‘Zombie script’ deluges Internet Explorer 11 with pop-up alerts until user closes tab

A malvertiser’s dream come true.

David bisson
David Bisson

'Zombie script' deluges Internet Explorer with pop-up alerts until user closes tab

A ‘zombie script’ could allow attackers to deluge Internet Explorer 11 users’ browser windows with pop-up alerts until they close the tab.

Security researcher Manuel Caballero developed the script by taking a universal cross-site scripting (UXSS) bug and Same Origin Policy (SOP) bypass in Internet Explorer 11’s htmlFile/ActiveXObject component, which he describes here, and pairing it with the web browser’s pop-up alerts.

First, he figured out a way to bypass the “Don’t let this page create more alerts” option by using the alert method from the ActiveXObject.

Sign up to our free newsletter.
Security news, advice, and tips.

02 alert without checkbox

This script prevents a user from disabling the pop-up alerts while they’re still on that page. Impressive…but Caballero wanted more. So he came up with a way to generate an unlimited number of alerts and display them to a user at the same time.

For his demo, he created 10 pop-up windows.

03 alert ad infinitum

More incredible still. But there was only so much fun Caballero could have with a user. He knew that once they navigated away from the page, the script would stop working and would therefore cease displaying pop-up alerts.

That is, unless he refined his code even further.

As he explains in a blog post:

“In order to make our code persistent (or a zombie script as some people call it), we need to keep a reference to the object that runs the script and make a call the window.open method. Those two things will make IE think it should not destroy the object because there’s still a reference to it. The good thing is that the reference can be in the object itself!”

04 zombie script 2

In other words, the code keeps running even after a user has left the page. The only way the alerts will stop running is if they close the tab.

This has lots of applications for attackers. For instance, tech support scammers could use the zombie script to convince users there’s something wrong with their computer. Alternatively, attackers could use the code for a malvertising campaign.

Caballero elaborated on this point for Bleeping Computer:

“For example, imagine a malvertising campaign that sets this script and then forces users to make hidden requests to ads. [Y]ou [the fake advertiser] buy cheap inventory and then, keep rotating hidden ads for hours, until the user […] closes the tab.”

There’s currently no fix for this issue. But don’t worry, the script works with only Internet Explorer 11. If you’re not tied to Microsoft’s browser, you can protect yourself by switching to one of the well-known alternatives.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.