SoylentNews is people
SoylentNews
from the running-windows—I-mean-javascript—I-mean-malware dept.
From The Daily Swig:
A serious vulnerability in the latest version of Microsoft Edge [a Windows web browser ed] enables attackers to spoof URLs with just five lines of code. The flaw, discovered by Argentine researcher Manuel Caballero, can make a malicious website appear to be legitimate through the use of the Stop() command, which interrupts the page loading process. With the target URL still appearing in the address bar, the document.write() JavaScript command can then be used to overwrite the contents of the page.
[...] With this bug, probably the only truly safe way reach any website using Edge is to open a new tab and type the URL by hand, or access it through your bookmarks.
This vulnerability appeared in a recent "security" update from Microsoft; users of Edge might want to investigate what version they are using.
(Score: 5, Insightful) by JNCF on Thursday May 03 2018, @09:52PM (9 children)
(Score: 5, Insightful) by Gaaark on Thursday May 03 2018, @10:17PM (7 children)
Users of Windows might want to get a better operating system.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2, Flamebait) by Gaaark on Friday May 04 2018, @12:12AM (5 children)
So, an intelligent, insightful remark is flamebait?
Windows is a buggy, hackers-heaven of an operating system, and MS doesn't know what they are doing. Their developers are shitty and their security sucks.
Prove me wrong!
Flamebait my fucking ass. Prove. Me. Wrong.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by JNCF on Friday May 04 2018, @12:45AM (2 children)
I considered including something like your comment in my original post, but decided against it because while I gag at the thought of using Windows I recognise that some people have proprietary software needs that can only be met by Windows without building something from scratch. Edge doesn't offer this -- it preforms better than competitors at some tasks (or at least used to), but whatever differences there are in feature sets should be rectified before those features are used for anything other than demos. The only reasonable use case for Edge that I see is testing compatibility so that your site works even for broken users. I see horrifying-yet-reasonable use cases for Windows, like running some piece of hardware that requires drivers and software not designed for decent operating systems. Luckily I don't have to deal with these cases, so I only run Windows in Vagrant boxes for compatibility testing.
Just to be clear, I didn't mod you flamebait.
(Score: 2) by MichaelDavidCrawford on Friday May 04 2018, @05:35AM
I expect to get a USB 3 protocol analyzer sometime this year but to the best of my knowledge they only work with windows.
You need Windows to use TI's Code Composer Studio to write firmware on top of TI RTOS Kernel. I really enjoyed coding for DSP/BIOS, a previous name before they called it SYSBIOS and now TI RTOS Kernel.
Yes I Have No Bananas. [gofundme.com]
(Score: 1, Interesting) by Anonymous Coward on Friday May 04 2018, @10:42AM
> Edge doesn't offer this
Proprietary web interface to Oracle database that requires MS browser to view. The reason that it requires MS browser is because this is the only one that will accept the insecure "security certificate". I think it is an issue with protocol rather than signing authority - firefox doesn't give me a decent error message any more, but I don't think it can be worked around even by hacking firefox browser options. I know, it's a shitfest.
(Score: 2) by c0lo on Friday May 04 2018, @06:43AM (1 child)
You got it all wrong: that's a flamebait comment that happens to be intelligent and insightful (grin)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Friday May 04 2018, @07:41AM
Agreed. Definitely flamebait. Best flamebait I have seen all year.
Precisely aimed at the company that needs it the most too, no less....
I would not rag on them so much if the weren't whoring with the "invaders of privacy" so much. Its not the government I distrust so much, its all those damned advertisers I see daily prying at the eyes currently on their computer screens.
We have had to ditch TV. We saw what advertisers did to that. Its free, and its unusable until you run it first through a VCR. These aren't advertisers... they are masters of how to annoy people to no end. And my fear is that Microsoft, by making all these "security updates" mandatory, will find interstitial ad placements irresistible, just as television network executives did, and turn all of our computers into ad delivery channels to captive eyeballs... just as what has happened on YouTube.
Most advertisers are simply assholes. You give an advertiser a way to be obnoxious ( such as giving them the ability to autoplay media ), and by golly, they will do it with all the remorse of a Luminess advertising executive sentencing TV watchers to five minute ads for something they have no interest in. By God, they have the money, let's go for it and annoy the hell out of people, then if the people start turning en masse to technical avoidance mechanisms, let's throw more money at Congress to make those ad-avoidance maneuvers illegal by purchasing custom crafted law that enforces our wish list. Its kinda like a bar... how much can the bartender water down the drink before people simply give up and quit buying the drinks? How many minutes of ads per hour can we run before people get pissed off, abandon the media, and pirate the stuff - as they crowdsource the removal of all the annoyances we mixed in?
Stuff like adding doorbell sounds to ads is infuriating. I can't tell you how many times I have answered a "no-one is there" door, just because I happened to have the TV on.
(Score: 0) by Anonymous Coward on Friday May 04 2018, @06:25AM
"Score 5: Flamebait"
Beautiful.
(Score: 0) by Anonymous Coward on Friday May 04 2018, @10:48AM
Shhhh we don't want people to actually believe Edge is an actual web browser
it's crappy beta software intended to one day replace ie11 when it dies and perhaps one day it may do that when they release version 1 of it
(Score: 0) by Anonymous Coward on Thursday May 03 2018, @10:09PM (1 child)
Can't you ignorant cunts do anything right anymore?
(Score: 1, Informative) by Anonymous Coward on Friday May 04 2018, @02:34AM
Let's see ...
function security(edge) {
Stop() ;
}
Looks about right to me.
(Score: 4, Informative) by bob_super on Thursday May 03 2018, @10:40PM (10 children)
> What Website Are You Really on?
Silly question:
On SN, I can say I'm on SN.
Since I browse with Noscript, I'm usually on whatever the address bar says.
Most people and websites ? They're not "on" any website, but merely occupying a virtual space bounded by the 30+ VMs serving them scripts which display pixels and track activity.
Modern websites are not a "site". Using the standard house analogy, their foundation is a heterogeneous cluster of blocks from different multiverses, the walls are paper-thin and badly decorated, like a museum with too few art pieces and not enough explanation, and the roof is incomplete, but there's 20 cameras following you everywhere you look, though none intended to notice if you take half of the valuables into your pocket.
(Score: 5, Informative) by Fluffeh on Thursday May 03 2018, @11:24PM (7 children)
Lets not nit-pick.
When I am logging into my bank's internet banking, I am on "my bank's website". I don't care whether it comes from a single server, a small army of my bank's servers or randomly generated packets from pigeons indigenous to my part of the world. What I do care about is that when I am entering my details, they are going to my bank - not to some other site.
This Edge flaw is dangerous as it is indeed easy enough to write malicious code that can capture usernames and passwords easily and do so without the user being aware that they were even lifted.
1. User is on malicious site. Starts typing in their banking URL and thinks they are going to the banking site.
2. Site captures the request, stops legitimate bank site, creates a render of the login screen.
3. User enters username and password.
4. Generic "Your details are incorrect, please check for typos etc" message is displayed and user is redirected to legitimate banking site login.
5 User successfully log into their banking site, thinking they must have typo'ed their username and thinks nothing of it again.
Their actual username and password were however captured neatly and cleanly in step 4 - to be used as needed or sold on some shady marketplace.
(Score: 4, Insightful) by bob_super on Friday May 04 2018, @01:14AM (6 children)
Why not nit-pick ?
The responsibility of delivering clean code without nasty tag-alongs should be legally enforced on the website you visit.
Right now, people just grab executable code left and right to build their site, security is a friggin nightmare, and the place you thought you visited is never responsible when bad things happen.
Real-world commercial insurance covers your ass when some third-party screws up while you are in a store (the store is responsible when the A/C conduit crushes you, then sues the contractor who installed it). Online ? You're on my site, but yeah, not really, you see, because it's not my fault that someone injected malware in the ad trackers, and I can't do anything about it, you see...
(Score: 0) by Anonymous Coward on Friday May 04 2018, @01:28AM (1 child)
(Score: 3, Insightful) by requerdanos on Friday May 04 2018, @02:30AM
Yeah, that's what this story is about. Nit-picking over whether you are "on a website" or "looking at data loaded from somewhere linked by a script loaded from the website."
Given that many websites aren't "sites" so much as agglomeration of scripts from dozens of servers each with its own tracking and misfeatures, this is a very, very fine distinction indeed.
(Score: 1, Troll) by realDonaldTrump on Friday May 04 2018, @04:31AM (2 children)
We have to see Bill Gates and a lot of different people that really understand what's happening. We have to talk to them about, maybe in certain areas, closing that Internet up in some ways. Somebody will say, "oh, freedom of speech, freedom of speech." These are foolish people!!
(Score: 1, Interesting) by Anonymous Coward on Friday May 04 2018, @08:05AM (1 child)
I don't think even Bill Gates knows what is happening anymore. Actually, I don't think *anyone* does.
Its become that big elephant that a lot of blind people are trying to describe... and all this "intellectual property" law regarding obfuscation and ignorance of how things work isn't helping one iota. Ignorance of how biology works does not help one iota for having a populace resilient to spreading of diseases.... nor does all this ignorance of how our technology works make our computational infrastructure resilient to outside attack from those who do not obey our "ignorance mandates by Congress".
But yet I realize how important our ignorance is for someone who wants to force-feed us ads, knowing we can't do anything about it.
And its also very important to have an ignorant populace if you want to hack into our power grids, elections, traffic control, commerce, banking, whatever.
To keep our population dumbed down requires a concerted effort by those empowered to craft law to keep knowledge away from the populace, so that those not under forced obeyance of that law can have the upper hand. Yes. Passed by the Congress of the United States of America.
Its gonna be interesting if they keep poking at China, and China decides to stand up, then we find a lot of our technology suddenly stops working - and no one knows why - as mandated by LAW passed by our own Congress.
Its simply not apparent to me that our Congress has much concern for the technical literacy of its populace, and wants us to know just enough to know how to buy stuff and listen to ads, while very few people, many outside the jurisdiction of our Congress, know the inner details of how the stuff works.
I see the Linux die-hards here being the last vestige of "do-er ship" outside of giant multinational corporations that hold no allegiance ( other than whoreship to the US Dollar - as long as the bankers are backing it ) to the United States.
(Score: 2) by realDonaldTrump on Friday May 04 2018, @06:17PM
The security aspect of cyber is very, very tough. And maybe it's hardly doable.
(Score: 2) by All Your Lawn Are Belong To Us on Friday May 04 2018, @01:44PM
I think you're right, bob_super It opens up a disconnect just a little for whom you consider "responsible" when you go to a website and are served something you didn't want (like malware, malvertising, whatever.) Who is repsonsible? When third-party ad services do it, the URL owner will happily point the finger.
To me, "what website am I on," is tantamount to saying, "Whom can I take action against, legal or otherwise, for what is being displayed to me?" And it wouldn't surprise me when there are cases when that is not the registrant of the address showing in my bar. It would be nice if there was a common-sense layer that let the address bar be solely responsible, but I fear that way lies SOSTA etc.
This sig for rent.
(Score: 2) by stormwyrm on Friday May 04 2018, @01:24AM (1 child)
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Friday May 04 2018, @08:22AM
That bit about not being able to trust the address bar was the first thing that sullied my acceptance of JavaScript.
I took a class in JavaScript at the local Community College, and when I learned the mischief I could do with it, I failed to see why ANY "Reputable" business would have it on their site. I saw it as the language of tinkerers, pranksters, and thieves. In all my naivety I never thought that ANY reputable business would have anything to do with it. To me it was like a child care business hiring known sex molesters ( well, because they showed an "interest" in the kids and worked for cheap. )
Yet, on the web, the "child care" businesses got Congress to approve "hold harmless" for them, and hired these molesters right and left, hence we have all this malware spreading via hostile "ads"- as sending your customer content by an "ad" is still seen as a businesslike and hold-harmless thing - and they know our Congress is too weak-willed to tell the business community things like "You straighten up your act, or all that legislation you has us pass about criminalizing reverse-engineering content is OUT THE DOOR! Those people are only trying to protect themselves from the crap you are sending them!". Even though Congressmen love to bandy the term "Elect ME and I will FIGHT for you!" before an election, I don't see too many putting up much of a fight for anything once they are in office. The Congressional hand extends, and if there is money in it when it retracts, it will sign a "law" into effect. And we are all expected to obey it, even though its a one sided law, deliberately crafted to give one side artificial enforced monopoly.
One guy ( I believe on this site ) made an insightful observation... something down the line of " In its magnaminous equality, the LAW equally forbids both rich and poor from sleeping under bridges."
(Score: 2) by black6host on Thursday May 03 2018, @11:00PM (3 children)
Microsoft strives to make it's users happy. It provides all kinds of time saving code in an effort to make every user's day as easy as possible. I mean really, think of it. Happy malware writers can knock off early having completed their tasks in record time! Yay!!!!!
(Score: 2) by takyon on Thursday May 03 2018, @11:18PM (2 children)
If malware writers are the users, then who's using the browser... the products! The products are being used by the browser!
So I guess the true test here is to see who can get access to updates. Are there some Windows 10 users who won't quality for support much longer?
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Friday May 04 2018, @09:41AM (1 child)
I thought the whole idea behind Windows 10 is that support would be infinitely forthcoming.... well as long as Microsoft as a corporation remains viable.
But, in exchange, you give up control of your machine to Microsoft. Kinda like giving up your car to some corporation, then asking them nicely if you can drive it somewhere - they will know where you went and every detail of your trip.
In addition, you agree to pay whatever they may bill you for in the future, or forfeit your car.
You will also agree its ok if they later start sending you ads, and your car may not run until you acknowledge them. Using your computer will likely become just like trying to watch a show on TV. If some bastard can buy a five minute ad - about the best you can do is eat your lunch, shave, pee, or whatever, because that business has paid for the time to annoy you, and there ain't much you can do about it.
(Score: 2) by takyon on Friday May 04 2018, @12:03PM
I remember. And maybe it's feasible. But I don't think they will hold to that, or that most computer users care or know about the promise(s).
Old hardware will still be kicked to the curb eventually, and the OS itself could undergo major UI changes without the version number being bumped up:
https://en.wikipedia.org/wiki/Windows_10#Updates_and_support [wikipedia.org]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by Thexalon on Thursday May 03 2018, @11:21PM (3 children)
Quick! Let's get to phishing into important email accounts and sending their mail to Wikileaks! At least let's nab Satya Nadella - if Microsoft's CEO won't use Edge, neither should anybody else.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 0) by Anonymous Coward on Friday May 04 2018, @12:39AM
What useful things would you find in his account? A list of the best streets in Richmond for shitting on?
(Score: 2) by stormreaver on Friday May 04 2018, @01:56AM (1 child)
I think we should contact both Edge users and warn them.
(Score: 2) by c0lo on Friday May 04 2018, @07:30AM
I would, but while I can get in touch with Nadella, I lost contact with Ballmer - since the time he wasn't after developers any longer.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 4, Touché) by arslan on Friday May 04 2018, @12:02AM (4 children)
It is out before the vulnerability is even discovered, download here [google.com.au]
(Score: 2) by JNCF on Friday May 04 2018, @02:33AM (1 child)
That's not a browser. That's a browser. [youtu.be]
(Score: 0) by Anonymous Coward on Friday May 04 2018, @05:51AM
Not sure if Crocodile Dundee showing off to a date by pulling out a bigger knife then the (mugger) black guy is the closest thing to a dick size contest a white guy can win or just stupid. Moreover, do you call it ozploitation? whitesploitation? I'm sticking with just stupid.
(Score: 0) by Anonymous Coward on Friday May 04 2018, @11:26AM (1 child)
Dude, you're link is borked. try this one [mozilla.org]
(Score: 0) by Anonymous Coward on Friday May 04 2018, @02:56PM
dude, your "your" is borked
(Score: 3, Insightful) by aristarchus on Friday May 04 2018, @08:01AM (4 children)
And by this, I do not mean Boudecia, the Queen of the Iceni, who very nearly kept the nasty Romans out of Britannia! No, I mean keeping the Gates out of the Internets! If you are still using Windows, you must be a shill. If you are still using windows, and deny being a shill, you are a shill. If you are one of those pathetic slack-nut gamers who claim you only use Windows, because, . . . you are a Micro$erf shill. I am sorry so many of our Soylentils are Microserft shills, truly I am. But they made their own choice, and just because they cannot tell if a URL is spoofed or not, I should get my panties all up in a bunch? Death to Microsoft! Impeachment to Trump. And deposition for TMB. We need to know what he knew, and when he knew it. Seriously!!
(Score: 1, Insightful) by Anonymous Coward on Friday May 04 2018, @08:41AM (1 child)
I believe most of the Microsoft users are that way due to sheer IGNORANCE. I did not say Stupidity. IGNORANCE is only the lack of knowledge - which is quite fixable - but it takes time.
That is why Microsoft and Apple want to be in the schools. Like a language, one has a tendency to stay with the one he grows up with. And few of us ( if any ) were exposed to Linux in the school system.
Remember when Microsoft would run amuck with the law, then "atone for their sins" by donations to schools?
Well, this is what came of it. "Win-Win" so to say.
I don't think people are going to change until Microsoft does what the Cable Companies are doing to encourage cord-cutting. If Microsoft will start putting mandatory unskippable interstitial ads into our computers, maybe they can piss off enough people to cord-cut over to Linux to avoid all the wasted time. You know the Advertising industry must have their hand-shakers swarming all over Microsoft by now, in the same manner they swarmed all over commercial public over-the-air television, rendering it into an unwatchable mess of ads, viewable only if you have the technological assistance of a VCR. In a way I am counting on Microsoft Executives being just as gullible as Commercial Broadcast Executives when it comes to succumbing to the Advertisers - making a vast wasteland of crap trying to find the one person who might buy something - but alienating everyone else to do it.
Much like the bartender who keeps watering down the drinks until no one shows up at his bar anymore.
Its a positive feedback loop... TV ad price drops to make television advertising a "bargain", which only discourages people from watching, which further devalues a television ad. This will go on until the Director of Progarmming at the Television Station considers their viewers time as having no value, while his station also has no value. Nobody's watching. Both camera and mic are routed to dev=null.
(Score: 3, Insightful) by Gaaark on Friday May 04 2018, @11:29AM
>>> And few of us ( if any ) were exposed to Linux in the school system.
I certainly wasn't, but I got tired of getting kicked in the nuts over and over again (IE crashing all the time, and BSOD until I could screeeeeeeeam) and I searched out alternatives.
THAT'S when I found Linux and never looked back.
I can't believe people voluntarily still use Windows: if I had to for a certain program, it would be inside a VM in Linux. That way, when I was done, I could close that Window and open the world.
Come on people...grow. up.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 1, Touché) by Anonymous Coward on Friday May 04 2018, @01:39PM
Or an employee with zero influence on the decision which operating system to use.
(Score: 0) by Anonymous Coward on Friday May 04 2018, @02:54PM
close but no cigar