Google Goes On Offensive vs. JavaScript Attacks

CmdrTaco posted more than 4 years ago | from the isn't-most-javascript-offensive dept.

alphadogg writes "Google's e-mail security team has updated its Postini engine to stop a new type of JavaScript attack that helped fuel a rise in spam volume in recent months. Google says it has seen a surge in obfuscated JavaScript attacks, describing them as a hybrid between virus and spam messages. The e-mails are designed to look like legitimate messages, specifically Non Delivery Report messages, but contain hidden JavaScript. 'In some cases, the message may have forwarded the user's browser to a pharma site or tried to download something unexpected,' Google said in its official blog."

108 comments

JS in email text? (4, Insightful)

mapkinase (958129) | more than 4 years ago | (#32966190)

User should just have an option to execute or not JS in the email text. Problem solved.

Re:JS in email text? (4, Insightful)

yincrash (854885) | more than 4 years ago | (#32966288)

What legitimate reason is there to accept JS? Your friend isn't going to send you javascript, and a mailing list that uses HTML still has to cater to as many clients as possible which means they still use tables for layout.

Re:JS in email text? (4, Funny)

Monkeedude1212 (1560403) | more than 4 years ago | (#32966390)

Your friend isn't going to send you javascript

You clearly don't hang out with my group of friends.

Re:JS in email text? (2, Informative)

VGPowerlord (621254) | more than 4 years ago | (#32967016)

I hate to say it, but Cheap Canadian Online Pharmaceuticals is not your friend.

Re:JS in email text? (0)

Anonymous Coward | more than 4 years ago | (#32972544)

Take that back!

Re:JS in email text? (1)

mapkinase (958129) | more than 4 years ago | (#32967056)

Your manual analysis of the text of the email, the sender, using common sense. Whenever I get html-rich emails from my bank or other organizations, I am always able to parse the meaning of what I have to do in response just by looking at the plain text.

Re:JS in email text? (1)

Foolhardly (1773982) | more than 4 years ago | (#32966888)

Computers prompting user action in order to compute is never going to be the solution.

Re:JS in email text? (1)

Serious Callers Only (1022605) | more than 4 years ago | (#32967858)

Computers prompting user action in order to compute is never going to be the solution.

That's funny, ClickToFlash works well for me. If the desired default action is to not waste time/resources computing, it makes a lot of sense to require user input to enable something. Same goes for attachments in my mobile mail client - I click on them when I want to see them, otherwise, they're left un-downloaded.

In the case of javascript in emails, you'd have to think of a very good reason to make it worthwhile for me to turn it on - the attack surface opened up is just too great to justify having it on by default.

Insightful? Really? (1)

xant (99438) | more than 4 years ago | (#32969856)

Google doesn't want to execute JS in emails, and never did. Nobody should (nor does) allow JS in email afaik. The problem is the JS is executing *anyway*, despite Google's filters. They found a crack in the filtering and are exploiting it; not because *gmail* executes javascript but because *your browser* does.

Such an option would make email more vulnerable, not less, since some people would set it to "execute", when everyone should be "don't execute".

Re:Insightful? Really? (1)

martin-boundary (547041) | more than 4 years ago | (#32971790)

Exactly. The real problem is turning a browser into an email reading program. That's the downside of going from native apps for everything to the-browser-is-the-OS type thinking. It's only going to get worse.

Re:JS in email text? (1)

yuhong (1378501) | more than 4 years ago | (#32972200)

For example, OE can set HTML to execute in Restricted Zone, and I think it has been the default since 2002. And it not only disables JS, but also other nasty stuff too like I think ActiveX controls.

Re:JS in email text? (1)

yuna49 (905461) | more than 3 years ago | (#32976572)

MailScanner [mailscanner.info] has had the option of "disarming" scripts in email for years now.

Allowing scripts in email messages is as bad as allowing them in advertisements [slashdot.org] on web sites.

Don't want to post OT but... (2, Funny)

bannable (1605677) | more than 4 years ago | (#32966276)

...could this site have *any* more ads? Good lord, 15 seconds and there have already been THREE inline popup ads and a redirect ad, in addition to all the crap surrounding the article.

Re:Don't want to post OT but... (0)

Anonymous Coward | more than 4 years ago | (#32966338)

...could this site have *any* more ads? Good lord, 15 seconds and there have already been THREE inline popup ads and a redirect ad, in addition to all the crap surrounding the article.

What are these "ads" things that you refer to? Never seen any.

Re:Don't want to post OT but... (0)

Anonymous Coward | more than 4 years ago | (#32966896)

He must be new...

Re:Don't want to post OT but... (1)

Ashriel (1457949) | more than 4 years ago | (#32969620)

What are these "ads" things that you refer to? Never seen any.

I think ads are these things (images? blocks of text?) that Internet Explorer puts into webpages to annoy and distract their users. I could be wrong, though - I've never seen them either, since I don't use Microsoft products.

Re:Don't want to post OT but... (2, Funny)

BJ_Covert_Action (1499847) | more than 4 years ago | (#32966364)

Well, it is a story about Google. =P

Re:Don't want to post OT but... (3, Funny)

Anonymous Coward | more than 4 years ago | (#32966370)

Don't worry, you were completely on topic, even if you didn't know it. The topic is disabling javascript to prevent bad things on the Internet.

Re:Don't want to post OT but... (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32966426)

This story is aimed at people who already use NoScript, so that's why they don't feel bad about layering them in there.

NoScript user (0)

Anonymous Coward | more than 4 years ago | (#32967944)

Yeah, I didn't notice anything odd, though it seems NoScript was blocking content from a lot of sources.

Re:Don't want to post OT but... (1)

guruevi (827432) | more than 4 years ago | (#32967438)

I think you might have some more issues with your computer then. I have never seen any intrusive ads on Slashdot, definitely no popup ads. Actually, at this point I don't have any ads.

Re:Don't want to post OT but... (1)

selven (1556643) | more than 4 years ago | (#32967748)

You could try any of the following:

1) Check the "disable advertising" box on the main page
2) Adblock (I heard the Chrome one got a lot better very recently)
3) Privoxy
4) Lynx, wget, etc.
5) Go outside for a change

Re:Don't want to post OT but... (3, Insightful)

kdemetter (965669) | more than 4 years ago | (#32967864)

Going outside doesn't really help: plenty of ads there, and adblock doesn't work on them.

Re:Don't want to post OT but... (1)

avhell (924329) | more than 4 years ago | (#32969384)

Going outside doesn't really help: plenty of ads there, and adblock doesn't work on them.

Not necessarily true (somewhat). [boingboing.net]

Re:Don't want to post OT but... (1)

mcgrew (92797) | more than 4 years ago | (#32968198)

I see this is the only website you ever visit. Go to any newspaper site and the ads will make your eyes bleed. ...hmmm, maybe I should log out and look at it, I'm probably not seeing all the ads here.

Re:Don't want to post OT but... (0)

hairyfeet (841228) | more than 4 years ago | (#32968750)

Noscript+ABP = happiness and joy for one and all! As for TFA, I have been saying for years that JavaScript will end up (I would say it already has) as bad for security as ActiveX was back in the day. Running code from God knows where is NEVER a good idea! Sandboxes and all that crap are simply putting band aids on bullet wounds. What we need is a new language that is locked down and compartmentalized from the start, not these hacks like sandboxing.

Let's be honest folks: Neither ActiveX nor JavaScript were ever designed for all the jobs they end up doing, and bad hacks plus tons of malware writers equals badness times a thousand! It is time for the big guys: Apple, Google, MSFT, AMD, Intel, to get together and come up with something new. Perhaps a CPU/GPU "jail" combined with a locked down language?

Re:Don't want to post OT but... (1)

Ashriel (1457949) | more than 4 years ago | (#32969930)

Actually, the sandboxing in javascript is very effective, which has led to all sorts of hacks and add ons to the initial language to escape the sandbox - usually for legitimate reasons

Not saying that XSS isn't a real security issue, but that's not a flaw in javascript (XSS attacks are bound by the sandbox like any other bit of javascript), that's a case of not properly scrubbing user input, same as SQL injection.

Perhaps a CPU/GPU "jail" combined with a locked down language?

Actually, most of the big players are more concerned right now with how to relax restrictions on cross-domain scripting while maintaining some semblance of security. It's needed for more interactive web-apps, you see.

If you want more secure scripting, get a browser that doesn't support json or ajax. Better yet, just use NoScript like the rest of us, and laugh at all the IE fools.

Re:Don't want to post OT but... (1)

hairyfeet (841228) | more than 3 years ago | (#32973850)

I would love to know why I got modded down when this whole article is about Google having to lock down JavaScript in their email client. I use ABP and NoScript, but what I use doesn't matter. As the PC repair guy that has to deal with cleaning your aunt Edna's PC when she gets pwned, what matters is what happens when SHE surfs. And unfortunately when she surfs she is running IE or some other browser and thanks to JavaScript, along with Reader and Flash, she most likely WILL get infected. I mean when you type JavaScript malware and get over 12 MILLION [yahoo.com] hits in Yahoo? That tells me maybe another approach needs to be taken.

You yourself pointed out that the sandbox jails frequently have to be broken out of to do interesting JavaScript interactive websites, and that is my point. We should be able to develop a language that allows you to do those interactive websites easily without risking exploitation or risk to data on the underlying machine. JavaScript I believe just as ActiveX will be discarded in time, simply because the risks will continue to grow while the hacks like sandboxes will hamper legitimate website builders more and more. What we need is a new language built from the ground up to allow those cool websites without allowing exploitation. Perhaps using the stream processors built into every PC nowadays to render without allowing access to the underlying PC?

All I know is just by blocking JavaScript ads via ABP I cut down my customers' infection rate by a good 75%-85%. Now as you know those ads are required by many websites to stay afloat, but I can't in good conscience allow them. If more and more do as I do something has to give, and I believe what will eventually give will be JavaScript, for something built with security in mind.

Re:Don't want to post OT but... (1)

TheRaven64 (641858) | more than 3 years ago | (#32975552)

Actually, the sandboxing in javascript is very effective

Really? Let's compare it with the sandbox that we all use most often: the process. This is a hardware-assisted sandbox that prevents a bit of running code from interacting with the system without going via a designated arbiter (i.e. the kernel). The JavaScript sandbox is a pure-software sandbox that prevents a bit of running code from interacting with the system without going via a designated arbiter (i.e. the browser).

Now, compare the number of vulnerabilities that allow JavaScript to escape from the browser's sandbox to the number of vulnerabilities that allow processes to escape from your-kernel-of-choice's sandbox. What do you notice? That the browser actually does a piss-poor job compared to the kernel. Not only that, but the browser actually has an easier job of it, because it only has to support one source language (which doesn't permit things like pointer arithmetic) and can do source-language analysis before allowing the code to run.

Re:Don't want to post OT but... (1)

WuphonsReach (684551) | more than 3 years ago | (#32976546)

I prefer simply NoScript + FlashBlock. I don't care about ads that are well behaved and aren't scripted. I do care about ads that use JavaScript or Flash and act like temperamental two year olds hopped up on sugar.

Plus there's the whole issue of JavaScript/Flash constantly being used as an infection vector. So in the past few years it's become more about safety in blocking scripts than about blocking ads. I'm tired of cleaning off machines that were infected via ads or other JavaScript/Flash vectors.

Re:Don't want to post OT but... (1)

lpq (583377) | more than 3 years ago | (#32973918)

Oi vey.

Have you ever heard of Firefox? AdBlock? NoScript?

Stop your whining and choose a solution.

Don't say you don't have a choice.

You do -- and right now, you are choosing your popups and ads and redirect problems.

They aren't many, but when I see people complain about ad-block and popups on articles -- and then read about people talking about nobody using adblock or noscript I gotta wonder -- what's wrong with these people.

Besides -- both firefox and IE block popups in the browser. What type of lame browser are you using that doesn't block popups?

JavaScript needs to go. (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32966302)

JavaScript has long outlived its usefulness. If the trend is to write large-scale applications targeting the browser, we should at least do it with a real programming language, not a half-baked scripting language that was stuck into Netscape Navigator as a hack 15 years ago.

Google, Opera, Apple and Mozilla need to get languages like Python, Ruby, Scheme and Erlang available in the browser. You know, real languages with the features necessary to write larger and more secure applications. We should stop jerking around with JavaScript, a rather pathetic scripting language that has been pushed far past what it was ever intended to handle.

Scheme (1)

bjartur (1705192) | more than 4 years ago | (#32966374)

The language originally proposed for Netscape Navigator, before "needs to become popular" and "remind people of Java" ruled it out.

Re:Scheme (5, Interesting)

vbraga (228124) | more than 4 years ago | (#32966502)

JavaScript itself is not the problem, even if "use strict" would come in handy. The biggest problem is DOM and other associated APIs a JavaScript programmer must deal with. It's horrible. But along good practices (Crockford's Javascript The Good Parts comes to mind) it is a very nice language to deal with.

Take a look at Crockford's JavaScript: The World's Most Misunderstood Programming Language [crockford.com] for reference.

Re:Scheme (1)

0123456 (636235) | more than 4 years ago | (#32966880)

JavaScript itself is not the problem, even if "use strict" would come in handy.

Allowing people to execute arbitrary code on your machine has always been a bad idea. When we have to build multiple sandboxes around it to prevent it from doing things that the end user doesn't want it to do then clearly it's broken by design.

Re:Scheme (1)

amicusNYCL (1538833) | more than 4 years ago | (#32967186)

It's not the language at fault, it's the design of the architecture. The same architecture design would have the same flaws even if Erlang or Python was used instead of Javascript.

Re:Scheme (1)

FlyingGuy (989135) | more than 4 years ago | (#32967696)

Don't waste your breath, those language fanboys cannot be bothered with actually understanding that it is the RT environment that is the problem, not the language.

Re:Scheme (1)

Moridineas (213502) | more than 4 years ago | (#32967732)

So virtually any binary executable is a bad thing? Or am I misunderstanding what you're saying?

Re:Scheme (1)

imakemusic (1164993) | more than 3 years ago | (#32975786)

Potentially. Would you like it if your browser downloaded and ran arbitrary exes when you visited a website?

Re:Scheme (1)

Late Adopter (1492849) | more than 4 years ago | (#32967736)

Nonsense. There's nothing per-se wrong with Turing completeness, see things like Postscript and SVG. It's the APIs in and out of the interpreter, which admittedly is *very* easy to screw up (see things like PDF and Flash).

Re:Scheme (1)

bjartur (1705192) | more than 4 years ago | (#32968076)

Honestly, I've just never understood why I'd want to run a whole program inside my web browser.

Re:Scheme (0)

Anonymous Coward | more than 4 years ago | (#32972716)

Take it you're not an emacs fanboy either, then?

Re:Scheme (0)

Anonymous Coward | more than 4 years ago | (#32970862)

javascript isn't lisp. it has lots of lisplike stuff, but doesn't have macros.

Re:Scheme (1)

TheRaven64 (641858) | more than 3 years ago | (#32975558)

JavaScript functions are first-class closures. They are exactly as expressive as Lisp macros.

Livescript (1)

SpaceLifeForm (228190) | more than 4 years ago | (#32971608)

I don't recall anything Scheme related in Navigator.

Livescript is now Javascript.

Re:JavaScript needs to go. (1)

Enleth (947766) | more than 4 years ago | (#32972050)

Do you even know anything about this language beyond status bar text scripts and document.write? ECMAScript, the actual language we're speaking about (as opposed to the language/standard library combo JS actually is) is a sophisticated mix of functional (good for event-driven code) and procedural (good for general-purpose code) programming features augmented with prototype-based OOP (allows for a decent DOM implementation). The design is not as good as Python's (IMHO), but it's second to it in allowing programmers to write clever, concise code that does its job well. And the "standard library" that makes JS what it is, is actually DOM.

Unfortunately, the world is full of people who don't even know what functional or procedural programming means and write utter crap in JS, usually thinking that it looks similar to C, so it can be used like C (and it cannot be, because functional features will trigger "unexpected" behaviour), or not thinking at all. This doesn't mean that the language is bad. You could as well say that HTML and CSS are bad because millions of morons are abusing it constantly. But it's not HTML, CSS or JS that are bad. It's the countless "tutorials" written by morons for morons that perpetuate bad practices and monkey-like code copying without the tiniest thought about what the code actually does and how. I'm afraid, however, current technology doesn't let us make computers that stab people in the face for writing crap tutorials.

Who the F*** has javascript turned on their mail? (3, Insightful)

mark-t (151149) | more than 4 years ago | (#32966402)

Like, wow... just wow.

I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.

So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?

Anyone using most email clients? (3, Interesting)

name_already_taken (540581) | more than 4 years ago | (#32966520)

Don't most email clients that display html format messages use one of the popular rendering engines, like Webkit? Presumably the html portion of the message is just passed to the rendering engine and the javascript magic happens.

Re:Anyone using most email clients? (1)

FrostDust (1009075) | more than 4 years ago | (#32966794)

Don't most email clients let you turn off HTML rendering in received messages?

Re:Anyone using most email clients? (2, Informative)

amicusNYCL (1538833) | more than 4 years ago | (#32967206)

In this case the email client is the web browser. I'm not sure if gmail allows you to disable HTML in the emails you receive.

Re:Anyone using most email clients? (3, Funny)

JxcelDolghmQ (1827432) | more than 4 years ago | (#32967470)

I'm quite certain that it would be counterproductive to turn off HTML rendering in the most popular email client for gmail: The web browser.

Re:Anyone using most email clients? (1)

Graff (532189) | more than 4 years ago | (#32969134)

Don't most email clients that display html format messages use one of the popular rendering engines, like Webkit? Presumably the html portion of the message is just passed to the rendering engine and the javascript magic happens

Which is exactly why I ONLY view my e-mail in plain text. If your message has anything other than plain text then it better be a MIME attachment that I can validate BEFORE I open it.

HTML (et al.) are just bolted onto e-mail and it shows. If you want your e-mail to be slow loading, poorly-formatted, tons of obnoxious graphics, and full of unnecessary data then by all means turn on the HTML-in-e-mail features in your e-mail client. Just don't expect me to read it if that client doesn't send me an e-mail that gracefully falls back to a text-only version.

Re:Anyone using most email clients? (1)

TheRaven64 (641858) | more than 3 years ago | (#32975570)

Yes and no. When they pass the message off to the web rendering engine, they either set it to the 'really don't trust this' mode, requiring user intervention to load images and disabling scripts, or they strip these first. They used to just pass it straight off, but a string of email viruses in the late '90s put an end to this kind of stupidity.

Re:Who the F*** has javascript turned on their mai (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32966532)

Probably the same people who thought it would be a good idea to allow javascript to run in a browser.

Heyoooooo

Re:Who the F*** has javascript turned on their mai (1)

mark-t (151149) | more than 4 years ago | (#32966616)

Sure, but you have to explicitly go to a page to get the content of it... it isn't just sent to you without asking for it, like email is.

Re:Who the F*** has javascript turned on their mai (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32966816)

You have to open an email to access the javascript.

And if I do not necessarily want Javascript to run on a page I explicitly go to? What are my options? Disable Javascript of course!

Luckily for most people - Javascript is defaultly* disabled in most email clients, so the only reason this would be a threat is if it's misconfigured.

*I think I just made that word up. I love English, you can form new words and people will still understand your message.

Re:Who the F*** has javascript turned on their mai (1)

Mephistro (1248898) | more than 4 years ago | (#32973298)

*I think I just made that word up. I love English, you can form new words and people will still understand your message.

Well, I guess that's more common than you think

The word 'defaultly' [ancestry.com] , I meant. :D

Re:Who the F*** has javascript turned on their mai (2, Insightful)

Wiarumas (919682) | more than 4 years ago | (#32966566)

I'd assume a vast majority of people don't even know what javascript is let alone why it is potentially dangerous. Sometimes you have to consider your users - which sometimes means you have to consider the ignorant, non-technical masses (ie: email users). Sure, you can feed them to the wolves, but it will come back and bite you somehow.

Re:Who the F*** has javascript turned on their mai (5, Informative)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32966596)

Nobody is allowing javascript in emails. This is a BUG in Gmail's code, not the user's fault. You use a browser to see your email. Spammers managed to somehow escape JS code and pass it through all of google's filters and execute it in your browser.

Re:Who the F*** has javascript turned on their mai (2)

Qzukk (229616) | more than 4 years ago | (#32966808)

This is a BUG in Gmail's code, not the user's fault

LOL no. I've been getting these spams for a week or so now. It looks like the usual undeliverable mail message, "see attachment for details", but instead of the attachment being an email message it's an HTML file. So the user clicks on Returned Mail.html and goes wherever the javascript takes them.

Re:Who the F*** has javascript turned on their mai (4, Informative)

weicco (645927) | more than 4 years ago | (#32967176)

I just tested this. I sent a message to my Hotmail box with an HTML file as attachment. The HTML file contains a single script tag with document.location = 'http://google.com' inside. I opened the mail and opened the attachment. Internet Explorer asks if I want to save "test.html" or open it. This should ring bells big time but I understand that a normal user doesn't get it and goes and opens the attachment. So I went and clicked Open and was redirected to google.com.

Now if I save the file and try to open it from the local folder I get a nice yellow warning bar telling me that the file contains An Evil Script and if I really, really want to open it I must explicitly allow the script to run. If I go and allow the script then I'm at google.com again.

It seems that this is a simple, direct and rather effective attack against Joe Averages who just want to get rid of the stupid warning dialogs and open up everything that is sent to them. If Google can come up with a generic solution for this, other than try to rip off every HTML tag from the mails and their attachments, I really applaud them.

Maybe the browser shouldn't be allowed to be redirected outside the current domain by default? But then again, there would have to be warning dialog for that and Joe Average would still be out of luck.
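The pattern Qzukk and weicco describe above (a message posing as a non-delivery report whose attachment is an HTML file carrying script) can be checked for at the mail gateway. This is an added example, not part of the thread and not Google's or Postini's code; the sample messages, the example.test addresses and the quarantine/review/deliver policy are constructed assumptions.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

NDR_HINT = re.compile(r"delivery status notification|undeliver|returned mail|mailer-daemon", re.I)
HTML_NAMES = (".html", ".htm", ".xhtml", ".shtml")


class ActiveContentFinder(HTMLParser):
    """Collects markup that can run script or navigate the browser."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag in ("script", "iframe", "object", "embed"):
            self.hits.append(f"<{tag}> element")
        for name, value in attrs:
            # Browsers ignore whitespace and control characters inside a URL scheme.
            squeezed = re.sub(r"[\s\x00-\x1f]", "", value or "").lower()
            if re.fullmatch(r"on[a-z]+", name):
                self.hits.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src", "action") and squeezed.startswith("javascript:"):
                self.hits.append(f"javascript: URL in {name}")
            elif tag == "meta" and name == "http-equiv" and squeezed == "refresh":
                self.hits.append("meta refresh")


def part_text(part):
    """Decode a leaf MIME part to text, tolerating bad or unknown charsets."""
    raw = part.get_payload(decode=True) or b""
    try:
        return raw.decode(part.get_content_charset() or "utf-8", errors="replace")
    except LookupError:
        return raw.decode("latin-1")


def inspect_message(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    claims_ndr = bool(NDR_HINT.search(f'{msg.get("Subject", "")} {msg.get("From", "")}'))
    # A standards-shaped bounce (RFC 3464) is multipart/report with a
    # message/delivery-status part; the lookalikes carry an HTML file instead.
    report_type = str(msg.get_param("report-type") or "").lower()
    has_dsn = (msg.get_content_type() == "multipart/report"
               and report_type == "delivery-status"
               and any(p.get_content_type() == "message/delivery-status" for p in msg.walk()))
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        html_attachment = name.lower().endswith(HTML_NAMES) or (
            part.get_content_type() == "text/html"
            and part.get_content_disposition() == "attachment")
        if not html_attachment:
            continue
        finder = ActiveContentFinder()
        finder.feed(part_text(part))
        finder.close()
        findings += [f"{name or 'unnamed'}: {hit}" for hit in finder.hits]
    # Assumed policy: flag rather than try to strip tags, since obfuscated
    # markup may parse differently in each rendering engine.
    if findings and claims_ndr and not has_dsn:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"claims_ndr": claims_ndr, "has_dsn": has_dsn, "findings": findings, "verdict": verdict}


# Constructed sample: bounce lookalike with a scripted HTML attachment.
FAKE_NDR = """\
From: Mail Delivery Subsystem <mailer-daemon@example.test>
To: user@example.test
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Note: Forwarded message is attached.
--b1
Content-Type: text/html; charset="us-ascii"; name="Returned Mail.html"
Content-Disposition: attachment; filename="Returned Mail.html"

<html><body><SCRIPT>document.location = 'http://redirect.example.test/'</SCRIPT></body></html>
--b1--
"""

# Constructed sample: bounce with the RFC 3464 structure and no HTML file.
REAL_DSN = """\
From: Mail Delivery Subsystem <mailer-daemon@example.test>
To: user@example.test
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Delivery to the following recipient failed.
--b2
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.test

Final-Recipient: rfc822; nobody@example.test
Action: failed
Status: 5.1.1
--b2--
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", FAKE_NDR), ("genuine-shaped", REAL_DSN)):
        print(label, inspect_message(sample))
```

Many real bounces do not follow RFC 3464, which is why a missing DSN structure alone does not change the verdict here; only the combination with a scripted HTML attachment does.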

Re:Who the F*** has javascript turned on their mai (0)

Anonymous Coward | more than 4 years ago | (#32967388)

I would think that commenting out the tag would do it.

Re:Who the F*** has javascript turned on their mai (1)

Alex Belits (437) | more than 4 years ago | (#32970710)

And then you will have to determine how to comment it in some obfuscated sequence of comments, quotes and escapes that may or may not be formally valid and may or may not produce consistent results in multiple rendering engines.

Re:Who the F*** has javascript turned on their mai (1)

weicco (645927) | more than 3 years ago | (#32976050)

You're right. It would be a horrible piece of script/code to write so that it a) removes all the Evil tags 100% and b) doesn't mess up any legit tag. I can think of only one way to achieve this: the server itself would have to run the attachment(s) in a sandbox with multiple browsers and check if there's anything suspicious going on. I think it would kill the server.

Re:Who the F*** has javascript turned on their mai (0)

Anonymous Coward | more than 4 years ago | (#32967888)

I get a nice yellow warning bar telling me that the file contains An Evil Script and if I really, really want to open it I must explicitly allow the script to run.

That's because IE's javascript engine treats javascript executed from the computer with extra privileges over javascript executed from the "Internet Zone".

Re:Who the F*** has javascript turned on their mai (1)

TheLink (130905) | more than 4 years ago | (#32968274)

> That's because IE's javascript engine treats javascript executed from the computer with extra privileges over javascript executed from the "Internet Zone".

Used to be you could modify that, not sure how it is like after Vista and Windows 7.

See this: How To Add 'My Computer' As the Fifth Internet Explorer Security Zone
http://support.microsoft.com/kb/555599 [microsoft.com]
http://support.microsoft.com/kb/315933 [microsoft.com]

If you make the security settings strict it breaks some Windows Explorer stuff in XP's "webview" mode. But it works fine in classic mode. In my opinion the classic mode is less likely to be exploitable than the XP "webview" mode, and I'm the sort who prefers classic mode anyway :).

Re:Who the F*** has javascript turned on their mai (1)

weicco (645927) | more than 4 years ago | (#32968402)

Yes, I know that. I was talking from the point of Joe Average who doesn't know a s**t. And my point was, you can add extra layers, warning dialogs and yellow warning bars as many as you like for these kinds of attacks but still you have to give the user the option just to run those scripts. Someone eventually runs them and the attacker has won.

Re:Who the F*** has javascript turned on their mai (0)

Anonymous Coward | more than 4 years ago | (#32967226)

Postini does a lot more than Gmail.

Re:Who the F*** has javascript turned on their mai (1)

AnonymousClown (1788472) | more than 4 years ago | (#32966622)

So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?

Software engineers who are even dumber than the users.

Re:Who the F*** has javascript turned on their mai (0)

Anonymous Coward | more than 4 years ago | (#32967790)

Not dumb. Just naive. They may be brilliant developers or software engineers. It's hard to call someone like that dumb except in the way Scott Adams does in his Dilbert books (where he describes people as idiots in one or more fields). It is really that they were naive and trusting ("who would want to attack people" type thinking)... It's too bad they weren't right about that though.

Everyone using a JavaScript-based webmail client. (0)

Anonymous Coward | more than 4 years ago | (#32966648)

Uhh, everyone using a JavaScript-powered webmail system like GMail or Hotmail or Yahoo! Mail will be checking their mail with a JavaScript-enabled email client.

Yeah, that's right. Web apps fail yet again.

Re:Who the F*** has javascript turned on their mai (5, Insightful)

interkin3tic (1469267) | more than 4 years ago | (#32966862)

I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.

As always, this sentiment annoys me.

Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune. No one is born knowing "I should not enable javascript in my e-mail." If this slipped through google, who I expect to be better than the average user, who the hell are you to say the average user should have known better and deserves it?

Re:Who the F*** has javascript turned on their mai (1)

blueskies (525815) | more than 4 years ago | (#32968614)

Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune.

Does that mean that no one deserves fortune either? Or if people deserve things because of actions they take, if someone deserves fortune because they worked hard, doesn't that suggest that the lazy and ignorant deserve misfortune?

Re:Who the F*** has javascript turned on their mai (1)

interkin3tic (1469267) | more than 4 years ago | (#32969002)

Does that mean that no one deserves fortune either?

It does not mean that, no.

Re:Who the F*** has javascript turned on their mai (1)

Actually, I do RTFA (1058596) | more than 4 years ago | (#32969270)

Does that mean that no one deserves fortune either? Or if people deserve things because of actions they take, if someone deserves fortune because they worked hard, doesn't that suggest that the lazy and ignorant deserve misfortune?

Fortune is due to many things, the actions you take are but one aspect. Therefore, it is a flawed assumption that fortune is something you deserve solely because of the actions you take.

Also, there is a difference between rewarding someone for contributing to society (aka, earning a fortune through cleaning windows and saving money) and punishing them. One is sharing the benefits of their effort with them. The other is going out of your way to hurt them. If people weren't evil bastards, there would be no need for the JS security model. But they are. So, the bastards have to be stopped, because they make life worse for everyone around them. In the physical world we give some people guns and tell them to go stop the bastards. In the electronic world, the technically proficient have to stop them. It's simple specialization of labor.

Why is what you're saying any different from me saying "I can take anyone's stuff I want, and people who are too lazy and weak to protect it deserve the misfortune of me taking it."?

Re:Who the F*** has javascript turned on their mai (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32969396)

if someone deserves fortune because they worked hard, doesn't that suggest that the lazy and ignorant deserve misfortune?

I suppose that's your implication. If someone deserves fortune because they work hard - that does not mean that someone who doesn't work hard doesn't also deserve fortune. Hate to be pedantic, but something being true does not mean the opposite is true. (Being good with my right hand does not mean being bad with my left, as there are people who are ambidextrous)

Re:Who the F*** has javascript turned on their mai (1)

Qzukk (229616) | more than 4 years ago | (#32966918)

The javascript is in a file attached to the email. I've got dozens of them in my spam folder. Here's the entire content of one:
Subject: Delivery Status Notification (Failure)
From: Mail Delivery Subsystem [mailer-daemon@my domain]

Note: Forwarded message is attached.

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

Delivery to the following recipient has been delayed:

        myself@my domain

Message will be retried for 2 more day(s)

Attached is "Forwarded Message.html", which has the obfuscated javascript in it.

It's pretty obvious, most of these claim I tried to email myself and it bounced. There's a second variant that uses a random "recipient" address, and an attachment named "Delivery Status Notification (Failure).html"
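A mail-filter check for the pattern described in the comment above, as an added example that is not part of the original post or any vendor's filter: it flags a message whose subject claims to be a bounce but which is not structured as an RFC 3464 delivery status notification (`multipart/report` with a `message/delivery-status` part) and which carries an HTML attachment containing script. The sample message, its addresses, the subject patterns and the function names are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample modelled on the quoted message; all values are placeholders.
SAMPLE = """\
From: Mail Delivery Subsystem <mailer-daemon@example.test>
To: myself@example.test
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient has been delayed:
--b1
Content-Type: text/html; name="Forwarded Message.html"
Content-Disposition: attachment; filename="Forwarded Message.html"

<html><script>/* placeholder for obfuscated script */</script></html>
--b1--
"""

BOUNCE_SUBJECT = re.compile(r"delivery status notification|undeliver|returned mail", re.I)
ACTIVE_HTML = re.compile(r"<\s*script\b|javascript:", re.I)

def is_real_dsn(msg):
    """RFC 3464 DSNs are multipart/report with a message/delivery-status part."""
    return (msg.get_content_type() == "multipart/report" and
            any(p.get_content_type() == "message/delivery-status" for p in msg.walk()))

def scripted_html_attachments(msg):
    """Return the filenames of named HTML parts that contain script content."""
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm"))
        if name and is_html and not part.is_multipart():
            body = part.get_payload(decode=True) or b""
            if ACTIVE_HTML.search(body.decode("utf-8", "replace")):
                hits.append(name)
    return hits

def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    claims = bool(BOUNCE_SUBJECT.search(str(msg.get("Subject", ""))))
    real, scripted = is_real_dsn(msg), scripted_html_attachments(msg)
    return {"claims_bounce": claims, "real_dsn": real, "scripted_html": scripted,
            "suspicious": claims and not real and bool(scripted)}
```

A script-tag match only catches the attachment as long as the markup itself is not encoded, so treat a hit as one signal for quarantine rather than as a complete filter.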

Re:Who the F*** has javascript turned on their mai (1)

antdude (79039) | more than 4 years ago | (#32967970)

What's the point of JavaScript in e-mails anyways? For HTML e-mails?

Re:Who the F*** has javascript turned on their mai (1)

dissy (172727) | more than 4 years ago | (#32968394)

Like, wow... just wow.
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.

So wait, you are claiming that average Joe is supposed to automatically know better about technology than GOOGLE?!

And yet you are calling someone else stupid?! Wow, just wow

Re:Who the F*** has javascript turned on their mai (0)

Anonymous Coward | more than 3 years ago | (#32974956)

So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?

Annoyingly, the answer is businesses.

My boss wants to send spam, uh, I mean legitimate business emails that look exactly like our website. He wants all the same logos, menus and layout from our site to appear in our marketing emails. More specifically, he wants his javascript roll-out menus, he wants his Flash marketing panels, he wants his funky JQuery effects.

He wants his emails to look like this, and so do thousands of other bosses. These are the people with the money, so these are the people that Microsoft has to support, so those are the features that get put into email clients.

Conversely, these same people really don't care that their customers' email clients are insecure as a result of these features. That's the customers' problem. And again, Microsoft has historically gone with the money rather than doing the right thing.

And yes, I know there are other browsers and other email clients and other operating systems, but most people are still using these MS products, and as far as many bosses are concerned, it may as well be everyone using these products -- my boss doesn't care what the emails we send look like in any other software than Outlook. If it looks right on his screen, then it looks right on everybody's.

Nice way to hide a vulnerability ... (3, Informative)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32966560)

TFA should have read: "Google has found a vulnerability in its gmail code that could be used to execute arbitrary JS code in the user's browser".

Instead, they played that down and used the "we are fighting JS attacks" phrase as if that was normal or common.

Failing to properly escape JS/HTML/CSS in a webservice is a MAJOR vulnerability.

Re:Nice way to hide a vulnerability ... (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32966900)

"Fortunately, our spam traps were receiving these messages early, providing our engineers with advanced warning, which allowed us to write manual filters and escalate to our anti-virus partners quickly"

So - basically, it was being filtered to junk or spam, as most javascript enriched emails do.

"we are fighting JS attacks" is normal and common when you deal with a web service. All email clients (from Yahoo, to Hotmail to Gmail and beyond) disable javascript by default. Only if you are misconfigured would you be at risk. But Google basically now can filter out those emails based on their underlying code - so that if you WANT to run Javascript in your email, you won't be hit by this attack.

Re:Nice way to hide a vulnerability ... (3, Informative)

IamTheRealMike (537420) | more than 4 years ago | (#32966952)

No, the JavaScript is in an attachment. It's not being rendered by any email product.

WTF? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32966746)

If your email client even knows how to execute Javascript (let alone makes decisions about whose scripts to trust and whose not to), then you're doing something wrong.

What's next, are people going to start building javascript interpreters into grub, iwconfig, pvcreate and ionice?

Re:WTF? (1)

dbet (1607261) | more than 4 years ago | (#32968484)

For many, their email client is their web browser.

Pedantic (2, Informative)

amicusNYCL (1538833) | more than 4 years ago | (#32967488)

If Google is responding to existing attacks, wouldn't they be going on the defensive?

Disable active content already! (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32967500)

It's what I keep repeating time and again. Active content (Javascript, Flash, Java, ActiveX (ick!)) is a very bad idea in a browser (an even worse idea in a mail reader). It's like having a gullible ward at the front door, willing to execute whatever instructions a complete stranger gives them.

Fuck "rich web experience". Rich means here "rich in exploits", nothing else.

And every "sandbox", "security container", whatnot -- just leads to a "Gödel, Escher, Bach"-style arms race [wikipedia.org].

I have a dream. That people understand the Internet as a means of conveying useful information, not "rich", "web", "experiences" or whatever incongruent marketeer's babble is "in" these days.

Lawn and that.

Amazing (3, Funny)

dr. chuck bunsen (762090) | more than 4 years ago | (#32967672)

This is the exact reason that I NEVER use the internet. Just too dangerous these days...

Re:Amazing (3, Funny)

mcgrew (92797) | more than 4 years ago | (#32969068)

You're telling me! I damned near broke my wrist last week!

I'm still waiting for... (2, Insightful)

pongo000 (97357) | more than 4 years ago | (#32967776)

...an effective attack vector against mutt.

Postini is NOT GMail (2, Informative)

RandomFactor (22447) | more than 4 years ago | (#32967786)

Because of the confusion that seems rampant...

Postini is an anti-spam/anti-virus mail filtering service that sits between your mail system and the internet. Companies (mostly) use it to stop malicious emails getting into their internal mail systems. GMail is a web-mail system which is probably protected by Postini also since Google owns both.

Re:Postini is NOT GMail (3, Informative)

stacysmomsmokesabong (1115599) | more than 4 years ago | (#32969376)

Because of the confusion that seems rampant...

Postini is an anti-spam/anti-virus mail filtering service that sits between your mail system and the internet. Companies (mostly) use it to stop malicious emails getting into their internal mail systems. GMail is a web-mail system which is probably protected by Postini also since Google owns both.

Interestingly enough, Gmail doesn't use Postini unless you purchase Google Apps Premier and enable Postini for GApps Gmail. Gmail by itself uses its own independently developed anti-spam technology. This is straight from the horse's mouth @ Google Enterprise Support.

plain text (3, Insightful)

SgtChaireBourne (457691) | more than 4 years ago | (#32967834)

plain text : it was good enough for Shakespeare

Re:plain text (2, Funny)

Anonymous Coward | more than 4 years ago | (#32968028)

Nonsense, Shakespeare mainly wrote scripts. And to this day, there are problems executing them properly.

Re:plain text (1)

tool462 (677306) | more than 4 years ago | (#32971670)

And half the guys involved in running the scripts are pretending to be women.

Re:plain text (1)

martin-boundary (547041) | more than 4 years ago | (#32971826)

The hard part is casting the dog, though. There's always a small dog for comic relief.

Re:plain text (1)

jonaskoelker (922170) | more than 3 years ago | (#32975884)

Tell me about it, it doesn't even pass tokenization!

Re:plain text (0)

Anonymous Coward | more than 4 years ago | (#32971728)

Not true at all. Bill fluffed his works with an entire theater.

Just been hit (1)

dgriff (1263092) | more than 3 years ago | (#32976022)

Just been hit starting 30 minutes ago by a wave of delivery failure notifications but the preceding message (to which it is a reply) looks like one from me - spam to a bunch of people including some addresses I recognize. Gmail account now disabled. Seems a hell of a coincidence that this is happening just after this report about Gmail JavaScript problems. Never had anything like this before.