A ‘zombie script’ could allow attackers to deluge Internet Explorer 11 users’ browser windows with pop-up alerts until they close the tab.
Security researcher Manuel Caballero developed the script by taking a universal cross-site scripting (UXSS) bug and Same Origin Policy (SOP) bypass in Internet Explorer 11’s htmlFile/ActiveXObject component, which he describes here, and pairing it with the web browser’s pop-up alerts.
First, he figured out a way to bypass the “Don’t let this page create more alerts” option by using the alert method from the ActiveXObject.
This script prevents a user from disabling the pop-up alerts while they’re still on that page. Impressive…but Caballero wanted more. So he came up with a way to generate an unlimited number of alerts and display them to a user at the same time.
For his demo, he created 10 pop-up windows.
More incredible still. But there was only so much fun Caballero could have with a user. He knew that once they navigated away from the page, the script would stop working and would therefore cease displaying pop-up alerts.
That is, unless he refined his code even further.
As he explains in a blog post:
“In order to make our code persistent (or a zombie script as some people call it), we need to keep a reference to the object that runs the script and make a call to the window.open method. Those two things will make IE think it should not destroy the object because there’s still a reference to it. The good thing is that the reference can be in the object itself!”
In other words, the code keeps running even after a user has left the page. The alerts stop only when the user closes the tab.
This has lots of applications for attackers. For instance, tech support scammers could use the zombie script to convince users there’s something wrong with their computer. Alternatively, attackers could use the code for a malvertising campaign.
Caballero elaborated on this point for Bleeping Computer:
“For example, imagine a malvertising campaign that sets this script and then forces users to make hidden requests to ads. [Y]ou [the fake advertiser] buy cheap inventory and then, keep rotating hidden ads for hours, until the user […] closes the tab.”
There’s currently no fix for this issue. But don’t worry, the script works only with Internet Explorer 11. If you’re not tied to Microsoft’s browser, you can protect yourself by switching to one of the well-known alternatives.