Google Fixes Chrome 'Evil Cursor' Bug Abused by Tech Support Scam Sites (zdnet.com)
Google has patched a Chrome bug that was being abused in the wild by tech support scammers to create artificial mouse cursors and lock users inside browser pages by preventing them from closing and leaving browser tabs. From a report: The trick was first spotted in September 2018 by Malwarebytes analyst Jerome Segura. Called an "evil cursor," it relied on using a custom image to replace the operating system's standard mouse cursor graphic. A criminal group that Malwarebytes called Partnerstroka operated by switching the standard OS 32-by-32 pixels mouse cursor with one of 128 or 256 pixels in size. A normal cursor would still appear on screen, but in the corner of a bigger transparent bounding box. [...] The "evil cursor" fix is currently live for Google Canary users, and is scheduled to land in the Chrome 75 stable branch, to be released later this spring.
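The trick in the summary comes down to a CSS `cursor: url(...)` image far larger than the standard 32-by-32 cursor. The following Node.js script is an added example, not code from the article, Malwarebytes or Chrome's fix: it audits a stylesheet for cursor images and flags oversized inline PNGs. The function names, the sample stylesheet and the use of 32 pixels as the flagging threshold are assumptions made for illustration.

```javascript
const STANDARD_CURSOR_PX = 32; // standard OS cursor size given in the report
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Width and height live in the IHDR chunk, big-endian, at byte offsets 16 and 20.
function pngDimensions(bytes) {
  if (bytes.length < 24 || !bytes.subarray(0, 8).equals(PNG_SIG)) return null;
  if (bytes.toString("latin1", 12, 16) !== "IHDR") return null;
  return { width: bytes.readUInt32BE(16), height: bytes.readUInt32BE(20) };
}

// Report every url() image used in a `cursor:` declaration of a stylesheet.
function auditCursors(cssText) {
  const findings = [];
  // Treat url(...) as one token so the ';' inside a data: URI does not end the value.
  const declRe = /(?:^|[\s;{])cursor\s*:\s*((?:url\([^)]*\)|[^;}])+)/gi;
  const urlRe = /url\(\s*(['"]?)(.*?)\1\s*\)/gi;
  for (const decl of cssText.matchAll(declRe)) {
    for (const u of decl[1].matchAll(urlRe)) {
      const url = u[2];
      const m = /^data:image\/png;base64,(.+)$/i.exec(url);
      const dim = m ? pngDimensions(Buffer.from(m[1], "base64")) : null;
      let verdict = "unknown-size"; // remote or non-PNG image: fetch and size it separately
      if (dim) {
        const big = dim.width > STANDARD_CURSOR_PX || dim.height > STANDARD_CURSOR_PX;
        verdict = big ? "oversized" : "ok";
      }
      findings.push({ url: url.slice(0, 40), ...dim, verdict });
    }
  }
  return findings;
}

// Constructed sample input: a 24-byte PNG header (signature + start of IHDR), base64-encoded.
function constructedPngHeader(width, height) {
  const b = Buffer.alloc(24);
  PNG_SIG.copy(b, 0);
  b.writeUInt32BE(13, 8); // IHDR data length
  b.write("IHDR", 12, "latin1");
  b.writeUInt32BE(width, 16);
  b.writeUInt32BE(height, 20);
  return b.toString("base64");
}

// Constructed stylesheet: a keyword cursor, a normal-sized image, an oversized one, a remote one.
const SAMPLE_CSS = `
  .resize { cursor: nwse-resize; }
  .game   { cursor: url("data:image/png;base64,${constructedPngHeader(32, 32)}") 4 4, auto; }
  body    { cursor: url(data:image/png;base64,${constructedPngHeader(256, 256)}), default; }
  a.ext   { cursor: url(https://example.test/pointer.cur), pointer; }
`;
console.log(auditCursors(SAMPLE_CSS));
```

Keyword cursors such as `nwse-resize` carry no image and are not reported; only site-supplied images are sized.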
I'm so happy that Chrome is the new Internet Explorer. Look at all of the great reasons to use Chrome.
So, what useful feature was this meant to support?
We live in a world where it has been well known the web is full of malicious actors for 20 years. So why is it we keep making browsers able to do more and more stupid shit which cause problems?
Sorry, but I'm already using blockers to block the third party assholes, scripts, cookies, web-bugs, and the countless list of assholes and parasites I don't want as part of my browsing experience.
Why the hell are we letting a fucking browser change the OS cursor again?
Oh, wait, it's in Chrome, I'm sure the assholes in marketing had some useless shiny bullshit in mind.
Sorry, it's bullshit like this why I don't let most sites run scripts, and the third parties who add nothing to the page experience get blocked -- it's impossible to know which are merely greedy assholes, and which are malicious assholes so the only solution is block them all.
Repeat it after me: Do not run random unknown and untrusted scripts by default.
Time after time after time we see the same story. Vulnerability after vulnerability is exploited, malicious behavior after malicious behavior, blocking cut and paste, blocking back buttons, delivering malware, demonstrated attacks against Spectre and Meltdown, scraping data you didn't want scraped, annoy-ware, auto-playing audios, auto-playing videos, it's literally a weekly event that we see some new form of shitware delivered by Javascript from some weird domain as one of the hundred or more used by some site.
JUST SAY NO.
Running scripts given to you by sources who do not have your interests in mind is idiotic. It was not a good idea when it started, and it is not a good idea now.
How much shit-ware do we need, before we learn that giving such a massive attack surface to any of a hundred random domains used by some site you connect to is not a good idea? How much malware packaged up with ads? Why would you allow some random ad from some unknown source to run code on your system?
Turn that shit off. It's time.
But Anonymous Coward! The web is broken like that!!one! Partially, but only because all of you idiots with JS enabled by default taught those sites that you would happily do anything they wanted you to do. If they said "jump" you asked "how high sir?"
But Anonymous Coward! I need to use JS to give you my crapware! I don't care. It's my computer, and I will decide what it does. Not you.
It's time to start teaching them the opposite lesson. Turn it off. If a site is broken that way when all it had to do was show you some text and pictures, or link to a video or two, that site was not your friend.
I'm getting real sorely tempted to save this message and paste it in every time we hear of Yet Another Malicious Use Of Web Delivered Scripts.
AC out.
How do you know when you're at a resizable corner of an object? Your cursor changes
Ideally, one of the following would be the case:
A. The user hasn't yet whitelisted JavaScript on the domain and therefore the site neither knows nor cares where the user is "at".
B. The user has whitelisted JavaScript on the domain but not site-supplied cursor images. The site changes the cursor to a system-defined resize cursor, not an image supplied by the site.
C. The user has whitelisted cursor theming for this site. This would rarely happen except for games.
Ok Google now please stop advertising those scams!
It's time to start teaching them the opposite lesson. Turn it off. If a site is broken that way when all it had to do was show you some text and pictures, or link to a video or two, that site was not your friend.
Without script, how would an HTML document representing a chat channel pull in new messages? As far as I can tell, it'd need to rely on an iframe that sends <meta http-equiv="refresh" content="10;url=http://example.com/" /> which would cause an annoying flash every 10 seconds as the entire message pane reloads from scratch.
Or would you instead prefer that the website offer a companion native app? Some sites do, but rarely for all relevant platforms (Windows, macOS, X11/Linux AMD64, X11/Linux ARM, iOS, and Android). And even on platforms where the companion native app is available, it's rarely RAM-efficient; I measured the Electron-based Skype for Linux app as using over 500 MB of RAM.
Or would you instead prefer that the website offer service using a standard protocol, such as IRC, to which the user can connect using an existing native application that the user can easily obtain for all major platforms? Limits of the IRC protocol include no avatar images, no chat history (even if a channel wants to use it), no sending files from a device behind NAT, and no reactions to a message.
Have these people not heard of ALT-F4? CTRL-W? CTRL-SHIFT-ESC? ALT-M? ALT-D?
I mean pretty much any random combination of key presses will get you out.
Reminds me of the good old days when we used to replace the cursor with a 1 pixel dot on the school computers.
"...and lock users inside browser pages by preventing them from closing and leaving browser tabs."
Ummm, is it soooo hard to use CTRL-F4 to close a tab on Windows or Linux?
Locked in a browser tab, oh noes! So scary.
Just cruising through this digital world at 33 1/3 rpm...
There's de-maximizing the application to increase cursor mobility, using the tab-element context menu to close a tab, or for really clever people, using the Windows keyboard-shortcut to close a tab. Why is a custom cursor allowed on a Windows UI element? That's the problem, how about unloading a custom cursor when it leaves the client area?
Hey, Google,
How about fixing the "You have become a massively Evil company" problem.
Google is the new Microsoft.
I agree that custom cursors are a very useful feature. But if I understand this correctly, web pages could previously change the cursor shown when hovering over the Google Chrome chrome, i.e. address bar, tabs, scrollbar, borders and alerts. I thought for a webpage to change the browser UI (outside the content pane) is a big no-no. Does the CSS spec really call for this?
Now fix Android. That evil cursor keeps jumping around when I type, adding letters, deleting entire words, before slowing down excruciatingly and spitting out a handful of letters as I wait for it to catch up to my typing.
What the fuck Google, this is very basic input
Where can I get me some of those extra-large cursors the article is referring to?
I have a 4K monitor, and while I run it without rescaling anything, sometimes I find myself searching for the cursor (which could very well be on one of my secondary monitors), and wouldn't mind a larger one. I realize rescaling to 125, 150 or even 200% would take care of that, but that would resize *everything*. I just need larger than 32x32 cursors.