Users having an informed choice which is what they already have if they don’t update as they are beaten relentlessly by OS reminders and forum jockeys that tell them Apple knows better.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
JavaScript-Based Safari Ransomware Exploit Patched in iOS 10.3
- Thread starter MacRumors
- Start date
- Sort by reaction score
It is generally a good idea to completely turn off javascript and use private mode when searching for free movies/music and porn. The sites providing such things tend to be shady, and disabling javascript is a good way to protect yourself. Private mode ensures that stuff you searched for doesn't show up in your browser history later when you're looking something up in front of friends or family.
Sometimes such a site will demand you enable Javascript to proceed. This is a HUGE RED FLAG and you should move on to another site.
I know, but some folks don't.
Unfortunately most users don't know anything about security, there are still people replying to email asking credential to access the home banking and opening unknown attachments.
Anyone else seeing an ad for "Ransomware Defense For Dummies" while reading this thread?
Exploits of this sort are essentially web pages designed to behave badly. And by "behave badly," I mean to behave in ways that skirt or violate web conventions (like being able to close/dismiss a page at will). At one end of the spectrum might be "mouse-over" activation of media-rich ads (or so large on an iPhone screen that you can't help but touch them as you scroll) - these get served-up fairly regularly when I browse MacRumors. They're placed through Google and other legitimate advertising networks. I'd rather they didn't occur, and I'm sure if they annoyed me a bit more, I'd do something to defeat them.
At the other end of the spectrum are these "scareware/ransomware" popups that prevent closure altogether, or that induce people to unwittingly download adware and junk software. These are coupled with outright lies: "You have a virus! Do NOT close your browser! Call this toll-free number now!!" or "Your Adobe Flash is out of date. To view videos, download now." Along with phishing email, they're classic examples of marketplace fraud/crime.
Is it more likely these will occur at "shady" web sites? Yes. But before you blame the victim, very large numbers are victimized on the "legitimate" web, lured in by garden-variety clickbait. Should they be more discerning about which Google search result they click as they pursue free online games or funny animal videos? Sure. Some people are more easily deceived than others, but I doubt there's anyone who's 100% fool-proof.
This particular article makes it seem as if this "ransomware" is a new, novel exploit. It's really one of many exploits of the sort, many that have already been defeated by other browser patches and updates. This is just the latest in a series, and they will continue as long as technology changes - new tech brings new opportunities. Chrome and Firefox are even bigger targets than Safari, are just as likely to be susceptible, and have been patched just as frequently.
Exploits of this sort are essentially web pages designed to behave badly. And by "behave badly," I mean to behave in ways that skirt or violate web conventions (like being able to close/dismiss a page at will). At one end of the spectrum might be "mouse-over" activation of media-rich ads (or so large on an iPhone screen that you can't help but touch them as you scroll) - these get served-up fairly regularly when I browse MacRumors. They're placed through Google and other legitimate advertising networks. I'd rather they didn't occur, and I'm sure if they annoyed me a bit more, I'd do something to defeat them.
At the other end of the spectrum are these "scareware/ransomware" popups that prevent closure altogether, or that induce people to unwittingly download adware and junk software. These are coupled with outright lies: "You have a virus! Do NOT close your browser! Call this toll-free number now!!" or "Your Adobe Flash is out of date. To view videos, download now." Along with phishing email, they're classic examples of marketplace fraud/crime.
Is it more likely these will occur at "shady" web sites? Yes. But before you blame the victim, very large numbers are victimized on the "legitimate" web, lured in by garden-variety clickbait. Should they be more discerning about which Google search result they click as they pursue free online games or funny animal videos? Sure. Some people are more easily deceived than others, but I doubt there's anyone who's 100% fool-proof.
This particular article makes it seem as if this "ransomware" is a new, novel exploit. It's really one of many exploits of the sort, many that have already been defeated by other browser patches and updates. This is just the latest in a series, and they will continue as long as technology changes - new tech brings new opportunities. Chrome and Firefox are even bigger targets than Safari, are just as likely to be susceptible, and have been patched just as frequently.
As a developer I hope they don't.
Recently my iOS9 test machine was automatically updated to iOS10. And obviously had a problem happening on an iOS9 safari and not 10.
Since you can't expect the whole world to be up to date with the latest version, I'd rather have the possibility to stay on current devices and not have to go out of my way or pay for services (like browserstack) to test my own stuff.
While an automatic download of an update is certainly there, there really isn't any automatic installation of updates.
Lol. Perhaps that's the problem. I guess I'll have to tell my girl that I need some porn time to find those iPhone bugs.
On a side note, isn't it funny that unprotected sex can lead to catching bugs and viruses regardless of whether it's done live with another person, or solo while watching someone over the Internet.
Perhaps it's all designed to keep us honest. You'll have some explaining to do if you give your spouse an infection. And likewise, you'll have some explaining to do if the computer has a virus after you got up alone in the middle of the night.
Yes, Javascript is everywhere, but how hard is it to make sure the browser doesn't spam a dialog or popup window? Something that Apple has implemented on their end has to create that popup dialog or window, and they should be able to limit it at one point. I have a Safari extension that makes popup dialogs non-modal, and that alone prevents the problem no matter what Javascript is involved, so it's pretty pathetic that this is still a problem in vanilla Safari.
Here's another one: One webpage can use infinite RAM, and AFAIK this is common to all web browsers. So easy to limit, yet they don't do it.
[doublepost=1490752965][/doublepost]
Why not? They're asking for a ransom, so it's ransomware, even though it's garbage. "Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, and display a message requesting payment to unlock it." -Wikipedia
[doublepost=1490753101][/doublepost]
That's kind of how Steve Jobs built Apple. Works as long as the choice you force upon them is a good one... And my 16GiB iPhone auto-downloading an update to fill up all my remaining space is NOT a good choice. **** Tim Cook.
Last edited:
In my family, it's the grandchildren that run into trouble and have to ask grandad to help them out.
No comment.
[doublepost=1490780450][/doublepost]
No, it's ransomware, because your device _is_ unusable. The fact that some people know how to make it usable again doesn't stop it from being ransomware.
"Scareware" asks you to pay money for threats _that don't exist_. "You have a virus, pay us money" when you don't have any virus (or at least none that the scareware knows about or could fix). "You owe money to the IRS, pay us or go to jail" when you don't owe them anything, and wouldn't go to jail anyway.
I can read all kinds of things online. Various people posting anecdotal experiences thinking it was happening doesn't necessarily mean it was happening, especially when in quite a few of those cases people realized they were presented with an option to install and they selected to do it later which scheduled it to be done later vs. selecting not to do it at all or canceling it.