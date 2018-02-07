

 



Scammers Use Download Bombs To Freeze Chrome Browsers on Shady Sites (bleepingcomputer.com) 63

Posted by msmash from the security-woes dept.
An anonymous reader shares a report: The operators of some tech support scam websites have found a new trick to block visitors on their shady sites and scare non-technical users into paying for unneeded software or servicing fees. The trick relies on using JavaScript code loaded on these malicious pages to initiate thousands of file download operations that quickly take up the user's memory resources, freezing Chrome on the scammer's site. The trick is meant to drive panicked users into calling one of the tech support phone numbers shown on the screen. According to Jerome Segura -- Malwarebytes leading expert in tech support scam operations, malvertising, and exploit kits -- this new trick utilizes the JavaScript Blob method and the window.navigator.msSaveOrOpenBlob function to achieve the "download bomb" that freezes Chrome.


  • Who's to blame? (Score:1, Flamebait)

    by mrbester ( 200927 )

    An immediate concern is why a method with a Microsoft specific vendor prefix is implemented and targetable in Chrome in the first place.

    TFA doesn't mention anything about IE/Edge being affected. If it is that would be understandable. They might not have checked, but there is also no reference to any other OS than Windows. Does that mean that msSaveOrOpenBlob is only implemented on the Windows version of Chrome and if so, why?

    • Re: (Score:2)

      by AvitarX ( 172628 )

      On Apple it causes a hang warning with an option to force close, doing so kills only the tab in question.

  • Use a piece of malware which hides everything from you and you're bound to be another victim.

    • Re: (Score:2)

      by wbr1 ( 2538558 )
      Chromium is open... what are you blathering about?

      • Re: (Score:2)

        by HiThere ( 15173 )

        Well, Chrome is not Chromium, but my guess is what he meant was that MSWindows has one application grab the entire screen, the way Gnome3 does. (I think I heard that Gnome3 copied that atrocious idea from MSWindows).

  • Wouldn't renice 32 -p $pid fix it for linux/unix?

  • msSaveOrOpen on Chrome? (Score:1)

    by Anonymous Coward

    The ms prefix is a clue that it is Microsoft-only

    navigator.msSaveOrOpen doesn't exist for either Chrome or Firefox

    Nice try, no cigar.

  • When a download is initiated by javascript, the browser should pop up a simple dialogue (non modal, but otherwise an "on top" window so they can continue to otherwise use the browser) to confirm the download with a yes/no. Permit only one of these dialogue windows at a time. Other threads wanting to pop up the dialogue can be suspended until the current dialogue is dismissed. Threads requesting a download can be handled on a first come first serve basis.

    • Chrome actually does do this.

      When I use JS to initiate multiple downloads, Chrome detects this, stops it, and asks me to continue.

      This article is really about IE.

      • Re: (Score:1)

        by Anonymous Coward

        No, it's about Chrome. The example in the article is Chrome. It is entirely possible that the vulnerability comes from Chrome trying to re-interpret an old MS specific HTML instruction, but it is a Chrome issue.

    • When a download is initiated by javascript, the browser should pop up a simple dialogue (non modal, but otherwise an "on top" window so they can continue to otherwise use the browser) to confirm the download with a yes/no. Permit only one of these dialogue windows at a time. Other threads wanting to pop up the dialogue can be suspended until the current dialogue is dismissed. Threads requesting a download can be handled on a first come first serve basis.

      A thousand times: NO!

      Been there, done that, you implement something like that, you end up having to click NO a jagillion times to dismiss all the queued up downloads. Stupid.

      • Re: (Score:2)

        by mark-t ( 151149 )

        No, you don't.

        As I said, the dialogue is not modal, so there is nothing stopping you from closing the offending page when one of these pops up without necessarily closing the entire browser. Before the dialog even opens, the thread that is opening the dialog can interrogate the client to see if the web page that spawned it is even still active. If it is, then it proceeds, but if not, then it aborts without even showing the dialog at all. Only one of these would ever be shown at one time, so you don't
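
The prompt queue proposed in this sub-thread (one non-modal prompt at a time, requests served first come first served, and a check that the originating page is still open before a prompt is shown), as an added example that is not part of any comment or of any browser's code. `DownloadGate`, its methods, the page ids and the file names are hypothetical and constructed for the simulation.

```javascript
// Added illustration: a model of the proposed download-confirmation gate.
class DownloadGate {
  constructor() {
    this.queue = [];              // pending download requests, FIFO
    this.current = null;          // the single request whose prompt is visible
    this.activePages = new Set(); // pages (tabs) that are still open
    this.promptsShown = 0;
    this.log = [];                // { page, file, outcome } per request
  }
  openPage(id) { this.activePages.add(id); }
  closePage(id) {
    this.activePages.delete(id);
    // A prompt belonging to a closed page is dismissed automatically.
    if (this.current && this.current.page === id) this.finish('aborted');
  }
  request(page, file) { this.queue.push({ page, file }); this.pump(); }
  answer(allow) { if (this.current) this.finish(allow ? 'allowed' : 'denied'); }
  finish(outcome) {
    this.log.push({ ...this.current, outcome });
    this.current = null;
    this.pump();
  }
  pump() {
    // Show at most one prompt; skip requests whose page is gone.
    while (!this.current && this.queue.length) {
      const req = this.queue.shift();
      if (!this.activePages.has(req.page)) {
        this.log.push({ ...req, outcome: 'aborted' });
        continue;
      }
      this.current = req;
      this.promptsShown++;
    }
  }
}

// Constructed scenario: one page floods the gate, another page asks once.
function simulateBomb(n) {
  const gate = new DownloadGate();
  gate.openPage('scam');
  gate.openPage('legit');
  for (let i = 0; i < n; i++) gate.request('scam', `f${i}.bin`);
  gate.request('legit', 'report.pdf');
  gate.closePage('scam'); // user closes the offending tab at the first prompt
  gate.answer(true);      // the only prompt left is the legitimate one
  const count = (o) => gate.log.filter((e) => e.outcome === o).length;
  return { prompts: gate.promptsShown, aborted: count('aborted'), allowed: count('allowed') };
}
```

With 1000 queued requests from the flooding page, closing that page leaves two prompts shown in total; the objection about clicking "no" for every queued download applies only if the user keeps the page open.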

  • window.navigator.msSaveOrOpenBlob (Score:5, Insightful)

    by zifn4b ( 1040588 ) on Wednesday February 07, 2018 @11:58AM (#56084153)
    Only works on Microsoft browsers. I don't see a problem here.
  • Hard-code this into web browsers' error messages.

  • After a few seconds of viewing the headlines, a scammy popup ad will dominate the screen and prevent you from clicking on any link on the site.
