Sysinternals Freeware - Mark Russinovich & Bryce Cogswell

Mark's Sysinternals Blog

Popup Blocker? What Popup Blocker?

A couple of weeks ago I came across a site in my web wandering and had a popup. This, despite the fact that I’m running either Avant Browser or Maxthon. Avant Browser and Maxthon are applications that wrap Internet Explorer (IE) with all the features considered mandatory of a modern-day web browser, including tabbed browsing, enhanced popup blocking, advertisement blocking, skinning support, and a configurable search engine. So because I’m running Windows XP SP2 I have two popup blockers at work for me: the one built into XP SP2’s version of IE and that of the browser application.

I assumed that the popup was a fluke of some kind, and because I was busy tracking down some piece of information, I dismissed it and forgot about it until a few days ago when I came across another one at a pretty popular Windows information site. Popups are not only annoyances, but they can bait unsuspecting users into visiting “drive-by-download” web sites that try and deploy malware on a system by exploiting unpatched vulnerabilities in the visitor’s browser. I decided to investigate.

Within a short period of time my research took me to a thread in a discussion group where a poster reported that you can see a dramatic example of popup blocker ineffectiveness at a particular URL. Before clicking on the link please note that the page only works on IE, there’s no malware posted on the page and you can terminate the demonstration by closing any of the browser windows:

I was stunned (and a little amused). If you look at the source to the page you see the reference to an ActiveX control class ID:


A little more research revealed this is the GUID for the Microsoft DHTML (MSDHTML) Editor ActiveX control that ships with every copy of Windows. The control is considered safe for scripting by Windows, which means that anybody can generate popups that bypass standard popup blockers by invoking its scripting interface. Here’s the invocation of its script interface that references a script on another page that actually creates the popup window and moves it around:


This control was the source of a major vulnerability related to cross-domain scripting discovered earlier this year and so has been patched. However, Microsoft chose to leave the basic script support in place and to have it ignore the Windows XP popup blocker settings.

While the DHTML Editor ActiveX control might have been the source of at least one of the popups I’ve seen get through the blockers, there’s a web page that will get popups past not only IE, but Firefox as well. You might have to refresh a few times since the popup generation is random:

This site uses a number of obfuscation techniques to hide what’s happening. First, it references a script on the advertiser’s (Tribalfusion) web page. In the reference it breaks up the word "script", most likely to foil browser add-on script blockers. The trail as to what happens when that script executes went cold for me, but when Bryce Cogswell opened the page in his Firefox browser and used Firefox’s feature that lets you view the objects loaded on a page he saw the Macromedia Flash object. Firefox by default will let popups generated by addons through, but if you disable that in the Firefox options menu it will stop Flash popups. Here’s a Firefox developer’s blog posting about the problem.
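
A filter that only looks for the literal text "script" misses a tag assembled from string fragments, so a scanner has to join adjacent literals before it checks for the tag. The following is an added example, not code from the original post or from the site it discusses; the function names and the sample page (including the `ads.example.test` host) are constructed for illustration.

```javascript
// Added example: a heuristic scanner, not a JavaScript parser.
const STRING_LITERAL = /"((?:\\.|[^"\\])*)"|'((?:\\.|[^'\\])*)'/g;
const SCRIPT_TAG = /<\/?\s*script\b/i;

// Undo simple backslash escapes such as "<\/script>" so fragments compare as text.
function unescapeLiteral(body) {
  return body.replace(/\\(.)/g, "$1");
}

// Group string literals that are separated only by "+" into concatenation chains.
function concatenationChains(source) {
  const chains = [];
  let current = null;
  let lastEnd = 0;
  for (const m of source.matchAll(STRING_LITERAL)) {
    const text = unescapeLiteral(m[1] !== undefined ? m[1] : m[2]);
    const gap = source.slice(lastEnd, m.index);
    if (current && /^\s*\+\s*$/.test(gap)) {
      current.parts.push(text);
    } else {
      current = { offset: m.index, parts: [text] };
      chains.push(current);
    }
    lastEnd = m.index + m[0].length;
  }
  return chains.filter((c) => c.parts.length > 1);
}

// Report chains whose joined text holds a script tag that no single fragment shows.
function findSplitScriptTags(source) {
  return concatenationChains(source)
    .map((c) => ({ offset: c.offset, parts: c.parts, joined: c.parts.join("") }))
    .filter((c) => SCRIPT_TAG.test(c.joined) && !c.parts.some((p) => SCRIPT_TAG.test(p)));
}

// Constructed sample page; ads.example.test is a placeholder host.
const SAMPLE_PAGE = [
  '<script type="text/javascript">',
  'document.write("<scr" + "ipt src=\'http://ads.example.test/pop.js\'><\\/scr" + "ipt>");',
  'document.write("<p>" + "plain text" + "</p>");',
  'document.write("<script src=\'/site.js\'><\\/script>");',
  "</script>",
].join("\n");

for (const hit of findSplitScriptTags(SAMPLE_PAGE)) {
  console.log(`offset ${hit.offset}: ${JSON.stringify(hit.parts)} -> ${hit.joined}`);
}
```

Only the fragmented tag is reported; the ordinary concatenation and the unobfuscated `document.write` of a script tag are left alone, which keeps the check focused on deliberate hiding.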

There are likely other ways to generate popups, but those are the two that I’ve run into myself. To be fair, both IE and Firefox let you configure them to either prompt you before executing scripts or other active content, or to block such content altogether. I suspect that the default settings let these types of popups through because blocking them would break legitimate sites.

I’m really surprised that we haven’t seen more use of these loopholes by popup-loving sites, including and, but I’m sure we will over time. But another annoyance I’ve been running into on a regular basis on these sites is the “popover”. These are DHTML scripts that create floating windows and also slip past popup blockers. While not quite as annoying as popups because they’re restricted to the browser frame they live in, they can also be rendered to look like Windows error dialogs that might take someone to a drive-by-download site when dismissed, and they can block the interesting content on a web page until you dismiss them.

While I encourage Microsoft to include popover blocking in the inevitable next IE hotfix, my hopes aren’t high. On one hand Microsoft is telling consumers that it’s on their side against annoying ads that interfere with web productivity and lure people to malware sites, but on the other hand they give the advertisers ways to get their ads through. Not only that, Microsoft itself is guilty of annoying consumers with the same techniques. Last week when I visited the Microsoft TechNet site to read about one of the patches released this past Patch Tuesday I ran into the popover shown below.

Microsoft needs to come up with a policy regarding web advertising, configure the browser to enforce the policy by default, and adhere to it themselves.

posted by Mark Russinovich @ 10:35 AM


I'd hope MS would take same stance on LONG-TERM usability of the web as it has done on security. Will be quite interesting to see what kinds of new annoying stuff will we see when Avalon becomes common.

For those few sites that really need popups and other annoyances it should be very easy to loosen up their settings, but only for the user, not programmatically. But the default would be the more strict behaviour that breaks sites. Eventually the sites will fix their abusive code when they notice it stops working on the majority of browsers.
Mark: The Avant Browser link ( and the link ( open Code 404's. Also, I have picked up some uninvited adware whilst visiting Maxthon and associated sites - have you or anyone else likewise?
I've fixed the avant browser link, but verified that the link is correct.

There's no malware on the avant browser or maxthon web sites.
For me both links were not able to pass the popup blocker in IE. That is because I run it with lower rights (since Michael Howard recommended SAFER technology). No matter user rights Firefox is fooled by the second link.
Microsoft should make running lower rights IE default configuration, not buried in the registry, where only a few people know about it.
But generally I agree that there should not be holes in the popup blocker, and Microsoft should not only recommend to web devs they should not use popups, but do not use them in their site. (I also saw this popover last week on the Technet site :( )
Mark... I too am an AvantBrowser fan... and I also cannot live without AdMuncher, a well crafted ad/popup blocker that proves that developers who pride themselves in writing tight code still exist! Check out some of the release notes for some interesting details on issues he's found with other internet software (McAfee, etc.) that don't play by the rules when hooking the socket API's...

Oh, and neither of these pages you link to get by AdMuncher :)
I visited the link you mentioned, and... Nothing.

I have the latest IE version, etc..., but I guess the reason I escaped the thing you're seeing is that I do not enable JavaScript or ActiveX by default. Only sites that I trust are allowed this luxury.

This happens to be the way IE is configured under Windows 2003 Server, but I had IE running like this even before Win2003 was a known entity.

I'll admit that my list of trusted sites is extremely long, but I find it helps me separate the good site designers from the bad ones.

FWIW, Opera (8.01) catches the freerealtime popup.

Brian R.
None of these popups work on IE XPSP2 all patches nor Firefox 1.03.

It does work on IE XP SP1 however.
Hi Mark!

just a bit off topic: why does procexp generate so many pagefaults?

this because it makes even more than maxthon(1.31) with 59 tabs open!
Since you are a leader in the software development industry and post a blog on how to make popups, don't you think a bunch of developers are now going to try to figure out how to make popups work with this new scheme? You practically spell it out for them.

At least your blog wasn't a re-hash of Chris Pirillo's "No more Popup Blockers" article.

Sheesh - all I came to the site for was an updated Filemon :)
here's another one,
I'm surprised you've never heard of Proxomitron. It's a filtering HTTP proxy that uses modified regular expressions to modify HTTP streams BEFORE they reach the browser. You can "personalize" any Web page in ways that go far beyond pop-up, ad, or cookie blocking.

Nevertheless, it does great at those things, too: while with my particular collection of enabled filters it doesn't stop the first demonstration, it could if I chose to have it do so, either unilaterally or selectively based on some portion of the URL, content type, etc. The second example site's pop-ups are stopped cold, in both IE and FireFox. I reloaded the page about two dozen times in each and never saw a pop-up. There are sets of user-created filters that are more aggressive than the ones I use.

I'll leave actually finding the program as an educational exercise.

Hi Mark. About Firefox and the link you provided to test the popup blocking, I want to tell you that despite Firefox's internal popup blocker inability to catch it, the truth is that Firefox would be much less useful if I hadn't installed the Adblock extension. Whenever I visit a new webpage, I click on the Adblock button on the bottom right corner to see a list of blockable items. Then I look for suspicious addresses and add them to the Adblock database using wildcards. In this specific case, I'll never see the popup in the link you posted because I already instructed Adblock to block the address "http://*.tribalfusion.*/" :) :) :)

Adblock requires an active user interaction to generate a considerable initial database (mine contains about 100 entries, including statistics sites), but after a few days of building it on the run I found that nowadays I almost never see a banner, ad or popup window :)
I've just switched from IE engine (actually Slim Browser) to FF and I'm not going back. I love AdBlock Plus! The user has full control. I block as close to the http header as possible and then use the "*" at the end as a catch-all. Also, NoScript is a great FF add-in. It blocks javascript globally by default and then you can choose to permanently or temporarily allow it to run on a site.

After I temp allowed jscript on the realtime site, FF caught the popup attempts and blocked them (I'm running FF 1.05).

At, I didn't get anything at all.
I have been using a host file and filling it with as many ad-servers as I can find. I believe I have cut down on a lot of malware, but it is an uphill battle, you have to know the server to stop the ads.
Yes microsoft should think long term for a change.
For now, use Firefox.
I'm brand new to this Firefox / Avant Browser thing, and only tried it on a recommendation. But I can see that both clearly allow or use adware to sponsor their sites. I have no fear of such things because I use Spystopper, the unsung hero of the Internet in my opinion, and the only app I know of that blocks such things, however, I think I'll switch back to an Explorer browser. I don't like to feel lied to or spied on, and Avant says it contains no spyware. In my opinion, all adware IS spyware. I'm far too busy to have my browsing slowed down by someone whom I did not invite into my living room. At first Firefox seemed faster, but now I am riddled with Tribalfusion and others spying on me regularly. I can watch it happen in real time on Spystopper. I'm really pissed!
I wonder why you despise popups, yet probably ignore commercials on TV or the Radio? Life is not free and how many sites do you pay to browse? donate any money to?

I am constantly amused by the ingenuity of marketers getting the message to consumers. Besides how many 'drive-by-downloads' have you fallen for? I doubt many who have are even capable of reading your post let alone understand it.

Sounds to me that you need 3 popup blockers or 2 new ones!
just want you know that the site put a lovely trojan on my computer.
jessica: no it didn't. get a better antivirus.
JR said...

I wonder why you despise popups, yet probably ignore commercials on TV or the Radio? Life is not free and how many sites do you pay to browse? donate any money to?

Wull, JR, that's because i ain't paying for the bandwidth i get those teevee ads delivered to me on.

Beyond that, why do you think TiVo and the like are so popular?

Popup blockers.
I'm no computer expert but I really loathe popovers and was dismayed when this morning I opened up a Yahoo! News article at only to have a popover, which somehow got past Firefox Adblock and Norton Popup blocker, appear over it. Worst of all the popover had no close button and wouldn't be moved. (It was hiding half the text of the article.) Reloading the page reloaded the popover too. Only when I restarted the browser was I finally rid of it.
"I wonder why you despise popups, yet probably ignore commercials on TV or the Radio? Life is not free and how many sites do you pay to browse? donate any money to?"

Life is not free, however I pay a fortune for poor quality TV, and Broadband. Either all TV/ Internet should be free or we suffer ads.

Why should we have to suffer both??
Why should we have to suffer both??

Because there is a mass of folks out there willing to pay for both. There was a time (it may be dating me) when "cable tv" was commercial free, that’s why it was desirable to get cable. Early FM radio was commercial free. However, even companies like XM radio claim "commercial free" channels, but they really are not. They plug their own services and equipment on "commercial free" channels all the time.

Until people just quit dropping money on this stuff, it's always going to be there. Popups, and companies who produce such commercials, will always be there if there is a market.

Spam will always be there for the same reasons. If there is a slight chance that some fool will read it and bite, it will always be there.
Too many people think they are the customer, when in fact they are the product, being bound and sold in the statistical aggregate to the highest bidding advertiser.

Ponder on this point the next time you find yourself in the gutter of network television.
Safari had no problems