Google Security Technology

Google Goes On Offensive vs. JavaScript Attacks 108

Posted by CmdrTaco
from the isn't-most-javascript-offensive dept.
alphadogg writes "Google's e-mail security team has updated its Postini engine to stop a new type of JavaScript attack that helped fuel a rise in spam volume in recent months. Google says it has seen a surge in obfuscated JavaScript attacks, describing them as a hybrid between virus and spam messages. The e-mails are designed to look like legitimate messages, specifically Non Delivery Report messages, but contain hidden JavaScript. 'In some cases, the message may have forwarded the user's browser to a pharma site or tried to download something unexpected,' Google said in its official blog."
  • JS in email text? (Score:5, Insightful)

    by mapkinase (958129) on Tuesday July 20, 2010 @11:30AM (#32966190) Homepage Journal

    User should just have an option to execute or not JS in the email text. Problem solved.

    • by yincrash (854885) on Tuesday July 20, 2010 @11:35AM (#32966288)
      What legitimate reason is there to accept JS? Your friend isn't going to send you javascript, and a mailing list that uses HTML still has to cater to as many clients as possible which means they still use tables for layout.
    • Computers prompting user action in order to compute is never going to be the solution.
      • Computers prompting user action in order to compute is never going to be the solution.

        That's funny, ClickToFlash works well for me. If the desired default action is to not waste time/resources computing, it makes a lot of sense to require user input to enable something. Same goes for attachments in my mobile mail client - I click on them when I want to see them, otherwise, they're left un-downloaded.

        In the case of javascript in emails, you'd have to think of a very good reason to make it worthwhile for me to turn it on - the attack surface opened up is just too great to justify having it on

    • Google doesn't want to execute JS in emails, and never did. Nobody should (nor does) allow JS in email afaik. The problem is the JS is executing *anyway*, despite Google's filters. They found a crack in the filtering and are exploiting it; not because *gmail* executes javascript but because *your browser* does.

      Such an option would make email more vulnerable, not less, since some people would set it to "execute", when everyone should be "don't execute".

      • Exactly. The real problem is turning a browser into an email reading program. That's the downside of going from native apps for everything to the-browser-is-the-OS type thinking. It's only going to get worse.
    • by yuhong (1378501)
      For example, OE can set HTML to execute in Restricted Zone, and I think it has been the default since 2002. And it not only disables JS, but also other nasty stuff too like I think ActiveX controls.
    • by yuna49 (905461)

      MailScanner [mailscanner.info] has had the option of "disarming" scripts in email for years now.

      Allowing scripts in email messages is as bad as allowing them in advertisements [slashdot.org] on web sites.

  • ...could this site have *any* more ads? Good lord, 15 seconds and there have already been THREE inline popup ads and a redirect ad, in addition to all the crap surrounding the article.
    • Re: (Score:3, Funny)

      Well, it is a story about Google. =P
    • Re: (Score:3, Funny)

      by Anonymous Coward

      Don't worry, you were completely on topic, even if you didn't know it. The topic is disabling javascript to prevent bad things on the Internet.

    • This story is aimed at people who already use NoScript, so that's why they don't feel bad about layering them in there.

    • by guruevi (827432)

      I think you might have some more issues with your computer then. I have never seen any intrusive ads on Slashdot, definitely no popup ads. Actually, at this point I don't have any ads.

    • by selven (1556643)

      You could try any of the following:

      1) Check the "disable advertising" box on the main page
      2) Adblock (I heard the Chrome one got a lot better very recently)
      3) Privoxy
      4) Lynx, wget, etc.
      5) Go outside for a change

    • by mcgrew (92797) *

      I see this is the only website you ever visit. Go to any newspaper site and the ads will make your eyes bleed. ...hmmm, maybe I should log out and look at it, I'm probably not seeing all the ads here.

    • by hairyfeet (841228)

      Noscript+ABP = happiness and joy for one and all! As for TFA, I have been saying for years that JavaScript will end up (I would say it already has) as bad for security as ActiveX was back in the day. Running code from God knows where is NEVER a good idea! Sandboxes and all that crap are simply putting band aids on bullet wounds. What we need is a new language that is locked down and compartmentalized from the start, not these hacks like sandboxing.

      Let's be honest, folks: Neither ActiveX nor JavaScript were

      • by Ashriel (1457949)

        Actually, the sandboxing in javascript is very effective, which has led to all sorts of hacks and add ons to the initial language to escape the sandbox - usually for legitimate reasons

        Not saying that XSS isn't a real security issue, but that's not a flaw in javascript (XSS attacks are bound by the sandbox like any other bit of javascript), that's a case of not properly scrubbing user input, same as SQL injection.

        Perhaps a CPU/GPU "jail" combined with a locked down language?

        Actually, most of the big players are more concerned right now with how to relax restrictions on

        • by hairyfeet (841228)

          I would love to know why I got modded down when this whole article is about Google having to lock down JavaScript in their email client. I use ABP and NoScript, but what I use doesn't matter. As the PC repair guy that has to deal with cleaning your aunt Edna's PC when she gets pwned, what matters is what happens when SHE surfs. And unfortunately when she surfs she is running IE or some other browser and thanks to JavaScript, along with Reader and Flash, she most likely WILL get infected. I mean when you type

        • Actually, the sandboxing in javascript is very effective

          Really? Let's compare it with the sandbox that we all use most often: the process. This is a hardware-assisted sandbox that prevents a bit of running code from interacting with the system without going via a designated arbiter (i.e. the kernel). The JavaScript sandbox is a pure-software sandbox that prevents a bit of running code from interacting with the system without going via a designated arbiter (i.e. the browser).

          Now, compare the number of vulnerabilities that allow JavaScript to escape from th

      • I prefer simply NoScript + FlashBlock. I don't care about ads that are well behaved and aren't scripted. I do care about ads that use JavaScript or Flash and act like temperamental two year olds hopped up on sugar.

        Plus there's the whole issue of JavaScript/Flash constantly being used as an infection vector. So in the past few years it's become more about safety in blocking scripts than about blocking ads. I'm tired of cleaning off machines that were infected via ads or other JavaScript/Flash vectors.
        • by hairyfeet (841228)

          I give all my customers ABP with Firefox, and I've noticed infections going down a good 75%. I just really wish either someone would fork NoScript, or talk the developer into listening to his audience. NoScript is TOO COMPLEX for the average Joe, and frankly this problem could be fixed quite easily if the developer would listen: It needs an "easy mode" where beside the NoScript button is a simple "play video" button. Because every time I've tried to give NoScript to average folks, they spend too long clicki

    • by lpq (583377)

      Oi vey.

      Have you ever heard of Firefox? AdBlock? NoScript?

      Stop your whining and choose a solution.

      Don't say you don't have a choice.

      You do -- and right now, you are choosing your popups and ads and redirect problems.

      They aren't many, but when I see people complain about ad-block and popups on articles -- and then read about people talking about nobody using AdBlock or NoScript I gotta wonder -- what's wrong with these people.

      Besides -- both firefox and IE block popups in the browser. What type of lame br

  • by Anonymous Coward

    JavaScript has long outlived its usefulness. If the trend is to write large-scale applications targeting the browser, we should at least do it with a real programming language, not a half-baked scripting language that was stuck into Netscape Navigator as a hack 15 years ago.

    Google, Opera, Apple and Mozilla need to get languages like Python, Ruby, Scheme and Erlang available in the browser. You know, real languages with the features necessary to write larger and more secure applications. We should stop jerki

    • The language originally proposed for Netscape Navigator, before "needs to become popular" and "remind people of Java" ruled it out.

      • Re:Scheme (Score:5, Interesting)

        by vbraga (228124) on Tuesday July 20, 2010 @11:46AM (#32966502) Journal

        JavaScript itself is not problem, even if "use strict" would come handy. The biggest problem is DOM and other associated APIs a JavaScript programmer must deal with. It's horrible. But along good practices (Crockford's Javascript The Good Parts come to mind) it is a very nice language to deal with.

        Take a look at Crockford's JavaScript: The World's Most Misunderstood Programming Language [crockford.com] for reference.

        • by 0123456 (636235)

          JavaScript itself is not problem, even if "use strict" would come handy.

          Allowing people to execute arbitrary code on your machine has always been a bad idea. When we have to build multiple sandboxes around it to prevent it from doing things that the end user doesn't want it to do then clearly it's broken by design.

          • It's not the language at fault, it's the design of the architecture. The same architecture design would have the same flaws even if Erlang or Python was used instead of Javascript.

            • by FlyingGuy (989135)

              Don't waste your breath, those language fanboys cannot be bothered with actually understanding that it is the RT environment that is the problem, not the language.

          • So virtually any binary executable is a bad thing? Or am I misunderstanding what you're saying?

            • Potentially. Would you like it if your browser downloaded and ran arbitrary exes when you visited a website?

              • My point is that every time you download a binary blob of anything, you are potentially allowing people to execute arbitrary code (I say potentially as more and more OSes have fine-grained control over what programs can actually do, so unlike in eg the DOS days, a binary isn't as free to do anything at all as it used to be). I mean even with a program like Firefox, I've looked at the source code maybe a handful of times...there could be anything in there. It could be phoning home and downloading botnet instr

          • Nonsense. There's nothing per-se wrong with Turing completeness, see things like Postscript and SVG. It's the APIs in and out of the interpreter, which admittedly is *very* easy to screw up (see things like PDF and Flash).
        • by bjartur (1705192)

          Honestly, I've just never understood why I'd want to run a whole program inside my web browser.

      • I don't recall anything Scheme related in Navigator.

        Livescript is now Javascript.

    • by Enleth (947766)

      Do you even know anything about this language beyond status bar text scripts and document.write? ECMAScript, the actual language we're speaking about (as opposed to the language/standard library combo JS actually is) is a sophisticated mix of functional (good for event-driven code) and procedural (good for general-purpose code) programming features augmented with prototype-based OOP (allows for a decent DOM implementation). The design is not as good as Python's (IMHO), but it's second to it in allowing pro

  • Like, wow... just wow.

    I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.

    So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?

    • by name_already_taken (540581) on Tuesday July 20, 2010 @11:47AM (#32966520)
      Don't most email clients that display html format messages use one of the popular rendering engines, like Webkit? Presumably the html portion of the message is just passed to the rendering engine and the javascript magic happens.
      • Don't most email clients let you turn off HTML rendering in received messages?

        • Re: (Score:3, Informative)

          by amicusNYCL (1538833)

          In this case the email client is the web browser. I'm not sure if gmail allows you to disable HTML in the emails you receive.

        • Re: (Score:2, Funny)

          by JxcelDolghmQ (1827432)

          I'm quite certain that it would be counterproductive to turn off HTML rendering in the most popular email client for gmail: The web browser.

      • by Graff (532189)

        Don't most email clients that display html format messages use one of the popular rendering engines, like Webkit? Presumably the html portion of the message is just passed to the rendering engine and the javascript magic happens

        Which is exactly why I ONLY view my e-mail in plain text. If your message has anything other than plain text then it better be a MIME attachment that I can validate BEFORE I open it.

        HTML (et al.) are just bolted onto e-mail and it shows. If you want your e-mail to be slow loading, poorly-formatted, tons of obnoxious graphics, and full of unnecessary data then by all means turn on the HTML-in-e-mail features in your e-mail client. Just don't expect me to read it if that client doesn't send me a e-mail that g

      • Yes and no. When they pass the message off to the web rendering engine, they either set it to the 'really don't trust this' mode, requiring user intervention to load images and disabling scripts, or they strip these first. They used to just pass it straight off, but a string of email viruses in the late '90s put an end to this kind of stupidity.
    • Probably the same people who thought it would be a good idea to allow javascript to run in a browser.

      Heyoooooo

      • by mark-t (151149)
        Sure, but you have to explicitly go to a page to get the content of it... it isn't just sent to you without asking for it, like email is.
        • You have to open an email to access the javascript.

          And if I do not necessarily want Javascript to run on a page I explicitly go to? What are my options? Disable Javascript of course!

          Luckily for most people - Javascript is defaultly* disabled in most email clients, so the only reason this would be a threat is if its misconfigured.

          *I think I just made that word up. I love english, you can form new words and people will still understand your message.

          • *I think I just made that word up. I love english, you can form new words and people will still understand your message.

            Well, I guess that's more common than you think

            The word 'defaultly' [ancestry.com], I meant. :D

    • Re: (Score:3, Insightful)

      by Wiarumas (919682)
      I'd assume a vast majority of people don't even know what javascript is let alone why it is potentially dangerous. Sometimes you have to consider your users - which sometimes means you have to consider the ignorant, non-technical masses (ie: email users). Sure, you can feed them to the wolves, but it will come back and bite you somehow.
    • Nobody is allowing javascript in emails. This is a BUG in Gmail's code, not the user's fault. You use a browser to see your email. Spammers managed to somehow escape JS code and pass it through all of google's filters and execute it in your browser.
      • by Qzukk (229616)

        This is a BUG in Gmail's code, not the user's fault

        LOL no. I've been getting these spams for a week or so now. It looks like the usual undeliverable mail message, "see attachment for details", but instead of the attachment being an email message it's an HTML file. So the user clicks on Returned Mail.html and goes wherever the javascript takes them.

        • by weicco (645927) on Tuesday July 20, 2010 @12:27PM (#32967176)

          I just tested this. I sent a message to my Hotmail box with an HTML file as attachment. The HTML file contains a single script tag with document.location = 'http://google.com' inside. I opened the mail and opened the attachment. Internet Explorer asks if I want to save "test.html" or open it. This should ring bells big time but I understand that a normal user doesn't get it and goes and opens the attachment. So I went and clicked Open and was redirected to google.com.

          Now if I save the file and try to open it from the local folder I get nice yellow warning bar telling me that the file contains An Evil Script and if I really, really want to open it I must explicitly allow the script to run. If I go and allow the script then I'm at google.com again.

          It seems that this is a simple, direct and rather effective attack against Joe Averages who just want to get rid of the stupid warning dialogs and open up everything that is sent to them. If Google can come up with a generic solution for this, other than trying to rip off every HTML tag from the mails and their attachments, I really applaud them.

          Maybe the browser shouldn't be allowed to be redirected outside the current domain by default? But then again, there would have to be warning dialog for that and Joe Average would still be out of luck.
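The lure weicco tested above (a bounce-lookalike whose "Returned Mail.html" attachment redirects the browser from a script tag), together with the script "disarming" that the MailScanner and rendering-engine comments describe, as an added example. This is not code from the original thread, from Google, Postini or MailScanner; the sample message and its attachment are constructed here to mimic the DSN quoted in the thread, and the `analyse()`, `classify_html()` and `disarm_html()` helpers, their indicator names and the "block/pass" verdict are this example's own assumptions. The obfuscation heuristic goes slightly beyond the thread's plain `document.location` case by also flagging `eval`/`unescape`/`fromCharCode` and runs of percent-encoded bytes.

```python
"""Triage an NDR-lookalike e-mail carrying an active HTML attachment.

Added example, not code from Google, Postini, MailScanner or any commenter.
The sample message and its attachment are constructed here to mimic the
lure quoted in the thread; the heuristics and the hypothetical
analyse()/classify_html()/disarm_html() helpers are this example's own.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed payload: a redirect in a <script> element plus an inline event
# handler that hides its code behind unescape(), the kind of obfuscated
# JavaScript the story describes.
SAMPLE_HTML = """<html><body>Returned mail details
<script>document.location = 'http://example.invalid/';</script>
<img src="x" onerror="eval(unescape('%61%6c%65%72%74%28%31%29'))">
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)
HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.I)
REDIRECT_RE = re.compile(r"(?:document|window)\.location|location\.(?:href|replace)", re.I)
OBFUSCATION_RE = re.compile(
    r"\b(?:eval|unescape|fromCharCode|document\.write)\b|(?:%[0-9a-f]{2}){4,}", re.I)


def build_sample() -> bytes:
    """Build the constructed NDR-lookalike as raw message bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Delivery Status Notification (Failure)"
    msg["From"] = "Mail Delivery Subsystem <mailer-daemon@example.invalid>"
    msg["To"] = "myself@example.invalid"
    msg.set_content("Note: Forwarded message is attached.\n"
                    "THIS IS A WARNING MESSAGE ONLY.\n")
    msg.add_attachment(SAMPLE_HTML, subtype="html", filename="Returned Mail.html")
    return msg.as_bytes()


def is_ndr_lookalike(msg) -> bool:
    """Does the envelope dress itself up as a bounce?"""
    subject = str(msg["Subject"] or "").lower()
    sender = str(msg["From"] or "").lower()
    return ("delivery status" in subject or "undeliver" in subject
            or "mailer-daemon" in sender)


def html_attachments(msg):
    """Yield (filename, text) for every attachment a browser would render."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            content = part.get_content()
            if isinstance(content, bytes):
                content = content.decode("utf-8", "replace")
            yield name, content


def classify_html(html: str) -> list:
    """Return the active-content indicators present, in a fixed order."""
    checks = (("script", SCRIPT_RE), ("event_handler", HANDLER_RE),
              ("redirect", REDIRECT_RE), ("obfuscation", OBFUSCATION_RE))
    return [label for label, rx in checks if rx.search(html)]


def disarm_html(html: str) -> str:
    """MailScanner-style disarming: neutralise script elements, inline
    handlers and javascript: URLs so the file no longer runs if opened."""
    out = SCRIPT_RE.sub("<!-- script removed by filter -->", html)
    out = re.sub(r"(\s)(on[a-z]+)(\s*=)", r"\1data-disarmed-\2\3", out, flags=re.I)
    out = re.sub(r"javascript\s*:", "disarmed:", out, flags=re.I)
    return out


def analyse(raw: bytes) -> dict:
    """Parse a raw message and decide whether to block it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"ndr_lookalike": is_ndr_lookalike(msg), "attachments": []}
    for name, html in html_attachments(msg):
        report["attachments"].append({"filename": name,
                                      "indicators": classify_html(html),
                                      "disarmed": disarm_html(html)})
    # Block only on the combination: a fake bounce AND an active HTML attachment.
    # A genuine DSN is multipart/report carrying message/delivery-status and the
    # original headers or message, not a text/html file.
    active = any(a["indicators"] for a in report["attachments"])
    report["verdict"] = "block" if report["ndr_lookalike"] and active else "pass"
    return report


if __name__ == "__main__":
    r = analyse(build_sample())
    for a in r["attachments"]:
        print(a["filename"], a["indicators"])
    print("verdict:", r["verdict"])
```

Two caveats a practitioner would want. First, regex disarming is a filter heuristic, not a sanitiser: browsers parse HTML permissively, so malformed markup that a regex skips can still execute once the file is opened from disk, which is why a gateway should prefer quarantining or dropping an HTML attachment on a bounce-lookalike outright rather than trusting the disarmed copy. Second, the decision above keys on the combination of a forged bounce envelope and active HTML content, because a real delivery-status notification never needs to carry an HTML file; that combination is what makes the rule cheap to apply and hard for the spammer to satisfy without giving up the lure.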

    • So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?

      Software engineers who are even dumber than the users.

    • by interkin3tic (1469267) on Tuesday July 20, 2010 @12:09PM (#32966862)

      I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.

      As always, this sentiment annoys me.

      Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune. No one is born knowing "I should not enable javascript in my e-mail." If this slipped through google, who I expect to be better than the average user, who the hell are you to say the average user should have known better and deserves it?

      • by blueskies (525815)

        Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune.

        Does that mean that no one deserves fortune either? Or if people deserve things because of actions they take, if someone deserves fortune because they worked hard, doesn't that suggest that the lazy and ignorant deserve misfortune?

        • Does that mean that no one deserves fortune either?

          It does not mean that, no.

        • Does that mean that no one deserves fortune either? Or if people deserve things because of actions they take, if someone deserves fortune because they worked hard, doesn't that suggest that the lazy and ignorant deserve misfortune?

          Fortune is due to many things, the actions you take are but one aspect. Therefore, it is a flawed assumption that fortune is something you deserve solely because of the actions you take.

          Also, there is a difference between rewarding someone for contributing to society (aka, earnin

        • if someone deserves fortune because they worked hard, doesn't that suggest that the lazy and ignorant deserve misfortune?

          I suppose that's your implication. If someone deserves fortune because they work hard - that does not mean that someone who doesn't work hard doesn't also deserve fortune. Hate to be pedantic, but something being true does not mean the opposite is true. (Being good with my right hand does not mean being bad with my left, as there are people who are ambidextrous)

      • by wkcole (644783)

        I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.

        As always, this sentiment annoys me.

        Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune. No one is born knowing "I should not enable javascript in my e-mail." If this slipped through google, who I expect to be better than the average user, who the hell are you to say the average user should have known better and deserves it?

        One need not have any technical expertise to know what a free service from a profit-making enterprise ultimately will be worth. Anyone who expects a free service from a corporation which exists to make money to be anything other than shoddy is assured disappointment. That is something that any competent adult in a money-driven society should understand. No matter how many of the self-defined best and brightest are gathered together and no matter how slick they are at selling the idea that they are dedica

    • by Qzukk (229616)

      The javascript is in a file attached to the email. I've got dozens of them in my spam folder. Here's the entire content of one:
      Subject: Delivery Status Notification (Failure)
      From: Mail Delivery Subsystem [mailer-daemon@my domain]

      Note: Forwarded message is attached.

      This is an automatically generated Delivery Status Notification

      THIS IS A WARNING MESSAGE ONLY.

      Delivery to the following recipient has been delayed:

      myself@my domain

      Message will be retried for 2 more day(s)

      Attached is

    • by antdude (79039)

      What's the point of JavaScript in e-mails anyways? For HTML e-mails?

    • by dissy (172727)

      Like, wow... just wow.
      I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.

      So wait, you are claiming that average Joe is supposed to automatically know better about technology than GOOGLE?!

      And yet you are calling someone Else stupid?! Wow, just wow

    • by wkcole (644783)

      So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?

      Netscape and Microsoft, in the mid-90's, when they were both known for hiring fresh grads based on GPA and driving away experienced developers who understood their own fallibility.

      Google is not particularly innovative in their design errors or how they got them.

  • by GNUALMAFUERTE (697061) <almafuerte@@@gmail...com> on Tuesday July 20, 2010 @11:49AM (#32966560)
    TFA should have read: "Google has found a vulnerability in its gmail code that could be used to execute arbitrary JS code in the user's browser".

    Instead, they played that down and used the "we are fighting JS attacks" phrase as if that was normal or common.

    Failing to properly escape JS/HTML/CSS in a webservice is a MAJOR vulnerability.
    • "Fortunately, our spam traps were receiving these messages early, providing our engineers with advanced warning, which allowed us to write manual filters and escalate to our anti-virus partners quickly"

      So - basically, it was being filtered to junk or spam, as most javascript enriched emails do.

      "we are fighting JS attacks" is normal and common when you deal with a web service. All email clients (from Yahoo, to Hotmail to Gmail and beyond) disable javascript by default. Only if you are misconfigured would you be at risk. But Google basically now can filter out those emails based on their underlying code - so that if you WANT to run Javascript in your email, you won't be hit by this attack.

    • by IamTheRealMike (537420) <mike@plan99.net> on Tuesday July 20, 2010 @12:15PM (#32966952) Homepage
      No, the JavaScript is in an attachment. It's not being rendered by any email product.
  • WTF? (Score:1, Insightful)

    by Anonymous Coward

    If your email client even knows how to execute Javascript (let alone makes decisions about whose scripts to trust and whose not to), then you're doing something wrong.

    What's next, are people going to start building javascript interpreters into grub, iwconfig, pvcreate and ionice?

  • Pedantic (Score:3, Informative)

    by amicusNYCL (1538833) on Tuesday July 20, 2010 @12:44PM (#32967488)

    If Google is responding to existing attacks, wouldn't they be going on the defensive?

  • by Anonymous Coward

    It's what I keep repeating time and again. Active content (Javascript, Flash, Java, ActiveX (ick!) is a very bad idea in a browser (an even worse idea in a mail reader). It's like having a gullible ward at the front door, willing to execute whatever instructions a complete stranger gives them.

    Fuck "rich web experience". Rich means here "rich in exploits", nothing else.

    And every "sandbox", "security container", whatnot -- just leads to a "Gödel, Escher, Bach"-style arms race [wikipedia.org].

    I have a dream. That people

  • Amazing (Score:3, Funny)

    by dr. chuck bunsen (762090) on Tuesday July 20, 2010 @12:56PM (#32967672)
    This is the exact reason that I NEVER use the internet. Just too dangerous these days...
  • by pongo000 (97357) on Tuesday July 20, 2010 @01:03PM (#32967776)

    ...an effective attack vector against mutt.

  • Postini is NOT GMail (Score:3, Informative)

    by RandomFactor (22447) on Tuesday July 20, 2010 @01:04PM (#32967786)

    Because of the confusion that seems rampant...

    Postini is an anti-spam/anti-virus mail filtering service that sits between your mail system and the internet. Companies (mostly) use it to stop malicious emails getting into their internal mail systems. GMail is a web-mail system which is probably protected by Postini also since Google owns both.

    • Re: (Score:3, Informative)

      Because of the confusion that seems rampant...

      Postini is an anti-spam/anti-virus mail filtering service that sits between your mail system and the internet. Companies (mostly) use it to stop malicious emails getting into their internal mail systems. GMail is a web-mail system which is probably protected by Postini also since Google owns both.

      Interestingly enough, Gmail doesn't use Postini unless you purchase Google Apps Premier and enable Postini for GApps Gmail. Gmail by itself uses its own independently developed anti-spam technology. This is straight from the horse's mouth @ Google Enterprise Support.

  • plain text (Score:4, Insightful)

    by SgtChaireBourne (457691) on Tuesday July 20, 2010 @01:08PM (#32967834) Homepage
    plain text : it was good enough for Shakespeare
  • Just been hit starting 30 minutes ago by a wave of delivery failure notifications but the preceding message (to which it is a reply) looks like one from me - spam to a bunch of people including some addresses I recognize. Gmail account now disabled. Seems a hell of a coincidence that this is happening just after this report about Gmail JavaScript problems. Never had anything like this before.
