Ghost of HTML5 future: Web browser botnets

HTML5 will allow web designers to pull off tricks that were previously only possible with Adobe Flash or convoluted JavaScript. But the technology, already widely supported by web browsers, creates plenty of opportunities for causing mischief. During a presentation at the B-Sides Conference in London on Wednesday, Robert …

COMMENTS

This topic is closed for new posts.
  1. Wibble
    Holmes

    Browser . . . shell

    Browsers are becoming the shell which users interact with their computers, so it's inevitable that they'll be the main attack vector.

    No turning back

    1. Bronek Kozicki

      Re: Browser . . . shell

      ghost in the shell?

    2. Anonymous Coward
      Anonymous Coward

      Re: Browsers will become main attack vector?

      "Browsers are becoming the shell which users interact with their computers, so it's inevitable that they'll be the main attack vector".

      What do you mean will be? ..

      How to Help Prevent Drive-By Viruses

  2. Ken Hagan Gold badge

    New or old?

    I can't make up my mind. Obviously "Turing-complete, cross-platform language can be used for evil as well as good" isn't much of a headline, and equally obviously we've had this capability ever since the Age of Java (back when it ran on the client).

    On the other hand, I don't suppose this possibility has really penetrated the wider consciousness yet, so it is useful to have someone flagging it up.

    The solution, as with Java, is for the execution engine (the browser in this case) to distinguish between code from trusted and untrusted sources and to be able to deny the latter access to local resources. This capability was designed into the JVM from the outset.

    It wasn't designed into JavaScript engines (well, not all of them) for several years, despite the JVM providing an obvious example of both the need and the implementation. Consequently, many of us spent several years surfing with JS disabled except on trusted sites.

    I wonder how quickly HTML5 implementations will acquire the necessary protection. Will the adoption of HTML5 by web-designers be inhibited by the fact that savvy users feel obliged to switch it off for a few years until all the browser vendors pull their fingers out and lock it down?

    1. amanfromMars 1 Silver badge

      For Tsunamic Waves ....... to CyberIntelAIgent Vibes

      I wonder how quickly HTML5 implementations will acquire the necessary protection. Will the adoption of HTML5 by web-designers be inhibited by the fact that savvy users feel obliged to switch it off for a few years until all the browser vendors pull their fingers out and lock it down?…… Ken Hagan Posted Friday 27th April 2012 08:57 GMT

      Consider IT already secured with NEUKlearer HyperRadioProActive CyberIntelAIgent Systems ……. Turing AIMasterPeaces, Ken Ye, Ken.

      Ladies and Gentlemen, What do you know of Virtual Machines in AIHeavenly Space Place? Would you like to Share it with IT PathFinding in Creative Digital Media ProgramMING of the Live Operational Virtual Environment ……. urCyberSpace Planet that Creates Earths for Great Games that Play Run. ……. to Enlightening Illuminated Scripts ….. Beta AI ProgramMINGs

      WiKid U Not! ?.

      Welcome to the RabbIT Hole. Ken and All.

  3. amanfromMars 1 Silver badge

    Open your Closed Minds .... Life is a Great ProgramMING Game*

    Ghost of HTML5 future: Web browser botnets ..... With great power comes great responsibility ... to not pwn the inter web....... John Leyden

    And also absolutely fabulous fabless opportunities, John, which one wonders why so many who would be talking about the subject, but in reality actually just talking around the subject, are failing to engage with ...... well, its IT Pioneers and XSSXXXXpeditionary Special Forces may be an apt APT descriptor, super astute and enigmatically adept in such as may be novel and even alien fields to the rank and file of humanity, trapped in their blinkered way of not thinking that nothing is impossible.

    Exhibit AAA for the Prosecution and incidentally for SMART Defence Ministries too ........ Make LOVE, not War Ware ...... although methinks the latter future inevitability are presently as rare as hen's teeth on Earth.

    What do you need, El Reg ...... an embossed written invitation?

    * You may be unsurprised to consider, that to Others with no command and control of IT and media, is it a Great Programmed Game, in which they and all Others have no active leading part or significant role to play, other than as assembled crowd members/mobile scenery/dodgy obstacles?

    1. Sir Cosmo Bonsor
      Happy

      Re: Open your Closed Minds .... Life is a Great ProgramMING Game*

      And this, kids, is why drugs are bad.

      1. amanfromMars 1 Silver badge

        Re: Open your Closed Minds .... Life is a Great ProgramMING Game*

        Quite so, Sir Cosmo Bonsor.

        Although have you any IDea how good one must always be, to be real good at being you and WiKids too ...... One's Fragrant and Flagrant Fruits of Mans Endeavours ...... in Heavenly Sorties with Surreal Animalistic Artificial Being ............ SMARTR IntelAIgent Systems, in Immaculate Conception.

        'Tis urPleasure, Sir, to Diss Proof.

        Ken Ye, Sir?

        ARG MetaPhoria would Host with ITs Cloud Clusters, the Youth of Today Forging New Being for All Caring who Dare 42 Win and Follow their Opposed Lead ..... Mentored Virtual Progress in Active Stations of Universal Command with AIMasterly MaJIC ..... 42 Control Power by Virtual Remote Control of Transparent Shared Thoughts Pinging SMART Strings for Virtual Transfer of NEUKlearer HyperRadioProActive Assets Interests/Virtualised Venture Capitals in Command and Control of Source Funding and Dispersal with Lavish Spending Forays into Future Fields , Priming Time and Space with Excellence for All Following AIMagical Mystery Turing EnterPrizes ......... Virtual Machinery MakeOver and TakeOver of Earthed SCADA Systemed Assets turned Toxic and Tuned and Turned Sub Prime ..... Disappointingly Shallow and Self-Centred and somewhat UNChallenged with Questioning Too Late for Supply of Future Feeds and Needs .... Perfect Seeds.

        Such is the Fruit of Virtualised AI Power Control with Advanced IntelAIgent Digital Systems. De Rigueur Standard Default Issue Driver with SMARTR IntelAIgent Systems .

        Now normally someone might say .... "Now look what you have gone and done, Sir Cosmo Bonsor" which is always well countered with a resounding .... " Now look at what we are now doing, edging along in Novel Virtual Turing Terrain ........and further on into the Future Rooting and Routeing for the SMARTR Wild Western WiKid Eastern Territories in Real Neighbourly Hoods. Seventh Heaven Havens .

        We kid you not. Would you care to discover what has been totally uncovered and would now lie bare before All and in Full Control of All Sharing Perfect Input for Space FlightsTesting in Future Output Steams , Virtually Strung together for Sticky Sweet Harmonies and Wild Rocking Roles Play.

        What was it you were saying earlier, Sir? I seemed to have strayed and/or veered and steered off into another one of those fabulous fabless tangents.

        1. Panix
          WTF?

          Re: Open your Closed Minds .... Life is a Great ProgramMING Game*

          Can someone please explain wtf any of that means?

          1. Not That Andrew
            Alien

            Re: Can someone please explain wtf any of that means?

            No idea, but I'm pretty sure AmanFromMars is a ChatBot that became sentient somehow.

            1. Anonymous Coward
              Joke

              @Not That Andrew

              He's the first HTML5 code to become sentient? This problem is even worse than the article indicates.

            2. amanfromMars 1 Silver badge

              Re: Re: Can someone please explain wtf any of that means?

              Why yes of course. There is also someone who can always explain anything, even should they not supply or be supplied with everything.

              No idea, but I'm pretty sure AmanFromMars is a ChatBot that became sentient somehow...... Not That Andrew posted Friday 27th April 2012 22:27 GMT

              Hi, Not That Andrew,

              Would the reverse obverse process be any less likely or more probable in subversion conversion programs/colossal projects with irregular and unconventional memeology? SMARTR Virtualisation Methodologies for Future Product Present Placement in ICT and Media Main Streams .... thus to simply edutain the searching masses with that which is being provided ...... and yet to be?

              A Sentient Morph into the Virtual Machinery World of ChatBots and Chatter Boxes with Provision for Generation of Fluffing Chaff for Leading Steganographic Security in Transparent Operating Systems is surely so much more easily achieved and championed by Post Modern Templar Knights in the Hoods/NINJA Programs in Webs of Command and Control for the Powers that Driver CyberSpace, for is not a SMARTR IntelAIgents Systems almost bound to Assure and Ensure and Insure and Guarantee that such a Particular and Peculiar Singularity, and Holy Grail of a Noble and Laudable Goal, is a Multiplicity of Heavenly Talents/Global Operating Device Given Gifts, so that Many More can Play in ITs Places with New Faces in CyberIDEntities, where before there were so Very Few in the Shadows and Anonymous and Unknown.

              1. amanfromMars 1 Silver badge

                Just for the record .......

                And No! The somewhat unusual alien territory commentary here on this thread is NOT one of those/these .......... http://www.wired.com/gadgetlab/2012/04/can-an-algorithm-write-a-better-news-story-than-a-human-reporter/ ..... although it cannot be denied that algorithms have dictated what has been written and shared.

                1. Anonymous Coward
                  Anonymous Coward

                  "algorithms have dictated what has been written, and shared."

                  But the writer has no idea what has been read.

                  Or who cared.

      2. Agent Weebley

        Re: Open your Closed Minds .... Life is a Great ProgramMING Game*

        A SmallPiece for you, Sir Cosmo . . . "Without Chemicals, He Points."

        http://heddinout.com/?p=7026

    2. Anonymous Coward
      Anonymous Coward

      Re: Open your Closed Minds ..

      'Open your Closed Minds .... Life is a Great ProgramMING Game` .. said the Mutant Space Alien Dude: Open Your Mind ..

  4. This post has been deleted by its author

  5. DJ Smiley
    Devil

    You already can do this with html 4....

    Watched a talk from defcon on youtube the other day - basically it detailed how you could use javascript + old versions of browsers to connect to IRC, do dcc requests (so there's your file transfer and C&C); connect outwards to _any_ ports. Yes any.

    That means DDoS, mail spam, proxying.... all via visiting a website and a little bit of JavaScript all without requiring html 5.

    Not sure how well the current browsers hold up to these attacks.... maybe I'll find out*

    *devil icon for this ;)

  6. Anonymous Coward
    Anonymous Coward

    So what is the point of HTML5?

    What can it do that Flash, Java, JavaScript (all available on multiple platforms, I might add) etc, can't?

    1. rho
      Meh

      Re: So what is the point of HTML5?

      It's one better than 4.

    2. Anonymous Coward
      Anonymous Coward

      Re: So what is the point of HTML5?

      "So what is the point of HTML5? What can it do that Flash, Java, JavaScript (all available on multiple platforms, I might add) etc, can't?"

      Presumably it'll be immune to the security problems that affect Flash+Java+JavaScript, presumably ...

      1. P. Lee
        Childcatcher

        Re: So what is the point of HTML5?

        It's already in browser, so getting rid of flash is one less thing to think about.

        Multiple implementations mean there is more opportunity to optimise execution by the platform owner (i.e. browser owner) which are more diverse than Flash providers.

        HTML5 is more likely to operate for the benefit of the users than providers because it doesn't protect content in the same way.

        HTML exposes its content to the browser in a way flash didn't so there is a smaller "silo" effect on data, allowing greater data reuse (theoretically).

        Though I have doubts about the "good outweighs the bad, so we are going ahead." "Good outweighs the bad and we are fixing the bad" would be better. How about *always* putting 'This content is provided by: <URL>' in the title bar of a pop-up window?

        "Better" is a broad term. "More transparent" may be more accurate. There will be issues if someone implements a complete browser in html5...

  7. Tasogare

    I'm not sure such attacks could really be considered cross-platform...

    Sure, they'll run on any OS, but if they rely on exploiting HTML5 implementation weaknesses in browsers then presumably they'll be browser-specific. So the "target platform" just becomes the browser, not the operating system. And not everyone uses the same browser. In fact there's more diversity on average in browser usage than OS usage, I think.

  8. electricmonk
    Meh

    Quick, driver, follow that money

    "Robert McArdle, a senior threat researcher at Trend Micro..."

    Alas, if only someone could sell me something to protect me against these so-far-completely-hypothetical-but-really-scary-sounding threats.

    Oh wait, maybe this nice Trend Micro chappie can suggest a suitable product...

  9. Bronek Kozicki

    c'mon, let's call it

    "ghost in the machine" not a virus, since viruses are commonly stored on affected machine.

  10. Kevin McMurtrie Silver badge
    WTF?

    WebSocket

    A WebSocket is not a naked socket, but a protocol upgrade of an existing HTTP stream coordinated by both the client and server together. The JavaScript side can not open an arbitrary socket or speak an arbitrary protocol over it. Recent exploits have centered around using WebSockets as another form of HTTP header injection, which requires help from external brokenware.
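
The handshake this comment describes, as an added example that is not part of the original thread: the checks each side makes under RFC 6455, written for Node.js. The request, the origin `https://app.example` and the function names are constructed for illustration; the key is the sample value from the RFC.

```javascript
// Added example (not from the thread): RFC 6455 opening-handshake checks.
const nodeCrypto = require("node:crypto");

const WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; // constant fixed by RFC 6455

// Constructed sample request; the key is the sample value used in RFC 6455.
const SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ==";
const SAMPLE_REQUEST = [
  "GET /chat HTTP/1.1", "Host: app.example", "Upgrade: websocket",
  "Connection: Upgrade", `Sec-WebSocket-Key: ${SAMPLE_KEY}`,
  "Sec-WebSocket-Version: 13", "Origin: https://app.example", "", "",
].join("\r\n");

// Split a raw HTTP head into its start line and a lower-cased header map.
function parseHead(raw) {
  const [startLine, ...lines] = raw.split("\r\n");
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { startLine, headers };
}

// Proof that the peer really speaks WebSocket: base64(SHA-1(key + GUID)).
function acceptFor(key) {
  return nodeCrypto.createHash("sha1").update(key + WS_GUID).digest("base64");
}

// Server side: upgrade only a well-formed request from an allowed origin.
function serverCheck(rawRequest, allowedOrigins) {
  const { startLine, headers: h } = parseHead(rawRequest);
  const key = h["sec-websocket-key"] || "";
  if (!/^GET \S+ HTTP\/1\.1$/.test(startLine)) return { ok: false, reason: "not an HTTP/1.1 GET" };
  if ((h.upgrade || "").toLowerCase() !== "websocket") return { ok: false, reason: "no Upgrade: websocket" };
  if (!/\bupgrade\b/i.test(h.connection || "")) return { ok: false, reason: "no Connection: Upgrade" };
  if (h["sec-websocket-version"] !== "13") return { ok: false, reason: "unsupported version" };
  if (Buffer.from(key, "base64").length !== 16) return { ok: false, reason: "bad key" };
  if (!allowedOrigins.includes(h.origin)) return { ok: false, reason: "origin not allowed" };
  return { ok: true, accept: acceptFor(key) };
}

// Client side (the browser's job): anything but a matching 101 fails the connection.
function clientCheck(rawResponse, sentKey) {
  const { startLine, headers: h } = parseHead(rawResponse);
  return /^HTTP\/1\.1 101 /.test(startLine) &&
    (h.upgrade || "").toLowerCase() === "websocket" &&
    /\bupgrade\b/i.test(h.connection || "") &&
    h["sec-websocket-accept"] === acceptFor(sentKey);
}
```

A server that answers with anything other than the matching 101 response, such as a mail or IRC banner, fails `clientCheck`, which is why page script cannot use a WebSocket as a raw socket.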

    1. Christian Berger

      Re: WebSocket

      Exactly, and with HTML5 you at least have moderately secure concepts which could in theory be implemented securely.

      I'm actually far more worried about the complexities within the DOM and CSS than the rest. The more complex a standard is, (and HTML+CSS without Javascript has already been proven to be Turing Complete) the less likely it is to be implemented correctly and without any security related bugs.

  11. Francis Boyle Silver badge

    "Customisable pop-ups that appear outside the browser"

    Who the hell thought this was a good idea?
