Java/Script Alert: Cross-Platform Browser Vulnerability
Ant writes "Synopsis: Opera, Mozilla & Netscape with javascript enabled are vulnerable to remote command execution. This has been tested on Microsoft, and many many Unices. Macintosh may also be vuln. Ironically enough, IE is unaffected."
Update: 06/08 23:56 GMT by H : The problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability.
Update: 06/09 00:56 GMT by T : According to this followup message from Mozilla security group member Daniel Veditz, the problem is actually one that's already been fixed in Mozilla 1.3, and not a remote command execution vulnerability at all. (Thanks to reader Jared Klett and others.)
I'm going to stick my neck out here and say, What.In.The.Hell? Who's the editor on duty here, an Onion stand-in?
First of all, the example made is JavaScript, not Java. Second, the example shows how to bring up a page 23000 seconds after they left the page. Not good, but not new either. So what's the big deal?
A programmer is a machine for converting coffee into code.
Java is NOT THE SAME THING as JavaScript.
Come on slashdot editors, it's not hard to know the difference (this is in reference to the article title).
</rant>
- tristan
If you can't be bothered to write out entire words, don't post articles to slashdot.
It's not like you were tight on space there.
WHAT, exactly does the Java security model have to do with JavaScript--an unfortunately named, but totally different, animal?!
His announcement is unfortunate in its proclamation that the problem is with Java. In reality the problem is with JavaScript. While the names may be similar, Java and JavaScript are unrelated. This is a JavaScript problem, not a Java problem.
mp3's are only for those with bad memories
Does this mean I have to download a patch for Mozilla tomorrow to fix this? ;-)
Twenties Retirement
How is this irony?
MABASPLOOM!
That's not ironic. It's unusual, yes, but not ironic.
Can anyone who knows about this sort of stuff point to a more credible analysis?
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
There was a relevant message from Dan Veditz, of the Mozilla security group, on the full disclosure list just this morning. I'd post the text but the lameness filter doesn't like it. You can read it here.
I believe Safari is also immune to this.
Nothing from nowhere I'm no one at all
Headline says Java, writeup says JavaScript, Hemos update references both. Turning off JavaScript does not affect the Java plugins. Turning off the Java plugin does not turn off JavaScript.
So which is it?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
That's OK, I couldn't even install the Java plugin on Linux, because apparently the Java plugin was compiled with pre-3.X gcc and Mozilla 1.4 itself was compiled with gcc 3+. Is there a compatible Java plugin for recent Mozilla somewhere?
US-UK-Israel: The real Axis of Evil
Hmmm...the first exploit didn't work, and the second took me more than five minutes to wait for the .class to download, so I aborted.
Maybe I'm one of these linux admins actually patching their boxen?
konqueror doesn't show this - whatever you call it.
The coolest voice ever.
that this is a troll by the bugtraq poster to confuse people on the Java JavaScript issue?
There is no problem with the Java security model. The worst that can happen is a bad implementation of it allows applets to do something they're not allowed to.
But this isn't even about Java, it's about Javascript. Had it been about Java, you'd see a list of affected Java Virtual Machines, not browsers.
meme-boi wrote:
> Synopsis:
> --------
>
> Opera, Mozilla & Netscape with javascript enabled are vulnerable
> to remote command execution. This has been tested on Microsoft,
> and many many Unices. Macintosh may also be vuln.
The exploit example you give is not remote command execution but rather a
violation of the same origin policy. Unless there are additional details you
are withholding this same flaw was reported on Bugtraq April 15
http://www.securityfocus.com/archive/1/318777
and fixed in Mozilla 1.3
http://bugzilla.mozilla.org/show_bug.cgi?id=201
> There are many, many more issues than I have discussed. The minimal
> release is for giving the blackhats time to play.
If instead you'd like to give the whitehats time to fix them details would
be gratefully received by "security" at "mozilla.org"
-Dan Veditz
Mozilla security group member
Whoever wrote this article has a third-grade knowledge of English and way too many rap CDs. "Werd"!!!
-
"This must have been posted by Microsoft as FUD to get people to stay away from superior products! It's all a trick! Don't listen!"
-
"What's up Taco? I thought April Fools had passed!"
- "Javascript serves no purpose ever, and why anyone would ever use it is beyond me!"
- "This is why we should all be using IE. I've never had a problem with IE security! Linux [l]users sux0rs!"
Did I miss any?
It also means that this won't be a security problem for anyone with Privoxy installed.
But anyway, doesn't this mean that all those pr0n sites with popups can hack your computer? Oh, doh, we already knew that ;)
What is the point of the internet?
If you ask questions, one day you may disa...
if you turn off JavaScript, you turn off the vulnerability.
Man, talk about a one-liner to give the anti-Java folks.
I just tested with both Safari v74 (1.0b2) and v48 (1.0b), the example hack provided in the link did not work.
I was going to complain that I used that exact same text and the lameness filter rejected it for 'too much whitespace'. But I just realized my terminal was copying the trailing white space on each line when I copy from Pine. Doh.
Let no hat, black white or grey, wander in on or about the www without fear.
...Red's up in the air, then?
So are your chances of getting laid before thirty. Time for a prostitute or a switch to the other side.
The AC modded as a troll has a point though. I was at a site today, won't pimp the URL (suffice to say it's a Golf related website). Anyway, I ALWAYS surf with Java off, but a friend said to check the site out, so off I go to discover no menus... I assume it's Java so I switch Java on. I wait for about 20 seconds (this is on DSL) and see the craplet loading and it loads... A menu which, in a couple of places, could have been done in JavaScript, and the rest with plain images and HTML. Quite possibly the worst abuse of Java I've seen.
It seems a lot of web designers need to consider the credo "Just because I can, doesn't mean I should."
Just FYI: you can get a gcc 3.X compiled java from www.blackdown.org
" The user base for these two browsers combined is infinitesimal compared to IE. It thus stands to reason that all of the bugs and vulnerabilities of these browsers lay dormant, "
It would seem to me that the opposite is true. Mozilla goes out of their way to make it easy to report bugs and problems, while with MSIE all there is is a feedback thing buried in the Help menu that is likely a black hole resulting in nothing but spam.
Microsoft has a habit of leaving bugs and problems in place for years, while the Mozilla guys appear to be much more responsive. After all, they killed popups for their browser.
In other words, it seems to me that Mozilla has a much better and much more developed "improve the product and get rid of bugs" system going than Microsoft does for MSIE.
(I'm still waiting for MS to turn on the "bottom of the browser line that shows links, progress, etc" that they removed.)
"You are probably more vulnerable, when you take into account the lack of users and lack of accountability of the OSS project developers"
The Mozilla guys are much more accountable: look at the forums they have for dealing with problems. Also, they have to be accountable or people will choose "No Mo' !". In contrast, Microsoft does not have to be accountable with MSIE: whether or not anyone likes it, they give it away as the default browser on just about all PC's.
Don't blame Durga. I voted for Centauri.
At first blush this seems plain wrong.
There's not really enough evidence in the post to go on, but the example exploit is pure nuisance JavaScript, which has nothing to do with Java.
Reference is made in the text to ancient *java* bugs, but no detail is given as to how they might be related to the current, claimed bug.
If there's more here than meets the eye I'd like to see it, but there doesn't seem to be any meat in this announcement, it seems to be just a historical retrospective and an annoying-but-not-dangerous-or-new snippet of javascript.
Am I missing something here?
Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird.
I have an infected toenail. It is real sick with lots of stinking puss and black fur.
Should I...
A: Take AB Meds
B: Cut it off
B?
> which allows a remote site to read any file on the
> client machine
I doubt that.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
The exploit involves both Java and Javascript. It seems to involve having the user execute a Javascript program, which downloads a non-sandbox Java class file.
as reported on the full disclosure list, this doesn't let blackhats execute remote commands (or local, depending on your view point). this is "merely" (bad enough I suppose) a violation of the same-origin policy in javascript.
the same-origin policy dictates that any code running cannot modify anything which is loaded from another domain. it may not even read from variables.
more here:
http://lists.netsys.com/pipermail/full-disclosure/2003-June/010200.html
Am I the only one that just read the bug and had trouble taking this guy seriously?
Basically, JavaScript is used to trick the browser into loading an unsandboxed Java applet.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability
In other news...if you knock your house down it won't get robbed.
Nice try but your "logic" (lol) fails the obvious test.
IIS has smaller marketshare than Apache Web Server, yet MANY more IIS vulnerabilities have been discovered and MS took a LOT longer to fix/patch IIS than Apache.
It's pretty clear that IE's problems are slowly but surely being squashed. When you have a user base as large as IE's, it is inevitable that these problems will be found quickly and exploited and then fixed. We can take this as an indication that the larger the user base of a software product, the faster bugs will be found and eliminated.
..Not to mention it flies entirely in the face of the fact that IE has the most piss-poor standards support of any modern browser. (CSS in particular).
It's pretty clear, judging by this and some of your former posts, that you work for Microsoft or at least enjoy spreading their nonsense FUD. Your assumptive argument--that a smaller user base means that OSS has more undiscovered bugs--is entirely illogical.
Now take Mozilla and Opera as opposing examples. The user base for these two browsers combined is infinitesimal compared to IE. It thus stands to reason that all of the bugs and vulnerabilities of these browsers lay dormant, waiting for someone to come along and exploit them. But without a serious user base hammering away at the product all of these problems lie wide open for any hacker to come along and abuse.
There you go again. You seem to miss the point entirely that having code open for review allows "hackers" to find security holes much faster and easier. So if a problem exists, it gets fixed much sooner than a closed source program which requires a lot more prodding and guesswork to discover the vulnerabilities. And yet IE still has historically had far more security issues than Mozilla.
Just because you don't use Microsoft products doesn't mean that you aren't vulnerable. You are probably more vulnerable, when you take into account the lack of users and lack of accountability of the OSS project developers.
Yet another patently untrue statement. Microsoft products have a far worse history of vulnerabilities than Open Source alternatives. Again your comment about "lack of users" is irrelevant. And your statement that OSS developers lack accountability is entirely baseless.
The M$ dominated world is quickly coming to an end and there's absolutely nothing you can do about it. For your own sake, wake up before you become entirely obsolete.
Between the awful writing in the article, the broken examples, the Java/Javascript confusion, and the contrarian IE-is-safe-but-mozilla-isn't thing; this may very well be the worst slashdot story ever.
Username taken, please choose another one.
1) Isn't one vulnerability one too many?
2) Internet Explorer, for when you absolutely must not be affected by the 1 vulnerability found in Opera and Mozilla.
3) If you divide the number of bugs found in IE (30) by its userbase (98%) you'll find our product is only 30% defective whereas if you divide their number of bugs (1) against their userbase (2%) you'll find a product that is 50% defective. We all know that the number of bugs varies with the number of users, not the code quality. Right...... right?
Click here or a puppy gets stomped!
the problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability.
"Holy security through obfuscation batman!". JavaScript has NOTHING to do with the Java(tm) programming language, let alone the 'security model'. I'd have expected better from slashdot editors...
All your base are belong to us!
"They" didn't remove anything"
The View Menu did the trick. However, "They" did remove it: it was always on in previous versions, and it was only after recent updates on my machine that I found it was gone. I have found it missing on all other MSIE installations, and others I have talked to have mentioned this unwanted change as well.
The M$ dominated world is quickly coming to an end and there's absolutely nothing you can do about it. For your own sake, wake up before you become entirely obsolete.
Duh-duh-duh...
Looks like someone forgot to get his daily allotment of bran this morning...
I can just hear the voice of Orson Welles as I read this warning me of the impending doom...or maybe one of those bible-belt you're-all-going-to-hell-faith-healers...
hehehe...
"Helping to keep you two steps ahead of the Thought Police!"
Gee, if I turn off my computer completely, I am 100% immune to all the viruses that ever existed, plus all future viruses.
"Java/Script"! Catch/it! It's/hot!
This message seems very strange.
Take, for example, the commentary:
There are many, many more issues than I have discussed. The minimal release is for giving the blackhats time to play.
Furthermore, the language used is like nothing I have ever seen before.
The poster states that this is a Java problem, but then states that any browser with Javascript is vulnerable to remote command execution. He/she then goes on to give an exploit which has nothing to do with either Java or remote command execution.
The first exploit doesn't seem like much of an exploit either. Instead, it seems that the script opens a popup, and then at some later time, changes its content. What is wrong with that?
As for the other exploits, they don't seem to have anything to do with the first exploit. They seem to be old Java exploits.
At the end, the poster recommends everyone turn off Java. But at the beginning, the poster said that everything with Javascript enabled is vulnerable, and the first exploit has nothing to do with Java.
Overall, I think it is easy to see that this poster was a troll. The general statements that are made, the lack of any specific information, and the mixing of unrelated exploits seem to make this quite obvious.
That's the spirit. Don't let words like "cross platform" and "Microsoft" (although they probably meant "windows") get in the way of a good troll.
Konqueror...
Mozilla fonts suck and I don't like that AOL has a finger or two in the pie.
Opera for M$ is nice but sucks on Linux..
No probs here.....
Talking about how Mozilla and Opera show the advantages of open source software kind of blows up in your face since Opera is closed source.
Oh I wish I hadn't just used my last mod point...
Quality, openness and accountability aside, I would suggest that bugs or vulnerabilities in Internet Explorer would be exploited quicker and more often because of the large user base and more importantly because of self-inflating (and militant) attitudes like the above poster. Simply put, it's more bang for your buck attacking IE, and less morally troubling if IE users are in line for a Darwinian end. (The Dodo deserved to become extinct because it was stupid after all.)
Then there's the demographic differences between users of Internet Explorer and various open source browsers; these affect how often vulnerabilities are discovered and how quickly they are fixed. I would doubt very much that the average user of IE would look at the source code of his browser if he had access to it, just a little bit less likely than the average user of Mozilla doing the same.
Slashdot, you're like a second home to me, but please don't post stories like this any more. It's embarrassing. Try to look at the article, read it and evaluate it for validity before posting it.
;)
For the record, the Java vulnerabilities the decidedly juvenile post is talking about is the bohttpd java vulnerability that existed in netscape 4.7 browsers up to 4.76 I think it was, where the exploit enabled the jvm to turn into a http server for the whole filesystem. This was around 1999 to 2000 I think.
However, this post has nothing whatsoever to do with Java. It reads far more as if some teenager has just discovered that one can do some funky stuff with JavaScript, such as function callbacks, cross-frame clowning around and a bit of childish mischief such as opening a miniwindow with a script to track the user's movements, as a lot of porn sites do.
Congratulations, kid, next thing you know, they'll be calling you Mitnik
One of the linked pages provides a list of several vulnerabilities, one of which was announced recently.
If slashdot is going to post stories for subscribers well in advance, can it put some of its filthy lucre toward hustling some subscriptions from computer professionals of long experience, people literate in the English language, and other hard-to-find folks to fact-check BEFORE yet another elementary blunder makes the front page?
Nothing worth doing is worth doing today.
Re-read the top of the Slashdot discussion page, or see here.
If you know anything about JavaScript you can see that the sample given isn't a security exploit. All it does is load up that security site's page in a popup window while counting down a timeout before redirecting to the page output from the JavaScript. (That "werd" page). Read the article! It's bogus.
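The same-origin policy that the full-disclosure comment above summarises, and the popup-then-redirect script that this and several other comments describe, as an added example that is not from the thread, the Bugtraq post or Mozilla. It is a toy model written for this page: every name (sameOrigin, BrowsingContext, accessWindow, nuisancePopup), the hosts attacker.example and victim.example, and the payload.html page are invented; the 23000-second delay is the figure one comment quotes; the timer is injected so the sequence runs under Node without a browser. The only real API used is the WHATWG URL class.

```javascript
// Added example (not from the Slashdot thread, the Bugtraq post or Mozilla):
// a toy model of the browser same-origin policy. All names here are invented
// for illustration; only URL (WHATWG) is a real API.
//
// It shows the two things the thread argues about:
//   1. what "same origin" means and what a script may do to a cross-origin window;
//   2. why "open a popup, wait, then redirect it" is allowed navigation, not a hole.

// Origin = (scheme, host, port). URL.origin drops default ports, so
// http://a.example:80/ and http://a.example/ agree. Opaque origins ('null',
// e.g. file: URLs) never match anything, not even themselves.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA).origin;
  const b = new URL(urlB).origin;
  if (a === 'null' || b === 'null') return false;
  return a === b;
}

// A window as the policy sees it: the URL currently loaded and its document.
class BrowsingContext {
  constructor(url) {
    this.navigate(url);
  }
  navigate(url) {
    this.url = url;
    // Constructed document contents; stands in for whatever the site serves.
    this.document = { title: `page at ${url}`, cookie: 'session=secret' };
  }
}

// The handle that script running at callerUrl gets for another window.
// Cross-origin, a script may navigate the window (assign location), close it
// or postMessage() to it; it may not read the window's location or document.
function accessWindow(callerUrl, target) {
  const crossOrigin = () => !sameOrigin(callerUrl, target.url);
  return {
    isCrossOrigin: crossOrigin,
    navigate(url) { target.navigate(url); },        // allowed either way
    readDocument() {                                // refused cross-origin
      if (crossOrigin()) {
        throw new Error(`SecurityError: ${new URL(callerUrl).origin} may not read ${new URL(target.url).origin}`);
      }
      return target.document;
    },
  };
}

// The posted "exploit" as the thread describes it: open a popup on a
// third-party site, wait, then point the popup at the attacker's own page.
// Timers are injected so this runs without a browser.
function nuisancePopup(attackerUrl, victimUrl, delayMs, timers) {
  const popup = new BrowsingContext(victimUrl);     // window.open(victimUrl)
  const handle = accessWindow(attackerUrl, popup);
  // payload.html is a hypothetical attacker page.
  timers.setTimeout(() => handle.navigate(`${attackerUrl}/payload.html`), delayMs);
  return popup;
}

// Constructed scenario: firing the timer immediately shows the redirect works
// cross-origin, while reading a victim document from the same origin pair does not.
function demo() {
  const attacker = 'http://attacker.example';
  const victim = 'http://victim.example/account';
  const fireNow = { setTimeout(fn) { fn(); } };     // fake timer for the demo

  const popup = nuisancePopup(attacker, victim, 23000 * 1000, fireNow);
  const redirected = popup.url;                     // attacker's page, as the post did

  let readBlocked = false;
  const other = new BrowsingContext(victim);
  try {
    accessWindow(attacker, other).readDocument();   // the real SOP violation would be here
  } catch (e) {
    readBlocked = /SecurityError/.test(e.message);
  }
  return { redirected, readBlocked };
}

console.log(JSON.stringify(demo()));
```

The point the model makes is the one Dan Veditz's message makes: navigating a window you opened is something every popup on the web does, and the only thing that would count as a bug is a browser letting readDocument() succeed across origins, which is exactly the class of bug fixed in Mozilla 1.3.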
Reminds me of a the familiar anecdote: How do you keep your network completely secure? Unplug it.
This is my digital signature. 10011011001
I know Java,
and I know JavaScript,
but what the heck is Java/Script?
Can't people check before posting an article?
Last time I checked, Java and JavaScript were completely different.
You know that, and I know that, but the sorts of people on which one-liners tend to work will either conveniently forget or actually not know that.
1) *nix folks that aren't running the browser as root are safe from this issue, right? Assuming so, once again, *nix (and recent Wins) have demonstrated the necessary damage control of user-level code control.
2) If full-disclosure becomes frowned upon in the industry, wouldn't this be VERY BAD for non-proprietary systems? Specifically - If MSFT and Security-focus (et al.) don't disclose bugs like these, wouldn't it be an extremely powerful tool for both political and technical sabotage? I mean, what could be better for MSFT's new "trustworthy initiative" than selective disclosure? They would obviously want to distance themselves as much as possible from a security issue, and would undoubtedly (based on their PROVEN record of monopolistic activities) point the finger AWAY from their software - considering that they're a majority factor in the potentially forthcoming security disclosure realm?
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
The problem is somewhere with the Java/Javascript interface. But I wouldn't worry. It'll be fixed soon.
What is interesting is that Javascript/Java works a little different on IE (which is expected), Safari (sorta expected), and Konqueror (not expected).
I'm not knowledgeable on versions of Javascript these browsers have. Anybody want to fill in the details?
Well, there's spam egg sausage and spam, that's not got much spam in it.
I better go get a patch for my Unices system.
- Sherman
Hmmm... I just clean installed Mozilla 1.3.1 on WinXP Pro, and the bug still works.
Did I miss any?
Yes, you did. In fact, on any Microsoft bug, there are over 700 posts, with approximately 300 modded up with "Informative" saying "XXX browser/os is not vulnerable to this".
So basically I'm waiting for all those posters who post this, as well as all the user moderators, to step down from their high-and-mighty position and accept there are positives and negatives to everything, and stop pushing their beliefs on others like some door-to-door Jehovah's witness.
Linux is about a choice, let people choose.
But maybe I'm in the wrong community for that...
When modding "Informative", please make sure it both has a source and IS actually informative.
Thanks! Another link I can direct idiots.. er.. friends to when they're saying Java and they really mean JavaScript :-)
I guess it was some scriptkiddie looking for five years for a bug in the JavaScript implementation, so he can tell his l33t friends how evil JavaScript is and everybody should disable it RIGHT NOW* and how l33t HTML 1.0 is and why everybody should use animated gifs instead of the hr tag. This must be the most exciting day for him... finally he can post something to Bugtraq and get r33l l33t and even make it to the Slashdot frontpage. His exquisite choice of various l33t wordZ speaks for his skillz. * (Note that he actually suggests switching off Java)
lack of accountability of the OSS project developers.
1) Many OSS developers are employed by companies (AOL/Time, RedHat, IBM, etc.) that they must be accountable to, and 2) Unlike proprietary products, when an OSS app does something wrong, people point and go "This is the schmuck that did it." There is a lot of accountability when everyone can see what you code.
And a larger codebase doesn't help much when the vast majority of that codebase does the same exact thing online. You tell me how many old ladies checking their MSN mail and ordering E-greeting cards it would take to find this vulnerability.
I'm not saying everyone using IE is dumb, or that everyone using Linux is smart. What I am saying is that thousands of users just like me wouldn't have made this problem any more visible. I would never have stumbled upon this. Moreover, I can guarantee you that many more Linux/Mozilla users are tech-savvy and fill out their bug reports compared to Windows users. Besides, it "stands to reason" that Mozilla could fix bugs faster. IE users trust a small few people to their security; if they don't fix it no one will. In the OSS world, it only takes a couple frustrated coders tired of a vulnerability to have it fixed.
We're a community, Windows users are consumers.
Ironically enough, IE is unaffected.
Wouldn't "IE is unaffected" have sufficed?
I can't see any irony here.
Bot Assisted Blogging
I went to the address the kiddie provided for his "live mild example" and it managed to . . . throw an error in the JavaScript console. Wow. Real impressive 'sploit there, kid. What's next? Cross-Platform Annoying Alert Window?
He's caught a lot of fish and is about to apply some perfume?
Hmmm.
Talking about how Mozilla and Opera show the advantages of open source software kind of blows up in your face since Opera is closed source.
Yeah, but Opera does show that even a closed-source business model does not have to be unresponsive to user feedback (not mentioning any Microsofts - ah feck) or take years to make changes. Okay, they may take a bit of hammering to understand what users want prioritised but Opera Software do implement standards support and user suggestions on a par with OSS.
Think huge monolithic corporation vs. small zippy company.
"What can I say? I'm the queen of java."
subduction.net
Dr. Spock does the baby book dude
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
The problem is having a Turing-complete language that is sent to and runs on the client. We need acceptance of protocols that work well without needing TC downloadable scripting or applets.
Being TC opens up hacking risks considerably over non-TC protocols.
I have not seen much research on non-TC protocols. I have a pet GUI form protocol called SCGUI that is meant to work effectively non-TC, but there is not much for HTML-based action right now.
Table-ized A.I.
"New bugs were discovered in Netscape's implementation of Java has been found which allows a remote site to read any file on the client machine and to set up a Java server which anyone can connect to. Brown Orifice HTTPD starts a Java server which allows others to read files on your machine."
Ya bunch o' n00bs.
Repeat after me.
"I will read articles fully before replying and allowing Dolemite to make you look like rank amateurs."
Hahahahahaha
Kisses
Dolemite
________________________
Save the World! Use a Quote!
Hail! I am the great and most large in the PR Gates! For too long me and my worshippers have suffered from reports of "bugs" from you non-believers. While it is true that the majority of my worshippers ignore your attacks, I have not. So hear me, this is a sign of things to come. If you...you.../.ers continue to attack my numerous features by labeling them bugs, I will so attack each of YOU directly. For example, I hear this Taco fellow comes up short in where it matters. You see! Do you now see the power that you contend with. You have been warned.
[Just Shut Up and Do What I say]
You can kill all sorts of nasty JavaScript, popups etc and lots of other crapware by running a small program called Proxomitron if you use Windows. It serves as a proxy for your browser and modifies pages before they ever get read by your browser.
.net (minus space) has a great set of filters that will stop anything!
I won't link directly for fear of the Slashdot Effect but you can go to proxo mitron.org (minus the space) if you are interested. jd5000
Highly recommended.
Quizo
Visceral Psyche Films
But who says those coders know what they're doing or if they do it in the most efficient manner because they might not see the bigger picture?
Keep in mind, too, that the OSS world is not limited to linux. I'm part of a very large Windows development community that not only uses IE (we also use Mozilla at times), but contains IE as a UI component, the same that Mozilla can *finally* do.
So, not all Windows users are consumers. This is a blatantly stupid comment from a one-track-minded person. Some Linux users are consumers too, albeit not as many because most consumers can't use it!
There are standards and then there are "de-facto" standards. An Internet standard is an open, well-documented set of criteria that coders can code against to create a standards compliant app. The reason for this is to ensure that any application that is compliant with the standard will give the same result as any other application coded to the same standard.
A "de-facto" standard is an implementation (way of doing something) that has come to be an expected feature of an application in a particular market only because it is popular. The problem with this is that not everyone may implement it in the exact same way, causing unpredictable results, and in the end making the application user's experience "worse."
Anyhow, I stopped using Internet Exploder a year or so ago because Mozilla way outclassed it as far as feature sets go (popup blocker, tabbed browser interface, cookie management, and more) that weren't standards at the time, but other browsers have caught on that this is something we want more than features such as "mouse gestures" (which seems to be a dead idea at the moment).
Hopefully that clears things up for you as far as standards go. As far as your other comments (Linux is irrelevant, XServer sucks, etc.): first, you aren't talking about Linux as it includes only the kernel. Second, I can tell you really haven't used XServer as mine runs for months at a time and actually has only stopped running if 1) I lost power. 2) I manually shut it down. 3)
...wait there is no 3. :)
I can't afford a sig!
Now some Netscape or Mozilla user needs to tell me an exploit horror story that could have been avoided if they had used IE! We need the comic relief, don't we? Or is this, perhaps, a wakeup call?
"if you turn off JavaScript, you turn off the vulnerability."
Hell, I guarantee 100% security if you unplug all cables from the computer, including the power, after wiping the HDs clean seven times in a room with overlapping patterns.
There is a slight usability issue with this method.