Manager or, in cases where the browser is using up so much processor power that Task Manager doesn't appear, by rebooting the computer. The chances of encountering this particular scam are small -- it's only been spotted on a single website -- but its existence underlines how small bugs that don't seem terribly important may nevertheless be abused by cybercriminals down the line."

35 comments

  1. Ho ho ho by fubarrr · · Score: 1

    Yandex, their Russian competitor, was pushing their Yandex Browser with these scamvertisements for years.

    How many times you saw this on android? A popunder comes with "Delete viruz in 5..4..3..2..1." and then your phone hangs. If you click on it, it opens that Yandex browser in google market.

    1. Re:Ho ho ho by Anonymous Coward · · Score: 1

      Zero times. Try staying off the Russian porn sites.

    2. Re:Ho ho ho by Anonymous Coward · · Score: 0

      But they have the best midget porn.

    3. Re: Ho ho ho by Anonymous Coward · · Score: 1

      I want to know why nobody has acknowledged that fake virus infinite redirects served from poison ads are really fricken common. With my Galaxy S3 I got redirects to the app store without touching anything. That was it.

      With my Nexus 6p I get random full screen ads that do the ol virus + alert + 9 redirects prior. They look at the user agent to determine I have a Nexus 6p. They look at my IP to determine I'm on Verizon. I bet this is really effective at scaring the less computer illiterate. Again, this is without doing anything. The worst I've seen is a site that Google put on a card for me. About 15 seconds after the site loaded, it prompted a full screen interstitial with "are you a robot?" The only option was "no". You tapped it and instantly you're redirected to the stupid you have a virus page. Close chrome and reopen it and you're back at that damned page again.

      I want to know why an ad is allowed to serve JavaScript.

    4. Re: Ho ho ho by Anonymous Coward · · Score: 1

      This just happened with slashdot. Fullscreen advert taking over the browser. Shame /. does not vet its own adverts.

    5. Re:Ho ho ho by doccus · · Score: 1

      No it's not just porn. And it's not just russia. Basically every video download site. There's a lot of old movies (I love pre '66 movies!) that have gone public, but sleazy video distributors still download them and try to sell them, and if someone tries to post it on youtube, they file a notice, even tho they have no rights to it. The only alternative then becomes one of these download sites like openload or others like it. Complete with virus message. Of course you can do a force quit, but the fact is it happens.. a lot. One time I noticed several hundred additions to my history and didn't know what was causing it.. but now I know. Chrome will never patch it on my OS because it's 5 years old and chrome deprecated it. I can't upgrade because it's the last version my apps will run on, and I'm not ready to dish out several grand for up to date versions. No free update for mine.. i.e. photoshop... OK, eventually I will find out how to run OSX 10.6 in a seamless virtual window on OSX10.11, but haven't yet... then I'll simply sandbox it and use 1.11 for the net. By which time chrome just might patch the bug... maybe ;-)

  2. Not only cybercriminals, either. by Stormbringer · · Score: 1

    Care to try to explain how all those links to kiddie-porn sites got on your computer in a courtroom?

  3. Why does that function even exist? by Anonymous Coward · · Score: 1

    How does it benefit the user to let websites push "visited" URLs into a browsers history? I expect my browser's history to only include sites I've actually visited.

    1. Re: Why does that function even exist? by Anonymous Coward · · Score: 3, Insightful

      Specifically it's for sites or web apps that have changes to pages without navigating to a new URL so the back button will work as expected. Basically for JavaScript laden front ends the hipsters love that leak like crazy and use all your memory and CPU just for a couple tabs.

    2. Re: Why does that function even exist? by 93+Escort+Wagon · · Score: 3, Interesting

      Specifically it's for sites or web apps that have changes to pages without navigating to a new URL so the back button will work as expected.

      Like my.t-mobile.com. It's such an annoying practice... plus sites doing it often don't work correctly in some browsers.

      --
      #DeleteChrome
    3. Re:Why does that function even exist? by Anonymous Coward · · Score: 0

      ... a way of adding web pages into the session history without actually loading the page in question.

      Yeah, I mean what could possibly go wrong?

      I bet the cops love it though. Everyone is guilty! Yay!

    4. Re:Why does that function even exist? by tlhIngan · · Score: 3, Informative

      How does it benefit the user to let websites push "visited" URLs into a browsers history? I expect my browser's history to only include sites I've actually visited.

      Easy - if you click a link on a page and it does an AJAX thing and loads up the destination without actually changing the page URL. You see this in webmail - you click your mailbox and the URL doesn't change, but the email opens. Now, you may know to click the X that they put up to close it, or a back button to go back to the index, but if you click the real browser Back button, what happens? If you're unlucky, it goes to the previous page you visited (or blank tab page).

      Using this function lets you pre-load the page into the Back button so if you use the back button, it does the Right Thing and actually goes back to the index as you expect.

      The best example of this is GMail - where you have 3 ways of getting back to the index from a message view - you click the arrow, you click the mailbox, OR you click the browser back button. (And the back button may not be physically clicking the button, but using a mapped keyboard or mouse button)

      It's because a lot of sites do AJAXy stuff that would otherwise break Back button functionality
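One way to bound the history flooding described in the story while leaving the legitimate back-button use intact is a per-page call budget on `pushState()`. The sketch below is an added example, not part of the original thread and not any browser's actual code; `guardPushState`, `makeFakeHistory`, `MAX_CALLS` and `WINDOW_MS` are hypothetical names and values chosen for illustration, and the fake history object stands in for `window.history` so the code runs outside a browser.

```javascript
// Illustrative budget (assumption): at most MAX_CALLS accepted pushes per WINDOW_MS.
const MAX_CALLS = 50;
const WINDOW_MS = 10000;

// Wraps a History-like object so pushState() is refused once the page
// exceeds its budget. `now` is injectable so the behaviour can be tested.
function guardPushState(historyLike, now = () => Date.now()) {
  const original = historyLike.pushState.bind(historyLike);
  const stamps = [];   // timestamps of accepted calls still inside the window
  let dropped = 0;     // refused calls, useful as a detection signal
  historyLike.pushState = function (state, title, url) {
    const t = now();
    while (stamps.length && t - stamps[0] >= WINDOW_MS) stamps.shift();
    if (stamps.length >= MAX_CALLS) { dropped++; return false; }
    stamps.push(t);
    original(state, title, url);
    return true;
  };
  return { dropped: () => dropped };
}

// Minimal stand-in for window.history (constructed for this example).
function makeFakeHistory() {
  const entries = [{ state: null, url: "/inbox" }];
  return {
    get length() { return entries.length; },
    pushState(state, _title, url) { entries.push({ state, url }); },
  };
}

// Constructed scenario: one webmail-style navigation, then a burst of pushes.
function demo() {
  let clock = 0;
  const h = makeFakeHistory();
  const guard = guardPushState(h, () => clock);
  h.pushState({ view: "message", id: 42 }, "", "/inbox/42"); // legitimate use
  for (let i = 0; i < 1000; i++) h.pushState({ i }, "", "/x" + i); // burst
  const afterFlood = h.length;          // history stays bounded
  clock += WINDOW_MS;                   // window expires, budget refills
  const accepted = h.pushState({ view: "inbox" }, "", "/inbox");
  return { afterFlood, dropped: guard.dropped(), accepted, final: h.length };
}
```

The `dropped` counter doubles as a signal: a page that exhausts its budget within seconds is behaving like the scam page, not like a webmail client.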

  4. I don't even use Gmail anymore. by Anonymous Coward · · Score: 0, Funny

    When will people realize Google use things like that to steal information from users? Your Android for example. For god sake, they even have a troll department on Google. Probably being paid by Hillary to conspire against Trump right now.

    1. Re:I don't even use Gmail anymore. by Anonymous Coward · · Score: 1

      So it seems Google Translate from Russian to English works.

  5. It's not rare. It's very common. by Anonymous Coward · · Score: 5, Interesting

    I work in tech support for a local managed service provider in a small city. We have several dozen business clients in the region (we don't handle private users). We are not a large operation by any measure. We get at least 2 calls a week about someone's computer having a virus that turns out to be this. Most of the time it seems to come from websites that are typo-squatting. If we are seeing that volume of complaints it can't be rare.

    1. Re: It's not rare. It's very common. by raind · · Score: 3, Interesting

      I was just about to say the same thing. This has been going on for months

      --
      Get up!
    2. Re:It's not rare. It's very common. by Anonymous Coward · · Score: 0

      Same here.

      Bad links from the usual sources - Shady ad providers, email, search engine spam.

    3. Re:It's not rare. It's very common. by Anonymous Coward · · Score: 0

      I get this several times a day. Very annoying. Norton and Microsoft won't take any responsibility to block it. I did the 127.0.0.1 trick in hosts, but there are lots of URLs being used. Glad to see it is now shown to be Chrome specific.

  6. At work by Billly+Gates · · Score: 1

    We use IE 8 so should be fine ... sheww

    HTML 5 is too scary right now

  7. Got bit by this 2-wks ago at latimes.com by bennet42 · · Score: 4, Interesting

    I normally browse using firefox with noscript and uMatrix, but occasionally when I want to view a video, I'll fire up Chrome and copy/paste the link there. Did that for an article at latimes.com two weeks ago and got served up some malware advertisement that did exactly this. I was impressed. You wouldn't expect that a reputable site like latimes.com would allow malvertizements, and you wouldn't expect that chrome would have an easily exploitable javascript vulnerability. Had to use process explorer to kill chrome.

    1. Re:Got bit by this 2-wks ago at latimes.com by aberglas · · Score: 2

      I personally saw this one too. Had to kill Chrome. Wondered what other damage it was doing.

      The most important thing about a browser is how many features it has. The more the better. Real security would involve winding back HTML5 into something so simple that it could be understood and audited. Never going to happen. And we have come to accept that shipping insecure software and then patching as the bugs are found is the way software works. Nobody is ever upset that the bugs are shipped in the first place -- it is just a fact of our ever more complex lives.

      I think that we have to accept that when we visit a web site we are executing their code and therefore need to just trust that they will not do anything to our computers.

    2. Re:Got bit by this 2-wks ago at latimes.com by Anonymous Coward · · Score: 0

      Copy paste? Seriously? You don't use Open With? And you don't have uBlock Origin for Chrome?

    3. Re:Got bit by this 2-wks ago at latimes.com by andi75 · · Score: 1

      Let's see, it's either ctrl(or command)-l, ctrl-c, alt-tab-tab-tab, ctrl-l, ctrl-v, enter (six key combinations probably already committed to muscle memory), or installing yet-another-extension (and we already have too many of those to keep track of, don't need another one) AND taking your hands off the keyboard.

    4. Re:Got bit by this 2-wks ago at latimes.com by Anonymous Coward · · Score: 0

      Uh, the browser tracks the extensions for you. That's why we have computers in the first place. You are likely putting more effort into whining, complaining, and being regularly annoyed than the additional 2.5 MB storage and 500KB memory usage will ever affect you.

    5. Re:Got bit by this 2-wks ago at latimes.com by SQLGuru · · Score: 1

      I typically run with two different "users" logged in to Chrome and I have each user on a different monitor. One user is for sites where I want to save credentials and the other is for sites I don't......harder for a site to use Facebook if it's running under a different Chrome session. Because I have two monitors, I've seen an attack similar to the one described in the article, but it was obvious because only one monitor got the "Operating System Error" message.

    6. Re:Got bit by this 2-wks ago at latimes.com by vandamme · · Score: 1

      ............... a reputable site like latimes.com ..........

      Not so sure about that.

  8. Same as the phone calls? by Anonymous Coward · · Score: 0

    "This is Windows calling, your computer have virus". Those a-holes just don't give up.

  9. The Best Bugs by Anonymous Coward · · Score: 0

    Like any good bug, it starts with a brain freeze.

  10. Re:The truth about 9/11 by Anonymous Coward · · Score: 0

    Stop it Donald, you are already president.

  11. Re:The truth about 9/11 by lucien86 · · Score: 1

    Mod up parent. Funny. Never seem to have points when I need them, insane illogical stupid slashdot rating system...

    --
    Below the speed of light Special Relativity is one of the most accurate theories in physics - above the speed of light..
  12. But it's open source by Anonymous Coward · · Score: 0

    Therefore it must be invulnerable to virus, malware and everything else!

  13. Other abuses by phorm · · Score: 1

    Can this work for domains other than the one running the script? If so, this sounds pretty nasty, as not only could it be used for scammers, but to seed somebody's internet history with "bad" links. You want to incriminate somebody in viewing illegal images/downloads/etc, just seed their browser history.