Google Goes On Offensive vs. JavaScript Attacks
alphadogg writes "Google's e-mail security team has updated its Postini engine to stop a new type of JavaScript attack that helped fuel a rise in spam volume in recent months.
Google says it has seen a surge in obfuscated JavaScript attacks, describing them as a hybrid between virus and spam messages. The e-mails are designed to look like legitimate messages, specifically Non Delivery Report messages, but contain hidden JavaScript.
'In some cases, the message may have forwarded the user's browser to a pharma site or tried to download something unexpected,' Google said in its official blog."
JS in email text? (Score:5, Insightful)
User should just have an option to execute or not JS in the email text. Problem solved.
Re:JS in email text? (Score:5, Insightful)
Re:JS in email text? (Score:5, Funny)
Your friend isn't going to send you javascript
You clearly don't hang out with my group of friends.
Re: (Score:2, Informative)
I hate to say it, but Cheap Canadian Online Pharmaceuticals is not your friend.
Re: (Score:2)
Your manual analysis of the text of the email, the sender, using common sense. Whenever I get html-rich emails from my bank or other organizations, I am always able to parse the meaning of what I have to do in response just by looking at the plain text.
Re: (Score:1)
Re: (Score:2)
Computers prompting user action in order to compute is never going to be the solution.
That's funny, ClickToFlash works well for me. If the desired default action is to not waste time/resources computing, it makes a lot of sense to require user input to enable something. Same goes for attachments in my mobile mail client - I click on them when I want to see them, otherwise, they're left un-downloaded.
In the case of javascript in emails, you'd have to think of a very good reason to make it worthwhile for me to turn it on - the attack surface opened up is just too great to justify having it on
Insightful? Really? (Score:1)
Google doesn't want to execute JS in emails, and never did. Nobody should (nor does) allow JS in email afaik. The problem is the JS is executing *anyway*, despite Google's filters. They found a crack in the filtering and are exploiting it; not because *gmail* executes javascript but because *your browser* does.
Such an option would make email more vulnerable, not less, since some people would set it to "execute", when everyone should be "don't execute".
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
MailScanner [mailscanner.info] has had the option of "disarming" scripts in email for years now.
Allowing scripts in email messages is as bad as allowing them in advertisements [slashdot.org] on web sites.
Don't want to post OT but... (Score:2, Funny)
Re: (Score:2)
What are these "ads" things that you refer to? Never seen any.
I think ads are these things (images? blocks of text?) that Internet Explorer puts into webpages to annoy and distract their users. I could be wrong, though - I've never seen them either, since I don't use Microsoft products.
Re: (Score:3, Funny)
Re: (Score:3, Funny)
Don't worry, you were completely on topic, even if you didn't know it. The topic is disabling javascript to prevent bad things on the Internet.
Re: (Score:2)
This story is aimed at people who already use NoScript, so that's why they don't feel bad about layering them in there.
Re: (Score:2)
I think you might have some more issues with your computer then. I have never seen any intrusive ads on Slashdot, definitely no popup ads. Actually, at this point I don't have any ads.
Re: (Score:2)
You could try any of the following:
1) Check the "disable advertising" box on the main page
2) Adblock (I heard the Chrome one got a lot better very recently)
3) Privoxy
4) Lynx, wget, etc.
5) Go outside for a change
Re:Don't want to post OT but... (Score:4, Insightful)
Going outside doesn't really help: plenty of ads there, and adblock doesn't work on them.
Re: (Score:1)
Going outside doesn't really help: plenty of ads there, and adblock doesn't work on them.
Not necessarily true (somewhat). [boingboing.net]
Re: (Score:2)
I see this is the only website you ever visit. Go to any newspaper site and the ads will make your eyes bleed. ...hmmm, maybe I should log out and look at it, I'm probably not seeing all the ads here.
Re: (Score:1)
Re: (Score:2)
Actually, the sandboxing in javascript is very effective, which has led to all sorts of hacks and add ons to the initial language to escape the sandbox - usually for legitimate reasons
Not saying that XSS isn't a real security issue, but that's not a flaw in javascript (XSS attacks are bound by the sandbox like any other bit of javascript), that's a case of not properly scrubbing user input, same as SQL injection.
Perhaps a CPU/GPU "jail" combined with a locked down language?
Actually, most of the big players are more concerned right now with how to relax restrictions on
Re: (Score:2)
Re: (Score:2)
Actually, the sandboxing in javascript is very effective
Really? Let's compare it with the sandbox that we all use most often: the process. This is a hardware-assisted sandbox that prevents a bit of running code from interacting with the system without going via a designated arbiter (i.e. the kernel). The JavaScript sandbox is a pure-software sandbox that prevents a bit of running code from interacting with the system without going via a designated arbiter (i.e. the browser).
Now, compare the number of vulnerabilities that allow JavaScript to escape from th
Re: (Score:2)
Plus there's the whole issue of JavaScript/Flash constantly being used as an infection vector. So in the past few years it's become more about safety in blocking scripts than about blocking ads. I'm tired of cleaning off machines that were infected via ads or other JavaScript/Flash vectors.
Re: (Score:2)
Re: (Score:2)
Oi vey.
Have you ever heard of Firefox? AdBlock? NoScript?
Stop your whining and choose a solution.
Don't say you don't have a choice.
You do -- and right now, you are choosing your popups and ads and redirect problems.
They aren't many, but when I see people complain about ad-block and popups on articles -- and then read about people talking about nobody using adblock or noscript I gotta wonder -- what's wrong with these people.
Besides -- both firefox and IE block popups in the browser. What type of lame br
JavaScript needs to go. (Score:1, Insightful)
JavaScript has long outlived its usefulness. If the trend is to write large-scale applications targeting the browser, we should at least do it with a real programming language, not a half-baked scripting language that was stuck into Netscape Navigator as a hack 15 years ago.
Google, Opera, Apple and Mozilla need to get languages like Python, Ruby, Scheme and Erlang available in the browser. You know, real languages with the features necessary to write larger and more secure applications. We should stop jerki
Scheme (Score:1)
The language originally proposed for Netscape Navigator, before "needs to become popular" and "remind people of Java" ruled it out.
Comment removed (Score:5, Interesting)
Re: (Score:2)
JavaScript itself is not the problem, even if "use strict" would come in handy.
Allowing people to execute arbitrary code on your machine has always been a bad idea. When we have to build multiple sandboxes around it to prevent it from doing things that the end user doesn't want it to do then clearly it's broken by design.
Re: (Score:2)
It's not the language at fault, it's the design of the architecture. The same architecture design would have the same flaws even if Erlang or Python was used instead of Javascript.
Re: (Score:2)
Don't waste your breath, those language fanboys cannot be bothered with actually understanding that it is the RT environment that is the problem, not the language.
Re: (Score:2)
So virtually any binary executable is a bad thing? Or am I misunderstanding what you're saying?
Re: (Score:2)
Potentially. Would you like it if your browser downloaded and ran arbitrary exes when you visited a website?
Re: (Score:2)
My point is that every time you download a binary blob of anything, you are potentially allowing people to execute arbitrary code (I say potentially as more and more OSes have fine-grained control over what programs can actually do, so unlike in e.g. the DOS days, a binary isn't as free to do anything at all as it used to be). I mean even with a program like Firefox, I've looked at the source code maybe a handful of times...there could be anything in there. It could be phoning home and downloading botnet instr
Re: (Score:2)
Re: (Score:1)
Honestly, I've just never understood why I'd want to run a whole program inside my web browser.
Re: (Score:1)
Affirmative, nor do I like emacs style interfaces.
Re: (Score:2)
Livescript (Score:2)
I don't recall anything Scheme related in Navigator.
Livescript is now Javascript.
Re: (Score:2)
Do you even know anything about this language beyond status bar text scripts and document.write? ECMAScript, the actual language we're speaking about (as opposed to the language/standard library combo JS actually is) is a sophisticated mix of functional (good for event-driven code) and procedural (good for general-purpose code) programming features augmented with prototype-based OOP (allows for a decent DOM implementation). The design is not as good as Python's (IMHO), but it's second to it in allowing pro
Who the F*** has javascript turned on their mail? (Score:4, Insightful)
Like, wow... just wow.
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?
Anyone using most email clients? (Score:4, Interesting)
Re: (Score:2)
Don't most email clients let you turn off HTML rendering in received messages?
Re: (Score:3, Informative)
In this case the email client is the web browser. I'm not sure if gmail allows you to disable HTML in the emails you receive.
Re: (Score:2, Funny)
I'm quite certain that it would be counterproductive to turn off HTML rendering in the most popular email client for gmail: The web browser.
Re: (Score:2)
Don't most email clients that display html format messages use one of the popular rendering engines, like Webkit? Presumably the html portion of the message is just passed to the rendering engine and the javascript magic happens
Which is exactly why I ONLY view my e-mail in plain text. If your message has anything other than plain text then it better be a MIME attachment that I can validate BEFORE I open it.
HTML (et al.) are just bolted onto e-mail and it shows. If you want your e-mail to be slow loading, poorly-formatted, tons of obnoxious graphics, and full of unnecessary data then by all means turn on the HTML-in-e-mail features in your e-mail client. Just don't expect me to read it if that client doesn't send me a e-mail that g
Re: (Score:2)
Re: (Score:2)
Probably the same people who thought it would be a good idea to allow javascript to run in a browser.
Heyoooooo
Re: (Score:2)
Re: (Score:2)
You have to open an email to access the javascript.
And if I do not necessarily want Javascript to run on a page I explicitly go to? What are my options? Disable Javascript of course!
Luckily for most people - Javascript is defaultly* disabled in most email clients, so the only reason this would be a threat is if it's misconfigured.
*I think I just made that word up. I love English, you can form new words and people will still understand your message.
Re: (Score:1)
*I think I just made that word up. I love English, you can form new words and people will still understand your message.
Well, I guess that's more common than you think
The word 'defaultly' [ancestry.com], I meant. :D
Re: (Score:3, Insightful)
Re:Who the F*** has javascript turned on their mai (Score:5, Informative)
Re: (Score:3)
This is a BUG in Gmail's code, not the user's fault
LOL no. I've been getting these spams for a week or so now. It looks like the usual undeliverable mail message, "see attachment for details", but instead of the attachment being an email message it's an HTML file. So the user clicks on Returned Mail.html and goes wherever the javascript takes them.
Re:Who the F*** has javascript turned on their mai (Score:5, Informative)
I just tested this. I sent a message to my Hotmail box with an HTML file as attachment. The HTML file contains a single script tag with document.location = 'http://google.com' inside. I opened the mail and opened the attachment. Internet Explorer asks if I want to save "test.html" or open it. This should ring bells big time but I understand that a normal user doesn't get it and goes and opens the attachment. So I went and clicked Open and was redirected to google.com.
Now if I save the file and try to open it from the local folder I get a nice yellow warning bar telling me that the file contains An Evil Script and if I really, really want to open it I must explicitly allow the script to run. If I go and allow the script then I'm at google.com again.
It seems that this is a simple, direct and rather effective attack against Joe Averages who just want to get rid of the stupid warning dialogs and open up everything that is sent to them. If Google can come up with a generic solution for this, other than trying to rip off every HTML tag from the mails and their attachments, I really applaud them.
Maybe the browser shouldn't be allowed to be redirected outside the current domain by default? But then again, there would have to be warning dialog for that and Joe Average would still be out of luck.
Re: (Score:2)
And then you will have to determine how to comment it in some obfuscated sequence of comments, quotes and escapes that may or may not be formally valid and may or may not produce consistent results in multiple rendering engines.
Re: (Score:2)
You're right. It would be a horrible piece of script/code to write so that it a) removes all the Evil tags 100% and b) doesn't mess up any legit tag. I can think of only one way to achieve this: the server itself would have to run the attachment(s) in a sandbox with multiple browsers and check if there's anything suspicious going on. I think it would kill the server.
Re: (Score:2)
That would require a huge amount of resources, far beyond anything used by existing mail services, webmail or otherwise. A much more sane approach would be to process everything with a very simple HTML parser that only recognizes "legitimate" tags and stylesheets, extract and sanitize all text, then re-assemble the document using completely different tags and stylesheet, throwing away everything that is not text and marking all links in the same way Slashdot does it in comments. The "original" document can be
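The parse-and-rebuild sanitizer this comment sketches, as an added Python example (not code from the thread, from Google or from any mail provider). The tag allowlist, the "[host]" link marking modeled on how Slashdot annotates comment links, and the set of accepted URL schemes are assumptions. The point it shows is that tokenizing the input and re-emitting only allowlisted tags with no attributes leaves nowhere for a script element, an event-handler attribute, a javascript: link or a comment-hidden payload to survive, which also addresses the obfuscation concern raised a few replies up.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: only these tags are re-emitted, and never with attributes.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "blockquote"}
# Elements whose entire content is discarded, not merely the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "object", "embed", "iframe", "noscript", "svg"}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https"}


class RebuildingSanitizer(HTMLParser):
    """Tokenize untrusted HTML and rebuild it from scratch using only ALLOWED_TAGS.

    Comments, declarations and attributes are never copied, so an event handler,
    a javascript: URL or a script hidden in an HTML comment has nowhere to survive.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # rebuilt document fragments
        self.open_tags = []    # allowed tags currently open, for well-formed output
        self.skip_depth = 0    # > 0 while inside a DROP_CONTENT element
        self.link = None       # (href, [text]) while inside an <a>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
        elif tag == "a":
            self.link = (dict(attrs).get("href") or "", [])
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)
        # any other tag is dropped; its text content is still kept

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag == "a" and self.link is not None:
            href, parts = self.link
            self.link = None
            self.out.append(self._render_link(href, "".join(parts)))
        elif tag in self.open_tags:
            # Close everything down to the matching tag so the output nests properly.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth:
            return
        if self.link is not None:
            self.link[1].append(data)
        else:
            self.out.append(escape(data))

    def _render_link(self, href, text):
        """Mark links the way Slashdot comments do: anchor text plus a visible [host]."""
        url = urlsplit(href.strip())
        label = escape(text.strip()) or escape(href)
        if url.scheme.lower() not in SAFE_SCHEMES or not url.netloc:
            return label  # javascript:, data:, mailto: and relative targets become plain text
        return (f'<a href="{escape(href, quote=True)}" rel="nofollow noreferrer">'
                f"{label}</a> [{escape(url.hostname or '')}]")

    def close(self):
        super().close()
        if self.link is not None:           # unterminated <a>
            href, parts = self.link
            self.link = None
            self.out.append(self._render_link(href, "".join(parts)))
        while self.open_tags:               # unterminated allowed tags
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_html(untrusted: str) -> str:
    """Return a rebuilt document containing only text and ALLOWED_TAGS."""
    parser = RebuildingSanitizer()
    parser.feed(untrusted)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: an NDR-style lure with an inline redirect script.
    lure = ('<html><body onload="go()"><p>Delivery failed.<script>'
            'document.location="http://pharma.invalid/"</script></p>'
            '<a href="javascript:go()">See attachment</a> '
            '<a href="http://example.com/report">report</a><!-- <script>x()</script> -->'
            '</body></html>')
    print(sanitize_html(lure))
```

Because the output is generated from the parser's own token stream rather than copied from the input, a stylesheet or layout of the sender's choosing never reaches the reader; that is the trade-off the comment accepts in exchange for not having to enumerate every evil construct.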
Re: (Score:2)
yes but it's not JS in the actual message that is causing problems, it's the HTML attachments (with JS). The message can look all fine but when you open the HTML attachment all the nasty scripts are run.
Re: (Score:2)
In email there is no fundamental difference between "message" and "attachments" -- email may be single-part or multi-part, and parts may be of various types identified by MIME headers. Mail readers display text and HTML parts of the message (or only first such part) as the "message" and everything else as "attachments", however it's up to the mail client (or webmail server) to choose how and what to show to the user.
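The point made above, that body and "attachment" are just MIME parts distinguished by headers, is easy to see with Python's standard email library. As an added example (not code from the thread, Google or Postini), the script below builds a constructed message shaped like the fake delivery notification described earlier in the thread, walks every leaf part regardless of its Content-Disposition, and flags HTML-looking parts that carry script markers. The addresses, the pharma.invalid host, the filename and the marker regular expression are assumptions; the regular expression is a triage heuristic, not a parser.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed triage heuristic: markers of active content in any HTML-looking part.
# It surfaces parts for a policy decision (quarantine, strip, rewrite); it does
# not prove a part harmless.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|javascript\s*:|vbscript\s*:|\bon[a-z]+\s*=|<\s*(?:iframe|object|embed)\b",
    re.IGNORECASE,
)
HTML_SUFFIXES = (".htm", ".html", ".xhtml", ".shtml")


def build_sample_ndr() -> bytes:
    """Constructed sample shaped like the fake 'Delivery Status Notification' lure:
    a harmless text body plus an HTML attachment whose only job is to redirect."""
    msg = EmailMessage()
    msg["Subject"] = "Delivery Status Notification (Failure)"
    msg["From"] = "Mail Delivery Subsystem <mailer-daemon@example.invalid>"
    msg["To"] = "myself@example.invalid"
    msg.set_content(
        "This is an automatically generated Delivery Status Notification\n"
        "Delivery to the following recipient has been delayed:\n"
        "    myself@example.invalid\n"
        "Attached is the returned message.\n"
    )
    lure = ('<html><body><script>document.location="http://pharma.invalid/";</script>'
            "Returned message follows.</body></html>")
    msg.add_attachment(lure, subtype="html", filename="Returned Mail.html")
    return msg.as_bytes()


def build_clean_message() -> bytes:
    """Constructed plain-text message with no HTML parts at all."""
    msg = EmailMessage()
    msg["Subject"] = "lunch?"
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg.set_content("Noon at the usual place?\n")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """Walk every leaf part, body and 'attachment' alike, and report HTML parts
    that carry active-content markers. Returns one dict per flagged part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no payload of their own
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        # The declared type and the filename are both untrusted; either one can
        # make a client render the part as HTML, so check both.
        looks_like_html = ctype == "text/html" or filename.lower().endswith(HTML_SUFFIXES)
        if not looks_like_html:
            continue
        body = part.get_content()         # str for text/*, bytes for anything else
        if isinstance(body, bytes):
            body = body.decode("utf-8", errors="replace")
        hits = sorted({m.group(0).lower() for m in ACTIVE_CONTENT.finditer(body)})
        if hits:
            findings.append({
                "content_type": ctype,
                "filename": filename,
                "disposition": part.get_content_disposition() or "inline",
                "active_content": hits,
            })
    return findings


def is_suspicious(raw: bytes) -> bool:
    return bool(scan_message(raw))


if __name__ == "__main__":
    for label, raw in (("ndr lure", build_sample_ndr()), ("clean", build_clean_message())):
        print(label, scan_message(raw))
```

Note that the flagged part is reported with disposition "attachment" only because of its Content-Disposition header; the same text/html part declared inline would be displayed as the message body by most clients and is scanned identically here, which is the comment's point.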
Re: (Score:2)
> That's because IE's javascript engine treats javascript executed from the computer with extra privileges over javascript executed from the "Internet Zone".
Used to be you could modify that, not sure how it is like after Vista and Windows 7.
See this: How To Add 'My Computer' As the Fifth Internet Explorer Security Zone
http://support.microsoft.com/kb/555599 [microsoft.com]
http://support.microsoft.com/kb/315933 [microsoft.com]
If you make the security settings strict it breaks some Windows Explorer stuff in XP's "webview" mode. But it wor
Re: (Score:2)
Yes, I know that. I was talking from the point of Joe Average who doesn't know a s**t. And my point was, you can add extra layers, warning dialogs and yellow warning bars as many as you like for these kinds of attacks but still you have to give the user the option just to run those scripts. Someone eventually runs them and the attacker has won.
Re: (Score:1)
So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?
Software engineers who are even dumber than the users.
Re:Who the F*** has javascript turned on their mai (Score:5, Insightful)
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
As always, this sentiment annoys me.
Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune. No one is born knowing "I should not enable javascript in my e-mail." If this slipped through google, who I expect to be better than the average user, who the hell are you to say the average user should have known better and deserves it?
Re: (Score:2)
Does that mean that no one deserves fortune either? Or if people deserve things because of actions they take, if someone deserves fortune because they worked hard, doesn't that suggest that the lazy and ignorant deserve misfortune?
Re: (Score:2)
Does that mean that no one deserves fortune either?
It does not mean that, no.
Re: (Score:2)
Fortune is due to many things, the actions you take are but one aspect. Therefore, it is a flawed assumption that fortune is something you deserve solely because of the actions you take.
Also, there is a difference between rewarding someone for contributing to society (aka, earnin
Re: (Score:2)
if someone deserves fortune because they worked hard, doesn't that suggest that the lazy and ignorant deserve misfortune?
I suppose that's your implication. If someone deserves fortune because they work hard - that does not mean that someone who doesn't work hard doesn't also deserve fortune. Hate to be pedantic, but something being true does not mean the opposite is true. (Being good with my right hand does not mean being bad with my left, as there are people who are ambidextrous)
Re: (Score:2)
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
As always, this sentiment annoys me.
Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune. No one is born knowing "I should not enable javascript in my e-mail." If this slipped through google, who I expect to be better than the average user, who the hell are you to say the average user should have known better and deserves it?
One need not have any technical expertise to know what a free service from a profit-making enterprise ultimately will be worth. Anyone who expects a free service from a corporation which exists to make money to be anything other than shoddy is assured disappointment. That is something that any competent adult in a money-driven society should understand. No matter how many of the self-defined best and brightest are gathered together and no matter how slick they are at selling the idea that they are dedica
Re: (Score:2)
The javascript is in a file attached to the email. I've got dozens of them in my spam folder. Here's the entire content of one:
Subject: Delivery Status Notification (Failure)
From: Mail Delivery Subsystem [mailer-daemon@my domain]
Note: Forwarded message is attached.
This is an automatically generated Delivery Status Notification
THIS IS A WARNING MESSAGE ONLY.
Delivery to the following recipient has been delayed:
myself@my domain
Message will be retried for 2 more day(s)
Attached is
Re: (Score:2)
What's the point of JavaScript in e-mails anyways? For HTML e-mails?
Re: (Score:2)
Like, wow... just wow.
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
So wait, you are claiming that average Joe is supposed to automatically know better about technology than GOOGLE?!
And yet you are calling someone else stupid?! Wow, just wow
Re: (Score:2)
So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?
Netscape and Microsoft, in the mid-90s, when they were both known for hiring fresh grads based on GPA and driving away experienced developers who understood their own fallibility.
Google is not particularly innovative in their design errors or how they got them.
Nice way to hide a vulnerability ... (Score:3, Informative)
Instead, they played that down and used the "we are fighting JS attacks" phrase as if that was normal or common.
Failing to properly escape JS/HTML/CSS in a webservice is a MAJOR vulnerability.
Re: (Score:2)
"Fortunately, our spam traps were receiving these messages early, providing our engineers with advanced warning, which allowed us to write manual filters and escalate to our anti-virus partners quickly"
So - basically, it was being filtered to junk or spam, as most javascript enriched emails do.
"we are fighting JS attacks" is normal and common when you deal with a web service. All email clients (from Yahoo, to Hotmail to Gmail and beyond) disable javascript by default. Only if you are misconfigured would you be at risk. But Google basically now can filter out those emails based on their underlying code - so that if you WANT to run Javascript in your email, you won't be hit by this attack.
Re:Nice way to hide a vulnerability ... (Score:4, Informative)
WTF? (Score:1, Insightful)
If your email client even knows how to execute Javascript (let alone makes decisions about whose scripts to trust and whose not to), then you're doing something wrong.
What's next, are people going to start building javascript interpreters into grub, iwconfig, pvcreate and ionice?
Re: (Score:2)
Pedantic (Score:3, Informative)
If Google is responding to existing attacks, wouldn't they be going on the defensive?
Disable active content already! (Score:1, Insightful)
It's what I keep repeating time and again. Active content (Javascript, Flash, Java, ActiveX (ick!)) is a very bad idea in a browser (an even worse idea in a mail reader). It's like having a gullible ward at the front door, willing to execute whatever instructions a complete stranger gives them.
Fuck "rich web experience". Rich means here "rich in exploits", nothing else.
And every "sandbox", "security container", whatnot -- just leads to a "Gödel, Escher, Bach"-style arms race [wikipedia.org].
I have a dream. That people
Amazing (Score:3, Funny)
Re:Amazing (Score:4, Funny)
You're telling me! I damned near broke my wrist last week!
I'm still waiting for... (Score:3, Insightful)
...an effective attack vector against mutt.
Postini is NOT GMail (Score:3, Informative)
Because of the confusion that seems rampant...
Postini is an anti-spam/anti-virus mail filtering service that sits between your mail system and the internet. Companies (mostly) use it to stop malicious emails getting into their internal mail systems. GMail is a web-mail system which is probably protected by Postini also since Google owns both.
Re: (Score:3, Informative)
Because of the confusion that seems rampant...
Postini is an anti-spam/anti-virus mail filtering service that sits between your mail system and the internet. Companies (mostly) use it to stop malicious emails getting into their internal mail systems. GMail is a web-mail system which is probably protected by Postini also since Google owns both.
Interestingly enough, Gmail doesn't use Postini unless you purchase Google Apps Premier and enable Postini for GApps Gmail. Gmail by itself uses its own independently developed anti-spam technology. This is straight from the horse's mouth @ Google Enterprise Support.
plain text (Score:4, Insightful)
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
And half the guys involved in running the scripts are pretending to be women.
Re: (Score:2)
Re: (Score:2)
Tell me about it, it doesn't even pass tokenization!
Just been hit (Score:1)