Slashdot Mirror


Severe IE 11 Bug Allows 'Persistent JavaScript' Attacks (bleepingcomputer.com)

An anonymous reader writes: New research published today shows how a malicious website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute any kind of persistent JavaScript code while the user is on other domains. In an interview, the researcher who found these flaws explains that this flaw is an attacker's dream, as it could be used for: ad fraud (by continuing to load ads even when the user is navigating other sites), zero-day attacks (by downloading exploit code even after the user has left the page), tech support scams (by showing errors and popups on legitimate and reputable sites), and malvertising (by redirecting users later on, from other sites, even if they leave the malicious site too quickly).

This severe flaw in the browser security model affects only Internet Explorer 11, which unfortunately is the second most used browser version, after Chrome 55, with a market share of over 10%. Even worse for IE11 users, there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports. For IE11 users, a demo page is available here.

92 comments

  1. Dump Microsoft by Anonymous Coward · · Score: 1

    You know it makes sense.
    Mind you Google isn't that much better

    Dump google
    you know it makes sense.

    1. Re:Dump Microsoft by Anonymous Coward · · Score: 5, Funny

      The S in Internet Explorer stands for security.

    2. Re: Dump Microsoft by dougdonovan · · Score: 1

      don't dump microsoft, they're job security.

    3. Re: Dump Microsoft by Anonymous Coward · · Score: 0

      Not for me. I'm retired and FREE of MS. Yay!

    4. Re:Dump Microsoft by cellocgw · · Score: 1

      The S in Internet Explorer stands for security.

      Shared to [$Social_Network_Site]

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
  2. Stop reporting bugs? by guardiangod · · Score: 1

    there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports.

    I don't see the author saying this anywhere in Caballero's article. Maybe the reporter at the news site (and the submitter) should have read the article first.

    For what it is worth, Caballero is a respected browser security researcher. I don't think he would do something like this.

    1. Re:Stop reporting bugs? by guardiangod · · Score: 1

      So I re-read the article, and here is the part the journalist was referring to:

      In my opinion, some people at Microsoft do not care and they just do what they want, so phrases like "responsible disclosure" will ring in my mind when the "responsible patching" ring in their minds. To be clear: I will keep sharing my findings for as long as MSRC keeps acting like an unreachable rock star.

      Okay maybe the journalist meant that the researcher won't wait 60/120 days disclosure, which is still a far cry from not reporting bugs at all.

    2. Re:Stop reporting bugs? by Anonymous Coward · · Score: 0

      I believe what he's saying is that in the past, he's tried reporting these bugs to Microsoft, but Microsoft doesn't respond. So he decided to "go nuclear" by creating the BrokenBrowser website and releasing Edge/IE bugs as he finds them, instead of trying to report them to the black hole that is Microsoft.

  3. Test result by 140Mandak262Jamuna · · Score: 1
    Browser tested: Chrome.

    1. Regular alert: Alert came up, second time. check marked it. Disappeared for ever.

    2, 3, 4: htmlFile alert, all at once, in a zombie script: No effect, no popup, nothing.

    Browser being tested: IE 11

    no carrier

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Test result by Anonymous Coward · · Score: 0

      Safari 10.0.3 on macOS 10.12.3:

      1. Regular alert: Alert came up three times. No check mark box to disable.

      2, 3, 4: no alerts at all. throws exception at doc = new ActiveXObject("htmlFile");, probably because Safari doesn't know what an ActiveXObject is. Sad. Many such cases.

    2. Re:Test result by mrbester · · Score: 1

      IE for Mac knew what an ActiveXObject was. It then proceeded to crash spectacularly if you tried to instantiate one. The awesome was strong in the wastes of space that comprised the team that created that abortion.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  4. Fairly sure this can be done other ways... by Mitsoid · · Score: 2

    Fairly sure this can be done other ways... Allakhazam (which has game info for many popular MMO's) auto-loads advertisements every few minutes, regardless of the user's browser state.

    My wife frequently walks away for 20+ minutes, only to have her computer randomly start playing an advertisement.. I suppose it isn't a "pop up", but clearly "auto refreshing for advertisement fraud" is possible and in use... And Allakhazam's method works on Firefox and Chrome from our experiences.

    1. Re:Fairly sure this can be done other ways... by Mitsoid · · Score: 1

      Fairly sure this can be done other ways... Allakhazam (which has game info for many popular MMO's) auto-loads advertisements every few minutes, regardless of the user's browser state.

      My wife frequently walks away for 20+ minutes, only to have her computer randomly start playing an advertisement.. I suppose it isn't a "pop up", but clearly "auto refreshing for advertisement fraud" is possible and in use... And Allakhazam's method works on Firefox and Chrome from our experiences.

      To clarify, Browser state being "on and at their website", but otherwise irrespective (minimized, not in focus, not interacted with for many minutes, etc.)

    2. Re:Fairly sure this can be done other ways... by lgw · · Score: 1

      It's normal to have javascript running in the background when you're at a site. How else do you think Google knows how long you spent looking at any page on the Web or where your mouse pointer was millisecond-by-millisecond? This attack is special because it keeps happening after you navigate away from the site.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  5. Just IE by Locke2005 · · Score: 1

    Doesn't Chrome have the same problem? I've had to go into Task Manager and kill Chrome after getting the "You have a virus! Pay us money!" popup. (Have they fixed that in Chrome already?) My ex was stupid enough to actually call the phone number they put up on the screen, after which some Indian guy asked her for money.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Just IE by networkzombie · · Score: 1

      I saw this last week so I doubt they have fixed it. It took over the screen and the only thing I could do was kill chrome via ctrl+alt+del. No defense. I had to tell the user to never go to that site (or their history), or use a browser with noscript, like SeaMonkey or Firefox. SeaMonkey with noscript and adblock has saved me a few headaches for users with chrome bloat issues due to too many tabs.

    2. Re:Just IE by Anonymous Coward · · Score: 0

      the correct term is "Alternative Indian" nowadays

    3. Re:Just IE by tepples · · Score: 1

      My ex was stupid enough to actually call the phone number they put up on the screen, after which some Indian guy asked her for money.

      And there are people on YouTube who mess with those scammers in India and screencap it: Lewis's Tech, Thunder Tech, Each&Everything, etc.

    4. Re:Just IE by slashrio · · Score: 1

      The correct description would be "A person from India".

      --
      "Trump!!", the new Godwin.
  6. Will it die after killing the browser? by 140Mandak262Jamuna · · Score: 1

    I hope the zombie script will die if the browser is killed? Or have clever people at Microsoft implemented auto checkpoint and auto restore to make it even more persistent?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  7. I wouldn't touch Google Chrome on Linux by Viol8 · · Score: 0

    Chrome requires its sandbox process to run as root. Well not on my systems it isn't. Won't run? Tough, I'll just use one of the many alternatives then.

    Apparently Google thinks its code is 100% exploit and bug free and doesn't see an issue with having a user application requiring superuser privileges. Utter morons. And anyone who says to me "but its not the browser, its the sandbox" obviously knows the square root of fuck all about security so don't even bother me with your ignorant opinions.

    1. Re:I wouldn't touch Google Chrome on Linux by angel'o'sphere · · Score: 1, Informative

      Chrome requires its sandbox process to run as root.
      Chrome runs under the user id it was started from. No idea what you want to claim.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    2. Re:I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 0

      Chrome requires its sandbox process to run as root. ...

      Wut?!?!?!

      A statement like that doesn't deserve a better response.

    3. Re:I wouldn't touch Google Chrome on Linux by MightyMartian · · Score: 1

      What the fuck are you talking about? Nothing in Chrome requires a root user.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:I wouldn't touch Google Chrome on Linux by Viol8 · · Score: 0

      With morons like you people using linux now it's not surprising exploits are increasing. Check the chrome_sandbox binary owner and setuid bit (know what that is? No? Look it up) then buy yourself a ticket on the cluetrain you clueless gimp.

    5. Re:I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 0

      Apparently you're incapable of understanding that the person who asserts an extraordinary claim is the one who is required to provide a citation.

    6. Re:I wouldn't touch Google Chrome on Linux by Ol+Olsoc · · Score: 1

      So the chrome_sandbox binary being owned by root and having the setuid bit set is an "extraordinary claim" is it snowflake? No, it's a fact. I don't need to cite anything. 5 seconds with google will tell you everything you need to know and if you're too bone idle to bother then that's your problem, not mine.

      You're not supposed to drink espresso like it was cappuccino. But if you want to make claims and then not support them at the same time as you call anyone who disagrees with you morons, well, I think you might be better suited for Youtube comments. Edumacate peeps.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re:I wouldn't touch Google Chrome on Linux by Ol+Olsoc · · Score: 0

      With morons like you people using linux now it's not surprising exploits are increasing. Check the chrome_sandbox binary owner and setuid bit (know what that is? No? Look it up) then buy yourself a ticket on the cluetrain you clueless gimp.

      Y so SRS?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    8. Re:I wouldn't touch Google Chrome on Linux by Viol8 · · Score: 1

      Thanks for proving my point in my original post about ignorant fools with no clue about security.

      Newsflash: claims only need supporting if there's no way for 3rd parties to independently verify them. But here, especially for dumb special needs kids like you who can't use a search engine:

      http://lmgtfy.com/?q=chrome_sa...

    9. Re:I wouldn't touch Google Chrome on Linux by ArsenneLupin · · Score: 3, Insightful

      Chrome runs under the user id it was started from.

      ... and then proceeds by invoking a set-uid binary (that it conveniently set up at installation time) to become root:

      # ls -ld /usr/lib/chromium/chrome-sandbox
      -rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

    10. Re:I wouldn't touch Google Chrome on Linux by Viol8 · · Score: 2

      Quite. The fact that there are so many idiots on here who not only didn't know this but didn't know how to find out is quite staggering. Ubuntu has a lot to answer for IMO.

    11. Re:I wouldn't touch Google Chrome on Linux by ArsenneLupin · · Score: 4, Informative

      Nothing in Chrome requires a root user.

      Unfortunately, it does, I didn't believe it myself at first...:
      # ls -l /usr/lib/chromium/chrome-sandbox
      -rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

      Removing that s bit causes chromium to refuse to run:
      > chromium
      [28193:28193:0225/213608.315538:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/chromium/chrome-sandbox is owned by root and has mode 4755.
      #0 0x564a04ba083e <unknown>
      #1 0x564a04bb4f7b <unknown>
      #2 0x564a05a0f4cf <unknown>
      #3 0x564a043f3def <unknown>
      #4 0x564a043f325e <unknown>
      #5 0x564a043f384e <unknown>
      #6 0x564a0408872c <unknown>
      #7 0x564a0409036d <unknown>
      #8 0x564a04087dcc <unknown>
      #9 0x564a0480764b <unknown>
      #10 0x564a04805fa0 <unknown>
      #11 0x564a033de1bc ChromeMain
      #12 0x7ff5074f5b45 __libc_start_main
      #13 0x564a033de069

      zsh: abort chromium

    12. Re:I wouldn't touch Google Chrome on Linux by Ol+Olsoc · · Score: 1

      Thanks for proving my point in my original post about ignorant fools with no clue about security.

      Oh do go on. I feed on your ranting.

      Newsflash: claims only need supporting if there's no way for 3rd parties to independently verify them. But here, especially for dumb special needs kids like you who can't use a search engine:

      http://lmgtfy.com/?q=chrome_sa...

      Okay, it has been proven conclusively. You, our good Viol8, could have chosen to be anything you want, and for some reason you chose to be an asshole.

      Because in the end, it doesn't matter whether you are right or wrong.

      But please, do rant on. It's most entertaining, and might even do you some good to release all that pent up anger. Thanks for the Lulz.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    13. Re:I wouldn't touch Google Chrome on Linux by lgw · · Score: 2

      It silently self-escalates when it runs. Did you think Chrome wasn't a root kit? It's a browser built by an advertising company, why would you expect it to behave differently than weatherbug?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    14. Re:I wouldn't touch Google Chrome on Linux by chipschap · · Score: 2

      Son of the gun. Verified on my system (under /opt/google/chrome).

      Didn't know that. Kind of glad I switched to Vivaldi for most things.

      Glad you pointed this out.

    15. Re:I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 0

      > Ubuntu has a lot to answer for IMO.

      $ ls -ld /bin/ping
      -rwsr-xr-x 1 root root 60288 Jun 15 2016 /bin/ping

      UBUNTU HAS A LOT TO ANSWER FOR! WHAT'S THAT SUID ROOT BINARY DOING ON MY SYSTEM?!?

      From another comment in this thread:

      > Removing that s bit causes chromium to refuse to run:

      If and only if your system's kernel isn't configured with USER_NS (and that kernel isn't using GrSecurity), and Chrome is sufficiently new.

      Just like setting up a proper chroot or binding to ports lower than 1024, it's (intentionally) impossible to set up a serious sandbox without having root privs.

      Anyway.

      You're talking about using software that has access to your keystrokes, mouse movements and clicks, the plaintext of your TLS sessions. It also controls the layout and placement of the content that it's presented. The majority of PC-using Americans do pretty much everything in their web browsers. If Google were malicious, they'd be able to get all the data they'd ever want without ever touching root privs.

    16. Re:I wouldn't touch Google Chrome on Linux by KingMotley · · Score: 2

      To avoid the security issue of chrome on linux, I suggest you switch to internet explorer. I haven't heard of any exploits of internet explorer on linux yet.

    17. Re:I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 0

      I learned a couple of things today from this thread. I learned that yes, in fact, Chrome does have a forehead-slappingly stupid requirement for root access, and I understood for the first time what the term "useful idiot" means.

      So, thanks for those two insights.

    18. Re:I wouldn't touch Google Chrome on Linux by NetCow · · Score: 1

      Yeah, about that... You might want to take a look at /opt/vivaldi/vivaldi-sandbox, then.

    19. Re:I wouldn't touch Google Chrome on Linux by chipschap · · Score: 1

      Yes, just discovered that too (about Vivaldi).... not pleasant at all.

      What's left? Firefox? Save me from that... maybe Pale Moon is worth another look.

    20. Re:I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 1

      > Removing that s bit causes chromium to refuse to run:

      ENOREPRO

      ls -ld /usr/lib/chromium-browser/chromium-browser
      -rwxr-xr-x 1 root root 46008184 Dec 17 09:05 /usr/lib/chromium-browser/chromium-browser
      $ ls -ld /usr/lib/chromium-browser/chrome-sandbox
      -r-xr-xr-x 1 root root 14296 Dec 17 09:05 /usr/lib/chromium-browser/chrome-sandbox
      $ lsb_release -irc
      Distributor ID: Ubuntu
      Release: 16.10
      Codename: yakkety
      $ apt search chromium-browser
      Sorting... Done
      Full Text Search... Done
      chromium-browser/yakkety-security,yakkety-updates,now 55.0.2883.87-0ubuntu1.16.10.1330 amd64 [installed]
          Chromium web browser, open-source version of Chrome

          chromium-browser-l10n/yakkety-security,yakkety-security,yakkety-updates,yakkety-updates,now 55.0.2883.87-0ubuntu1.16.10.1330 all [installed,automatic]
              chromium-browser language packages

      about://sandbox reports:

      Sandbox Status

      SUID Sandbox No
      Namespace Sandbox Yes
      PID namespaces Yes
      Network namespaces Yes
      Seccomp-BPF sandbox Yes
      Seccomp-BPF sandbox supports TSYNC Yes
      Yama LSM enforcing Yes
      You are adequately sandboxed.

      Mods, mod me up to +5, Insightful, too.

    21. Re:I wouldn't touch Google Chrome on Linux by donaldm · · Score: 1

      Chrome runs under the user id it was started from.

      ... and then proceeds by invoking a set-uid binary (that it conveniently set up at installation time) to become root:

      # ls -ld /usr/lib/chromium/chrome-sandbox
      -rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

      On my machine (Fedora 25):
      > ls -ld /usr/lib/chromium/chrome-sandbox
      ls: cannot access '/usr/lib/chromium/chrome-sandbox': No such file or directory

      I do run Chrome, Firefox, Konqueror and QupZilla. I can run any browser I want except IE unless I am stupid enough to run a virtual machine with Microsoft Windows although to be fair Windows 10 does not run IE but it only pays attention to the "hosts" file when it suits itself to do so.

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    22. Re:I wouldn't touch Google Chrome on Linux by ArsenneLupin · · Score: 1

      Ubuntu has a lot to answer for IMO.

      Actually, this is a Debian system where I saw this... And one Anonymous Coward claims that on his Ubuntu 16.10 system, Chromium doesn't have the bug. So let's be careful who deserves the blame here... my hunch is that it's google itself, rather than the distro.

    23. Re:I wouldn't touch Google Chrome on Linux by ArsenneLupin · · Score: 1

      On my machine (Fedora 25):
      > ls -ld /usr/lib/chromium/chrome-sandbox
      ls: cannot access '/usr/lib/chromium/chrome-sandbox': No such file or directory

      Careful there, the offending binary might just be called something else (chrome instead of chromium, in /usr/local/lib instead of /usr/lib), etc.

      Just try locate sandbox, or rpm -q -l chromium | xargs ls -ld | egrep '^-..s' to be sure...
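
The two checks that come up in this thread, ArsenneLupin's `xargs ls -ld | egrep '^-..s'` scan above and the "owned by root and has mode 4755" condition quoted from Chromium's setuid_sandbox_host error earlier, can be wrapped into a small audit script. This is an added example, not code from the thread or from the Chromium project; the install directories in the usage function are the ones mentioned by commenters and are assumptions about where a given distribution puts the binary.

```shell
#!/bin/sh
# Added example: helpers for auditing setuid sandbox binaries (not from the
# thread). Works with POSIX sh, find, ls, awk and cut.

# Print "ls -ld" lines for every setuid or setgid regular file under $1.
# This is the same test as piping the file list through egrep '^-..s', but
# done by find itself so it also catches setgid-only files. A missing
# directory yields no output.
find_setuid() {
    [ -d "$1" ] || return 0
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

# Print "<mode> <owner>" for one file, e.g. "-rwsr-xr-x root". The mode is
# cut to ten characters so SELinux/ACL markers ('.' or '+') do not get in the
# way of string comparisons.
describe_mode() {
    ls -ld "$1" | awk '{ printf "%s %s\n", substr($1, 1, 10), $3 }'
}

# Return 0 if $1 has the setuid bit set (lowercase or uppercase 's' in the
# owner-execute position), regardless of who owns it.
has_setuid_bit() {
    case "$(describe_mode "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 if $1 matches exactly what Chromium's error message asks for:
# mode 4755 and owned by root. Anything else (no s bit, different owner,
# wider permissions) returns 1.
is_root_4755() {
    [ "$(describe_mode "$1")" = "-rwsr-xr-x root" ]
}

# Usage: scan the browser install locations named in the thread (assumed
# paths; adjust for your distribution) and report anything setuid/setgid.
audit_browser_sandboxes() {
    for d in /usr/lib/chromium /usr/lib/chromium-browser /opt/google/chrome /opt/vivaldi; do
        find_setuid "$d"
    done
}
```

Running `audit_browser_sandboxes` on a system where the distribution has switched the browser to the namespace sandbox (as the Ubuntu 16.10 output later in this thread shows) prints nothing; where the SUID helper is still in use it prints the `-rwsr-xr-x 1 root root ... chrome-sandbox` line, and `is_root_4755` on that path tells you whether the helper is in the exact state the browser insists on.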

    24. Re:I wouldn't touch Google Chrome on Linux by ArsenneLupin · · Score: 1

      $ ls -ld /bin/ping
      -rwsr-xr-x 1 root root 60288 Jun 15 2016 /bin/ping

      Not on my Debian:

      > ls -ld /bin/ping
      -rwxr-xr-x 1 root root 44104 Nov 8 2014 /bin/ping

      You're talking about using software that has access to your keystrokes, mouse movements and clicks,

      Only its own (although I wouldn't trust most distros' X setups to appropriately protect applications from each other in that regard, but that's another peeve...).

      the plaintext of your TLS sessions.

      Again, only their own. As long as I use Firefox for the serious stuff, and chromium only for browsing Javascript infested trashcan sites, my TLS sessions (from Firefox) would still be safe. But with this bug... not so sure.

      It also controls the layout and placement of the content that it's presented. The majority of PC-using Americans do pretty much everything in their web browsers.

      This is not about the computers of the trump voters (these would use IE 11 on Windows anyways...), but about the computers of more tech-savvy users who just wouldn't expect something like this.

      If Google were malicious, they'd be able to get all the data they'd ever want without ever touching root privs.

      Not malicious, just callous. Rechklessly allowing third parties (shady sites packed full of Javascripts) to leverage that hole to get admin on victim's computer.

    25. Re:I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 0

      We choose to be assholes because idiots like you need to be spoonfed information instead of exercising your fucking brains.

    26. Re:I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 0

      Wrong.

      This is proven just by ripping apart the Chrome package in Android.

    27. Re:I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 0

      It really surprises me, and I'm also surprised by how many other people don't know that.
      At least on Windows, if something wants to run as admin, I have to elevate it.
      Although maybe if Chrome is pre-installed in your Linux image it would be as invisible as pre-installed Windows services.

    28. Re:I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 0

      opera 12

    29. Re:I wouldn't touch Google Chrome on Linux by angel'o'sphere · · Score: 1

      I guess that is more a problem of the installation process than any 'necessity' ... if you know that, why don't you remove the s bit?

      And how can it be that the user and group is root anyway? I guess you installed Chrome as root, so the mistake is just yours.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    30. Re:I wouldn't touch Google Chrome on Linux by ArsenneLupin · · Score: 1

      I guess that is more a problem of the installation process than any 'necessity' ... if you know that, why don't you remove the s bit?

      Have you stopped beating your wife? :-)

      Well, as stated in my other message, if I remove the s bit Chromium will refuse to start.

      And how can it be that the user and group is root anyway?

      Most software belongs to root... (have you actually ever looked at any software on your own system, or are you just trolling?)

      I guess you installed Chrome as root

      In this case, I trusted my distribution, and installed the .deb from repository.

      so the mistake is just yours.

      If I had installed it manually in my own directory, chances are, it would refuse to run (... as it would not be setuid root)

    31. Re:I wouldn't touch Google Chrome on Linux by angel'o'sphere · · Score: 1

      The software belongs to the one who is installing it.
      And that is in 99% of the cases: not 'root'.

      There is a reason why you have /usr/bin ...

      And we were talking about Chrome, not Chromium, or do I miss anything?
      Anyway: I'm on a mac and don't "install" software. I drag&drop it from the installation medium to my Applications folder: hence it has no S bit, is running with my rights and not with anyone else's rights.

      Sorry, if that application needs s-bit as root to run: delete it.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    32. Re:I wouldn't touch Google Chrome on Linux by ArsenneLupin · · Score: 1

      And we were talking about Chrome, not Chromium, or do I miss anything?

      In my case it's Chromium (hence nicely packaged as a .deb), but the original poster observed the same thing about Chrome. That it also happens with Chromium on some distributions is worrisome: Chromium is supposed to be repackaged, so that the distributor can remove such shenanigans. Ubuntu managed to do that (in 16.10). Debian, unfortunately, didn't.

      Sorry, if that applications needs s-bit as root to run: delete it.

      Which is what I ended up doing...

      And I would have done it much earlier had I known (suspected) this. And in order to give other people, who might still be as unsuspecting as I am, a heads up, I'm talking about it.

    33. Re:I wouldn't touch Google Chrome on Linux by tender-matser · · Score: 2

      If I had installed it manually in my own directory, chances are, it would refuse to run (... as it would not be setuid root)

      It will probably work if started with the "--no-sandbox" option (that's what I use with a "bleeding edge" chrome I've downloaded and installed as a regular user)

      I usually run browsers as a separate user that is allowed onto the X11 server via xauth (this is more out of ritual cleanliness than security -- browsers leave around much dotfile spam and they also love to start a lot of dubious garbage I don't like, like pulseaudio and dbus).

    34. Re: I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 0

      You missed the point. It's not whether you think Google is acting malicious, it's that no software is perfect and that WHEN someone else takes advantage of a Chrome zero day, they'll get root permission instead of limited to user permissions.

      It's like when they say not to leave car registration info in the vehicle because if it's stolen, the thieves have your home address and then can do even more nefarious shit.

    35. Re:I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 1

      > Not on my Debian:

      I thought you were using Ubuntu a minute ago. What happened?

      To you and the equally clueless AC:

      > Rechklessly (sic) allowing third parties (shady sites packed full of Javascripts) to leverage that hole to get admin on victim's computer.

      and:

      > WHEN someone else takes advantage of a Chrome zero day, they'll get root permission instead of limited to user permissions.

      $ chromium-browser &> /dev/null &
      [1] 7723
      $ google-chrome &> /dev/null &
      [2] 8007
      $ pgrep sandbox | wc -l
      0
      $

      chromium-sandbox runs, does its work, and terminates. It's not a daemon.

      Maybe my google-fu is weak, but I haven't found any evidence of a Chrome sandbox fault that grants you root privs. Believe it or not, if you're careful, it's not difficult to write code that runs as setuid root and drops privs looooooong before you do anything other than call privileged system setup code. (And the Chrome security guys are nothing if not careful.)

      We don't freak out about the fact that Apache starts at root and pivots to another user, because it does just what's required and setuid's to some less privved user. Given its track record, the only real reason to freak out about Chrome's sandbox executable is to spread anti-Google FUD.

      Here's the bulk of the code for the setuid Chrome sandbox:

      https://chromium.googlesource.com/chromium/chromium/+/master/sandbox/linux/suid/sandbox.c

      lemmy know if you see anything concerning. Make careful note of the inputs for each function, and which of those inputs are user-controlled, rather than controlled by the sandbox process.

      > >You're talking about using software that has access to your keystrokes, mouse movements and clicks,
      > Only its own...

      Unless you've gone to the trouble to run each X11 client in its own server (and are doing some sort of forwarding from that server to a master server), then _all_ X11 clients have access to keystrokes and (I'm pretty sure) mouse movements. (And I'm not entirely sure that that would work as desired.) Things like pinentry make a valiant attempt to prevent this, but they fail against an even vaguely determined attacker.

    36. Re:I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 0

      > And one Anonymous Coward [slashdot.org] claims that on his Ubuntu 16.10 system, Chromium doesn't have the bug.

      Hi. I'm that AC.

      You're going to be blown away here, but User Namespaces give root privs to anything run inside them.

      I'll give you a minute to process that. Go on, take a minute.

      User Namespaces also attempt to contain those processes inside a kernel sandbox. Namespaces are fairly solid, but there have been some Namespace escapes (and subsequent priv escalations) in the past. So, unlike vanilla kernels, the GrSecurity kernels require CAP_SYS_ADMIN to use User Namespaces. The GrSecurity people are concerned about what they believe to be the large attack surface exposed by User Namespaces. This -of course- makes User Namespaces more or less redundant on GrSecurity systems, but what can you do?

      It's not a bug to require root privs to perform privileged operations. chroot(2) and friends require root privs. You need chroot(2) and friends to set up a sandbox on Linux. These are unavoidable facts of life on Linux systems. Hyperventilating about things and misattributing the blame doesn't convert people to your cause. It just makes you look poorly-informed.

    37. Re: I wouldn't touch Google Chrome on Linux by Anonymous Coward · · Score: 0

      UAC in its default configuration can be bypassed without user interaction.

    38. Re:I wouldn't touch Google Chrome on Linux by angel'o'sphere · · Score: 1

      Perhaps time to put every application into its own VM, sigh.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  8. this is why you disable javascript by default. by Anonymous Coward · · Score: 2, Insightful

    Yes... other languages "could" have the same problem, and it's not the language per se that's the issue, but javascript is in the position where it's loaded from random malicious or semimalicious web sites and executed in your browser.

    If you let that happen by default, after an endless fucking series of javascript based exploits and vulnerabilities and nagware and data-harvesting over the years.. at this point I no longer feel sorry for you. You're letting random strangers who do not mean you well control the operation of a not-well sandboxed environment on your computer, so you deserve what you get.

    Running with javascript default-enabled is like letting any stranger in the world use your house for any purpose they want. Might be an organization who saves orphan cancer victims from bear attacks, or might be drug cartels and human trafficking, or the Stasi planting recording devices. You're saying, "Hey, it's all good! Come on in, do what you want!"

    I wager almost nobody would do that with their house, but somehow with computers people have decided that's a good plan. Then they wonder why they suffer from the endless series of problems they do.

    1. Re:this is why you disable javascript by default. by jbmartin6 · · Score: 1

      I've felt this way since the early days of getting caught in an endless 'on exit' loop. Oh wait, that's not the early days, that's TODAY, even in Chrome. Why is this even possible in the first place?

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  9. Internet Explorer is abandonware by Anonymous Coward · · Score: 0

    No major version since 2013, dumped by Microsoft for Edge. Only corporate web apps still need IE, the rest of the web should move on and drop support for IE.

    1. Re:Internet Explorer is abandonware by Billly+Gates · · Score: 1

      Unfortunately, IE is far from dead and is mandated by many corporate users and is used by Grandma.

      MS needs to secure it as long as it's part of 8/10. Yes, IE 11 is part of 10 in addition to Edge if you look for it. Corporations use a GPO to put IE 11 over Edge at work.

  10. I see the problem by ssufficool · · Score: 3, Informative

    "new ActiveXObject('Microsoft.Ancient.Bad.Idea')" I think I've seen this exploit before. SMH. It's time to kill ActiveX in the browser already.

  11. This is not really javascript's fault by SuperKendall · · Score: 4, Interesting

    If this issue were a problem in Javascript it (or some variant) would work in a lot more browsers than just IE11.

    But it's not. The bug here boils down to Microsoft adding an ActiveX call into Javascript, then that call activating some native HTML ActiveX component and using it in a super bad way.

    That's not Javascript's fault, that's on Microsoft for punching such a large hole in the sandbox.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:This is not really javascript's fault by Anonymous Coward · · Score: 0

      If this issue were a problem in Javascript it (or some variant) would work in a lot more browsers than just IE11.

      But it's not. The bug here boils down to Microsoft adding an ActiveX call into Javascript, then that call activating some native HTML ActiveX component and using it in a super bad way.

      That's not Javascript's fault, that's on Microsoft for punching such a large hole in the sandbox.

      Yes, but since we can't see all of those invisible holes in the Javascript interpreter engines, and it's our personal data at risk, why take the chance?

      Javascript has been the core hook/mechanism of action of 90% of malware. Yes, I made up 90% but I'd bet it's close.

      The only safe ways to browse with Javascript ON are: 1) run browser in a containerized disposable OS instance, or 2) an isolated machine with a disposable OS image, behind a strong firewall separating the machine from the rest of your LAN. (as I browse with javascript on but with several blockers / limiters...)

    2. Re:This is not really javascript's fault by Anonymous Coward · · Score: 0

      If this issue were a problem in Javascript it (or some variant) would work in a lot more browsers than just IE11.

      Yes, but in all or almost all cases it is javascript that exposes the vulnerabilities to the outside attacker.

      It drastically increases your attack surface.

  12. Notify Users by Anonymous Coward · · Score: 0

    Microsoft should promptly notify IE11 users ... both of them

  13. Turn off Java. Don't open docx docs by Joe+Branya · · Score: 1

    If any outsider can install and run a program on your computer it is no longer your computer. Javascript is such a program. So is the permission to open a Microsoft docx document. In a corporate environment there is usually a guard dog to protect you. In a home Windows, Apple or Unix-based system you are on your own. If you leave the keys to your car in the ignition don't be surprised if someone takes it for a ride.

    Make your own decision.

  14. Go use Edge/Windows 10 by Billly+Gates · · Score: 1

    That way we can track you with an advertiser ID in a feeble way to sell apps on the appstore and actual think this will get people to buy Windows Phone?

    Why fix it? This is great scareware to get PHB IT managers to upgrade and leave perfectly working 7 behind.

  15. The fix is easy... by Anonymous Coward · · Score: 0

    Stop using a shit OS.

    1. Re:The fix is easy... by Anonymous Coward · · Score: 0

      OS X wasn't always shitty. :(

  16. Re:Turn off Java. Don't open docx docs by Anonymous Coward · · Score: 0

    Java and Javascript are not the same thing. They're similar in many ways, but Javascript is usually interpreted/run directly by a Javascript interpreter/engine in the web browser.

    Java is run by a separate interpreter/engine which can have browser plugins, so Java code can be run from within html. Java apps can run without a browser- directly in the OS's GUI.

  17. Not a bug by Anonymous Coward · · Score: 0

    Caballero just discovered another hidden feature. Won't be fixed of course, because it is (an evil) feature for three letter agencies and not a bug. I am lucky I don't have IE11, can't install that one so I am stuck with IE6 on my XP

    captcha: mindful

    1. Re:Not a bug by Anonymous Coward · · Score: 0

      oh yeah, blame it on the NSA as usual... not sloppy devs... NSA...

  18. What should convince a user to enable JS? by tepples · · Score: 1

    Running with javascript default-enabled is like letting any stranger in the world use your house for any purpose they want.

    If most people change the default to no JS, what steps should a developer of a web application take to convince prospective users that the web application is legitimate? Or should all applications instead be native and therefore specific to a single operating system?

    1. Re:What should convince a user to enable JS? by michael_wojcik · · Score: 1

      If most people change the default to no JS, what steps should a developer of a web application take to convince prospective users that the web application is legitimate?

      A good start is designing them so they degrade gracefully and remain usable when scripting is disabled.

    2. Re:What should convince a user to enable JS? by tepples · · Score: 1

      How would, say, a web-based image editing application "degrade gracefully and remain usable when scripting is disabled"? The only way I can see to make it remotely usable without script is to make the image that the user is editing into a server-side image map, with a full page reload for each click, and requiring the user to click multiple times along a curve to draw it instead of being able to drag. How is that "gracefully"?

      Likewise for a web-based front end to a chat room. The user would have to keep clicking "check for new messages", after which the server would have to retransmit even those messages that had already been transmitted to the user's browser.

    3. Re:What should convince a user to enable JS? by michael_wojcik · · Score: 1

      How would, say, a web-based image editing application "degrade gracefully and remain usable when scripting is disabled"?

      Gosh, thinking is hard, isn't it?

      For a start, it could display the image with text indicating why other functionality requires scripting. It could give the user the option to download the image (yes, present in the browser already; doesn't mean you can't improve the UX with an explicit link, which of course only requires HTML), edit it offline in the tool of their choice, and upload it again (which only requires an HTML form).

      In any case, the existence of a small subset of "web applications" that require scripting to do anything useful does not relieve all the other fucking sites of the obligation to degrade gracefully. And even those that really do need scripting can do a much better job of explaining why.

      Likewise for a web-based front end to a chat room.

      Oh, you kids! We had those before Javascript was invented. Somehow we survived.

      The user would have to keep clicking "check for new messages",

      Horrors! God forbid anyone manually update messages. We used to do that back in the day, too, and the casualties were unimaginable.

      Perhaps the vast majority of your users are unwilling? Fine, they can enable scripting. No reason not to let those who don't want scripting have the manual mechanism.

      Oh, and then there's the HTTP Refresh header. Whoops - problem solved after all.

      after which the server would have to retransmit even those messages that had already been transmitted to the user's browser.

      Again, horrors! I can't download 10KB of text - I need that bandwidth for the 10MB of pointless images.

      HTML iframe element. Fucking pages. (HTTP range requests would be nice, but existing browser UAs aren't smart enough to use them.) All of which can be served only to people who have scripting disabled (or, better, to people who have scripting disabled, or people who explicitly ask for the manual interface).

      I know. So difficult! Why, it's almost like real programming.

  19. Turn off Java, JS, Flash, and SL. Don't open docx by tepples · · Score: 1

    Java and Javascript are not the same thing.

    I think Joe Branya would recommend turning them both off, as well as Flash and Silverlight.

  20. MS needs to port edge to all Windows by Anonymous Coward · · Score: 0

    See my subject: I'm an avid Opera 12.18 64-bit user. It does the job for MOST everywhere I go except outlook.com (which forces me to use IE 11) - what I cannot STAND is how SLOW IE 11 is!

    * I mean it - in comparison to Opera (the last REAL Opera, not "Chopera") it's DOG slow AND doesn't have all the features Opera does natively (not by a long shot - no browsers really do to this day minus addons).

    I could see saying that if say, Opera was a DOS window/tty term app with no GUI overheads vs. IE in GUI - that I can understand where slowups occur & it's not comparing apples to apples either (GUI has way, Way, WAY more overheads than character mode apps do).

    It's been PATCH after PATCH for decades now in IE which is probably contributing to that slowness & did it solve anything? Bugs keep popping up!

    Personally? Javascript is the ROOT of all slow & bugs imo. It's junk & I cannot understand HOW it took over CGI bin/WinCGI which imo was a LOT safer & iirc, run server-side (instead of raising my powerbill via cpu overuse clientside here & infecting us users too).

    APK

    P.S.=> I don't have or use Win10, but folks that DO use it tell me Edge IS FASTER than IE by far... & imo, what keeps IE alive is the fact it TRULY IS the most flexible programmable browser there is for INTRANET usage (I will give it that) imo... apk

  21. Would they even fix it? by SeaFox · · Score: 1

    Internet Explorer 11 requires Windows 7 SP1 or higher. Microsoft would be quick to point out that they have offered free upgrades to Windows 10, featuring their new, more secure Edge browser, for over a year now.

    1. Re:Would they even fix it? by jaa101 · · Score: 1

      Is there a Microsoft-approved way of removing IE 11 from Win 10?

    2. Re: Would they even fix it? by Anonymous Coward · · Score: 0

      Server and embedded 8 is stuck on IE10

  22. noscript by 0111+1110 · · Score: 1

    This is why everyone should be running Noscript. Javascript is a major security risk and should only be run on sites you completely trust 100%. Even then it is the most likely vector for viruses and malware.

    --
    Quite an experience to live in fear, isn't it? That's what it is to be a slave.
  23. the researcher has decided to stop reporting by tomxor · · Score: 1

    the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports

    Yeah, I can empathise... MS have some really shitty strategies for dealing with bug reports. Although I don't post security bugs, my experience is:

    1. Copy paste replies
    2. Usually marked as "wont fix" cos "only affects some users" (even though it affects everyone)
    3. Contrive ways to not reproduce it and close it because "does not work on some specific build on a specific combination of hardware and OS"

    I know that closed source has less resources but a) don't be fucking closed source then and b) don't use underhanded techniques to reduce your bug count because it will just piss everyone off.