'Zombie script' deluges Internet Explorer 11 with pop-up alerts until user closes tab

A malvertiser’s dream come true.

A 'zombie script' could allow attackers to deluge Internet Explorer 11 users' browser windows with pop-up alerts until they close the tab.

Security researcher Manuel Caballero developed the script by taking a universal cross-site scripting (UXSS) bug and Same Origin Policy (SOP) bypass in Internet Explorer 11's htmlFile/ActiveXObject component, which he describes here, and pairing it with the web browser's pop-up alerts.

First, he figured out a way to bypass the "Don't let this page create more alerts" option by using the alert method from the ActiveXObject.

This script prevents a user from disabling the pop-up alerts while they're still on that page. Impressive...but Caballero wanted more. So he came up with a way to generate an unlimited number of alerts and display them to a user at the same time.

For his demo, he created 10 pop-up windows.

More incredible still. But there was only so much fun Caballero could have with a user. He knew that once they navigated away from the page, the script would stop working and would therefore cease displaying pop-up alerts.

That is, unless he refined his code even further.

As he explains in a blog post:

"In order to make our code persistent (or a zombie script as some people call it), we need to keep a reference to the object that runs the script and make a call to the window.open method. Those two things will make IE think it should not destroy the object because there’s still a reference to it. The good thing is that the reference can be in the object itself!"

In other words, the code keeps running even after a user has left the page. The alerts stop only when the user closes the tab.

This has lots of applications for attackers. For instance, tech support scammers could use the zombie script to convince users there's something wrong with their computer. Alternatively, attackers could use the code for a malvertising campaign.

Caballero elaborated on this point for Bleeping Computer:

"For example, imagine a malvertising campaign that sets this script and then forces users to make hidden requests to ads. [Y]ou [the fake advertiser] buy cheap inventory and then, keep rotating hidden ads for hours, until the user [...] closes the tab."

There's currently no fix for this issue. But don't worry, the script works with only Internet Explorer 11. If you're not tied to Microsoft's browser, you can protect yourself by switching to one of the well-known alternatives.
