Google Fixes Chrome 'Evil Cursor' Bug Abused by Tech Support Scam Sites (zdnet.com) 56
Google has patched a Chrome bug that was being abused in the wild by tech support scammers to create artificial mouse cursors and lock users inside browser pages by preventing them from closing and leaving browser tabs. From a report: The trick was first spotted in September 2018 by Malwarebytes analyst Jerome Segura. Called an "evil cursor," it relied on using a custom image to replace the operating system's standard mouse cursor graphic. A criminal group that Malwarebytes called Partnerstroka operated by switching the standard OS 32-by-32 pixels mouse cursor with one of 128 or 256 pixels in size. A normal cursor would still appear on screen, but in the corner of a bigger transparent bounding box. [...] The "evil cursor" fix is currently live for Google Canary users, and is scheduled to land in the Chrome 75 stable branch, to be released later this spring.
de facto standard (Score:4, Funny)
I'm so happy that Chrome is the new Internet Explorer. Looks at all of the great reasons to use Chrome.
Re: (Score:1)
Browsers support custom mouse cursor images for the sake of web games and to allow browsers to build immersive experiences
Bullshit. There is ZERO reason for a website to fuck with your cursor. Fuck you and your "web games" and "immersive experience" bullshit.
so disallowing over-sized cursors wasn't an ideal solution
No, preventing websites from fucking with your cursor is EXACTLY the right solution.
as it would have negatively impacted thousands of sites, if not more.
Oh, boo-fucking-ho. If you can't do things with a normal cursor you need to fuck off and die.
Re:de facto standard (Score:4, Insightful)
Win32 apps change your cursor. And it's functional, not just cute crap. A web-based photo editor needs dragging handles, I-beam cursor, brush size indication, etc. The problem isn't the existence of the feature.
Re: (Score:2)
[Expletive] you and your "web games" and "immersive experience" [nonsense].
In what way would a reasonable person consider a "SORRY! This game is not yet available for your platform." screen superior to a web game?
Re: (Score:2)
Good games run locally, at least in large part
Provided that 1. the game is ported to your platform (it often isn't, particularly for minority platforms like X11/Linux and macOS) and 2. you have permission from the device's owner or in some cases the device's manufacturer to install the game (a user often doesn't).
Re: (Score:2)
A huge LOL at everyone even thinking Google did something to improve online games.
Their business depends on Ads. Some Ad agency called them and said "we need huge ass cursors for our new Ad masterpiece", and Google rushed to comply.
You can have fun reading their public emails on the thousands of cases that they were required to provide emails as evidence, and I guarantee you will find one department's mass-email congratulating team so and so for the win of enabling big ass cursors on Chrome and unlocking ma
Re: (Score:3)
I'm so happy that Chrome is the new Internet Explorer. Looks at all of the great reasons to use Chrome.
Actually this exact same exploit should work fine in IE too, including really old versions back to IE6 if not further.
Re: (Score:3)
How do you know when you're at a resizable corner of an object? Your cursor changes. Designing web based software, you need these sorts of things as part of your visual language. The only thing that needs fixed is the security of it.
Re: (Score:1)
Designing web based software, you need these sorts of things as part of your visual language.
No. Just fucking NO
System-defined resize cursor (Score:2)
How do you know when you're at a resizable corner of an object? Your cursor changes
Ideally, one of the following would be the case:
A. The user hasn't yet whitelisted JavaScript on the domain and therefore the site neither knows nor cares where the user is "at".
B. The user has whitelisted JavaScript on the domain but not site-supplied cursor images. The site changes the cursor to a system-defined resize cursor, not an image supplied by the site.
C. The user has whitelisted cursor theming for this site. This would rarely happen except for games.
Re: (Score:2)
Cursor can also be set by CSS
Re: (Score:2)
If an HTML document on a given domain is using CSS to set a cursor, but the user hasn't opted in to showing site-supplied cursors on that domain, it would start in state B.
Re: (Score:1)
The problem here is fully custom pointers. It's highly unlikely any non-game "web-based software" would be significantly affected by being restricted to only the non-url forms of this [mozilla.org].
Your software can have access to system standard cursors without a security issue.
Re: (Score:2)
The problem here is people.
FTFY.
Re: (Score:2)
Paint brushes with variable size and hardness.
Chat, Web 1.0 style (Score:2)
It's time to start teaching them the opposite lesson. Turn it off. If a site is broken that way when all it had to do was show you some text and pictures, or link to a video or two, that site was not your friend.
Without script, how would an HTML document representing a chat channel pull in new messages? As far as I can tell, it'd need to rely on an iframe that sends <meta http-equiv="refresh" content="10;url=http://example.com/" /> which would cause an annoying flash every 10 seconds as the entire message pane reloads from scratch.
Or would you instead prefer that the website offer a companion native app? Some sites do, but rarely for all relevant platforms (Windows, macOS, X11/Linux AMD64, X11/Linux ARM, iOS
Re: (Score:2)
Yeah, we actually don't want applications to run in web browsers. That's what you need to wrap your head around.
Re: (Score:2)
Have a perfectly good chat system that runs locally and beats the shit out of whatever your "web chat" is doing. It works with every OS I've ever heard of.
How does a small team go about making "a perfectly good chat system that runs locally" on all desktop and mobile operating systems? And how do prospective users go about obtaining permission to install "a perfectly good chat system that runs locally" on the computers that they use?
Re: (Score:3)
Re:WTF? (Score:5, Informative)
Average users? Not so much. Not everyone grew up in the Win3.1 era where keyboard shortcuts were pretty much required to do anything meaningful in the OS.
Re: (Score:2)
Gets me out. Every time.
Misconceptions (Score:4, Insightful)
Re: (Score:1)
Ah, there's two different issues:
1. Allowing the application/css to choose from a selection of approved cursors (e.g., resize, zoom-in, i-beam, hand, arrow); and
2. Allowing the application/css to load any arbitrary SVG/PNG file and use that as a cursor.
Restricting (web) application to the cursors that have been set in Windows Mouse settings (i.e., allowing option one) is fine by me. Option two is where the trouble lies.
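The distinction drawn in the comment above (system-defined cursors versus site-supplied images), as an added example that is not part of the original thread and is not Chrome's actual fix: a JavaScript function that takes the value of one CSS `cursor` property, drops every `url(...)` image entry and keeps only a standard keyword. The names `splitTopLevel` and `restrictCursor` and the sample values are constructed for illustration.

```javascript
// Added example: enforce "system cursors only" on a single CSS cursor value.
// Standard CSS cursor keywords (the non-url forms of the property).
const SYSTEM_CURSORS = new Set([
  "auto", "default", "none", "context-menu", "help", "pointer", "progress",
  "wait", "cell", "crosshair", "text", "vertical-text", "alias", "copy",
  "move", "no-drop", "not-allowed", "grab", "grabbing", "all-scroll",
  "col-resize", "row-resize", "n-resize", "e-resize", "s-resize", "w-resize",
  "ne-resize", "nw-resize", "se-resize", "sw-resize", "ew-resize",
  "ns-resize", "nesw-resize", "nwse-resize", "zoom-in", "zoom-out",
]);

// Split on top-level commas only; commas inside url(...) or quotes
// (for example in a data: URI) must not split an entry.
function splitTopLevel(value) {
  const parts = [];
  let depth = 0, quote = null, current = "";
  for (const ch of value) {
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === "(") {
      depth++;
    } else if (ch === ")") {
      depth = Math.max(0, depth - 1);
    }
    if (ch === "," && depth === 0 && !quote) {
      parts.push(current.trim());
      current = "";
    } else {
      current += ch;
    }
  }
  parts.push(current.trim());
  return parts;
}

// Keep the first system keyword; report every site-supplied image entry
// that was dropped. Falls back to "auto" when no keyword is present.
function restrictCursor(value) {
  const kept = [], removed = [];
  for (const part of splitTopLevel(value)) {
    const token = part.toLowerCase();
    if (SYSTEM_CURSORS.has(token)) kept.push(token);
    else if (part) removed.push(part);
  }
  return { value: kept[0] || "auto", removed };
}
```

The `removed` list is worth logging: a page that supplies a cursor image with a hotspot far from the visible pointer is the pattern the story describes.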
"locked in a browser tab"? (Score:3)
"...and lock users inside browser pages by preventing them from closing and leaving browser tabs."
Ummm, is it soooo hard to use CTRL-F4 to close a tab on Windows or Linux?
Locked in a browser tab, oh noes! So scary.
Re: (Score:2)
Why the snark? Do you get off on making other people feel small?
If people don't understand what's going on it can be worrying or worse. I suspect from your ID (if not your handle) that I may have been programming in assembler and using multiple OSes since before you were born, and don't happen to know that hot-key sequence.
Re: (Score:2)
Maybe Windows is not all I (or these other people) use or do all day so why should we happen to remember obscure commands for the least nice and most flaky ones?
Can you tell me the equivalent for (say) CP/M, MP/M, the BBC Micro and a bunch of very common home computers, several mainframe OSes including some uni homebrews, several dozen flavours of UNIX with varying terminal settings since the 80s, Mac OS up to 9 and the current macOS, etc, etc? Plus embedded systems of various types from the 80s onwards?