Google Goes On Offensive vs. JavaScript Attacks 108
alphadogg writes "Google's e-mail security team has updated its Postini engine to stop a new type of JavaScript attack that helped fuel a rise in spam volume in recent months.
Google says it has seen a surge in obfuscated JavaScript attacks, describing them as a hybrid between virus and spam messages. The e-mails are designed to look like legitimate messages, specifically Non Delivery Report messages, but contain hidden JavaScript.
'In some cases, the message may have forwarded the user's browser to a pharma site or tried to download something unexpected,' Google said in its official blog."
JS in email text? (Score:5, Insightful)
User should just have an option to execute or not JS in the email text. Problem solved.
Re:JS in email text? (Score:5, Insightful)
JavaScript needs to go. (Score:1, Insightful)
JavaScript has long outlived its usefulness. If the trend is to write large-scale applications targeting the browser, we should at least do it with a real programming language, not a half-baked scripting language that was stuck into Netscape Navigator as a hack 15 years ago.
Google, Opera, Apple and Mozilla need to get languages like Python, Ruby, Scheme and Erlang available in the browser. You know, real languages with the features necessary to write larger and more secure applications. We should stop jerking around with JavaScript, a rather pathetic scripting language that has been pushed far past what it was ever intended to handle.
Who the F*** has javascript turned on their mail? (Score:4, Insightful)
Like, wow... just wow.
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?
Re:Who the F*** has javascript turned on their mai (Score:3, Insightful)
WTF? (Score:1, Insightful)
If your email client even knows how to execute Javascript (let alone makes decisions about whose scripts to trust and whose not to), then you're doing something wrong.
What's next, are people going to start building javascript interpreters into grub, iwconfig, pvcreate and ionice?
Re:Who the F*** has javascript turned on their mai (Score:5, Insightful)
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
As always, this sentiment annoys me.
Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune. No one is born knowing "I should not enable javascript in my e-mail." If this slipped through google, who I expect to be better than the average user, who the hell are you to say the average user should have known better and deserves it?
Disable active content already! (Score:1, Insightful)
It's what I keep repeating time and again. Active content (Javascript, Flash, Java, ActiveX (ick!) is a very bad idea in a browser (an even worse idea in a mail reader). It's like having a gullible ward at the front door, willing to execute whatever instructions a complete stranger gives them.
Fuck "rich web experience". Rich means here "rich in exploits", nothing else.
And every "sandbox", "security container", whatnot -- just leads to a "Gödel, Escher, Bach"-style arms race [wikipedia.org].
I have a dream. That people understand the Internet as a means of conveying useful information, not "rich", "web", "experiences" or whatever incongruent marketeer's bable is "in" these days.
Lawn and that.
I'm still waiting for... (Score:3, Insightful)
...an effective attack vector against mutt.
plain text (Score:4, Insightful)
Re:Don't want to post OT but... (Score:4, Insightful)
Going outside doesn't really help : plenty of ads there , and adblock doesn't work on them .