Slashdot Mirror


Severe IE 11 Bug Allows 'Persistent JavaScript' Attacks (bleepingcomputer.com)

An anonymous reader writes: New research published today shows how a malicious website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute any kind of persistent JavaScript code while the user is on other domains. In an interview, the researcher who found these flaws explains that this flaw is an attacker's dream, as it could be used for: ad fraud (by continuing to load ads even when the user is navigating other sites), zero-day attacks (by downloading exploit code even after the user has left the page), tech support scams (by showing errors and popups on legitimate and reputable sites), and malvertising (by redirecting users later on, from other sites, even if they leave the malicious site too quickly).

This severe flaw in the browser security model affects only Internet Explorer 11, which unfortunately is the second most used browser version, after Chrome 55, with a market share of over 10%. Even worse for IE11 users, there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports. For IE11 users, a demo page is available here.

13 of 92 comments

  1. Re:Dump Microsoft by Anonymous Coward · · Score: 5, Funny

    The S in Internet Explorer stands for security.

  2. Fairly sure this can be done other ways... by Mitsoid · · Score: 2

    Fairly sure this can be done other ways... Allakhazam (which has game info for many popular MMOs) auto-loads advertisements every few minutes, regardless of the user's browser state.

    My wife frequently walks away for 20+ minutes, only to have her computer randomly start playing an advertisement. I suppose it isn't a "pop up", but clearly "auto refreshing for advertisement fraud" is possible and in use... And Allakhazam's method works on Firefox and Chrome in our experience.

  3. this is why you disable javascript by default. by Anonymous Coward · · Score: 2, Insightful

    Yes... other languages "could" have the same problem, and it's not the language per se that's the issue, but javascript is in the position where it's loaded from random malicious or semi-malicious web sites and executed in your browser.

    If you let that happen by default, after an endless fucking series of javascript based exploits and vulnerabilities and nagware and data-harvesting over the years.. at this point I no longer feel sorry for you. You're letting random strangers who do not mean you well control the operation of a not-well sandboxed environment on your computer, so you deserve what you get.

    Running with javascript default-enabled is like letting any stranger in the world use your house for any purpose they want. Might be an organization who saves orphan cancer victims from bear attacks, or might be drug cartels and human trafficking, or the Stasi planting recording devices. You're saying, "Hey, it's all good! Come on in, do what you want!"

    I wager almost nobody would do that with their house, but somehow with computers people have decided that's a good plan. Then they wonder why they suffer from the endless series of problems they do.

  4. I see the problem by ssufficool · · Score: 3, Informative

    "new ActiveXObject('Microsoft.Ancient.Bad.Idea')" I think I've seen this exploit before. SMH. It's time to kill ActiveX in the browser already.

  5. This is not really javascript's fault by SuperKendall · · Score: 4, Interesting

    If this issue were a problem in Javascript it (or some variant) would work in a lot more browsers than just IE11.

    But it's not. The bug here boils down to Microsoft adding an ActiveX call into Javascript, then that call activating some native HTML ActiveX component and using it in a super bad way.

    That's not Javascript's fault, that's on Microsoft for punching such a large hole in the sandbox.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley

  6. Re:I wouldn't touch Google Chrome on Linux by ArsenneLupin · · Score: 3, Insightful

    Chrome runs under the user id it was started from.

    ... and then proceeds by invoking a set-uid binary (that it conveniently set up at installation time) to become root:

    # ls -ld /usr/lib/chromium/chrome-sandbox
    -rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

  7. Re:I wouldn't touch Google Chrome on Linux by Viol8 · · Score: 2

    Quite. The fact that there are so many idiots on here who not only didn't know this but didn't know how to find out is quite staggering. Ubuntu has a lot to answer for IMO.

  8. Re:I wouldn't touch Google Chrome on Linux by ArsenneLupin · · Score: 4, Informative

    Nothing in Chrome requires a root user.

    Unfortunately, it does; I didn't believe it myself at first:
    # ls -l /usr/lib/chromium/chrome-sandbox
    -rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

    Removing that s bit causes chromium to refuse to run:
    > chromium
    [28193:28193:0225/213608.315538:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/chromium/chrome-sandbox is owned by root and has mode 4755.

    zsh: abort chromium
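The two comments above (6 and 8) show what Chromium's setuid sandbox host insists on: the helper must be owned by root with mode 4755, and it aborts otherwise. The following is an added audit script, not Chromium's code, that applies the same rule so an admin can check a helper before the browser does; DEFAULT_HELPER is the path quoted in the thread, and the decision logic is split out so it can be exercised with constructed stat values.

```python
"""Audit a SUID sandbox helper the way the thread's Chromium error describes.

Added example (not Chromium's own code). Rule mirrored from the quoted
message: the helper must be owned by root and have mode 4755.
"""
import os
import stat

DEFAULT_HELPER = "/usr/lib/chromium/chrome-sandbox"  # path quoted in the thread
EXPECTED_PERMS = 0o4755  # setuid bit plus rwxr-xr-x, as Chromium demands


def evaluate_helper(st_uid: int, st_mode: int) -> list[str]:
    """Return the list of problems for a helper with owner uid `st_uid` and the
    full st_mode value from os.stat. An empty list means it would be accepted."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if st_uid != 0:
        problems.append(f"owned by uid {st_uid}, not root")
    perms = stat.S_IMODE(st_mode)  # strip the file-type bits, keep setuid/setgid/rwx
    if not perms & stat.S_ISUID:
        problems.append("setuid bit is not set")
    if perms != EXPECTED_PERMS:
        problems.append(f"mode is {perms:04o}, expected {EXPECTED_PERMS:04o}")
    return problems


def audit_helper(path: str = DEFAULT_HELPER) -> list[str]:
    """Stat the helper on disk and evaluate it. A missing file or a symlink is
    reported as a problem rather than followed."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path} is a symlink"]
    return evaluate_helper(st.st_uid, st.st_mode)


if __name__ == "__main__":
    issues = audit_helper()
    print("OK: helper is root-owned with mode 4755" if not issues else "\n".join(issues))
```

Run it as any user; it only reads metadata, so no privileges are needed to confirm whether the helper is in the state the browser requires.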

  9. Re:I wouldn't touch Google Chrome on Linux by lgw · · Score: 2

    It silently self-escalates when it runs. Did you think Chrome wasn't a rootkit? It's a browser built by an advertising company, why would you expect it to behave differently than weatherbug?

    --
    Socialism: a lie told by totalitarians and believed by fools.

  10. Re:I wouldn't touch Google Chrome on Linux by chipschap · · Score: 2

    Son of the gun. Verified on my system (under /opt/google/chrome).

    Didn't know that. Kind of glad I switched to Vivaldi for most things.

    Glad you pointed this out.

  11. Re:I wouldn't touch Google Chrome on Linux by KingMotley · · Score: 2

    To avoid the security issue of chrome on linux, I suggest you switch to internet explorer. I haven't heard of any exploits of internet explorer on linux yet.

  12. Re:I wouldn't touch Google Chrome on Linux by tender-matser · · Score: 2

    If I had installed it manually in my own directory, chances are, it would refuse to run (... as it would not be setuid root)

    It will probably work if started with the "--no-sandbox" option (that's what I use with a "bleeding edge" chrome I've downloaded and installed as a regular user)

    I usually run browsers as a separate user that is allowed onto the X11 server via xauth (this is more out of ritual cleanliness than security -- browsers leave around much dotfile spam and they also love to start a lot of dubious garbage I don't like, like pulseaudio and dbus).