IE Vulnerable to Cross-Browser Spyware Attack
An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browsers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate projection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.
IF you're running Java and you click 'Yes' to the security warning...
VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.
Oh, well, it's no problem then. It's not like anybody uses THAT...
It will be interesting to see if there is the usual 24 hour turnaround on a fix for this from the Mozilla Foundation. Lord knows Microsoft probably won't lift a finger to fix it.
FoundNews.com - get paid to blog.,
"IE vulnerable to new attack" - shouldn't we find some sort of shorthand for this, since it happens so often?
I have to imagine Slashdot's bandwidth saving would be enormous.
"So on one hand, honey is an amazingly sophisticated and efficient food source. On the other hand it's bee backwash."
Internet Explorer... vulnerable?
Yeah, I'll get right on that Timothy. Removing IE is so easy on Windows.... Not like it's built into the OS or anything.
This guy is way out there
The spyware installs itself using Java. It's not browser-specific; you can infect IE using Mozilla, Opera, IE, etc.
There _is_ a dialog box, since the applet is unsigned. I tried signing it with my certificate; it installed itself without prompting. I believe it uses some sort of JRE exploit.
switching away from IE does not give adequate projection
What do I need to be able to project my fears of infection adequately?
The article title/summary focuses more on how IE is to blame rather than the real root of the problem, which appears to be Java. I realize this is Slashdot and it's Microsoft, but come on.
If you leave the house you will get sick. There are holes in everything. The added value of open source is the ability to patch the system quickly. If Linux had 70% of the desktop market share you would see more viruses for it. But the hole they exploit would be fixed quicker. The question really becomes getting ppl to update their machines. That really is more of the problem. I'm sure there are plenty of unpatched systems out there spreading nimda.
"All I can tell the "lesser of two evils" folks is that if they keep voting for evil, they'll keep getting evil."-Lp.org
...it's that spyware authors have a GREAT sense of humor!
If someone says he and his monkey have nothing to hide, they almost certainly do.
Someone is getting kickbacks from Microsoft!
Wait, "Only using Sun's Java Desktop?" WTF!? Who would have this problem? Like 3 people right?
I just like this quote: does not give adequate projection ummmm.. what?
If I wrote something witty, you would say I stole it from somewhere.
It's important to identify that if this is not a browser thing, but a Sun JRE thing, any Java-enabled program that can come in contact with the installer applet could potentially infect your system.
Green's Law of Debate: Anything is possible if you don't know what you're talking about.
Isn't this a Java problem more than it is a browser problem, as it seems the installer escapes Java's sandbox and alters external files?
However, I remain convinced that one or two unpatched holes in FF is still safer than surfing in IE.
Fortunately the responsibility for a patch rests with Sun Microsystems as much as Mozilla Foundation so there'll be one pretty soon.
A firewall ought to give additional protection in the meantime - normally I add a rule to my PCs to prevent IE from accessing the web under any circumstances and would encourage others to do likewise from now on, I guess.
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
IE can already be infected by plugins and downloads from other browsers. My sister (whom I have confined to Firefox) likes to play those goddamn Neopets games, which require Shockwave. After installing it, the Yahoo! toolbar had managed to place itself into IE somehow, even when IE hadn't been used for months.
Guy asked me for a quarter for a cup of coffee. So I bit him.
from the if-you-must-run-windows-remove-ie dept.
Really? The Microsoft website often blocks browsers other than IE from downloading updates and whatnot.
You CAN'T just remove IE. You need it. Just try to update Office on Firefox, for example:
http://office.microsoft.com/en-us/officeupdate/default.aspx
1. You can't win
2. You can't break even
3. You can't get out of the game
4. No matter how hard you shake it, the last drop always rolls down your pant leg.
I'm not wrong. You haven't thought about it hard enough.
Somebody obviously only read the headline rather than the article then...
And people still ask me why I only use OS X and Linux. Silly end-users.
Mark A. McBride -- OmniNerd.com
and Firefox user, I would like to add my two cents:
"Lies! All Lies! Firefox cannot be hacked! Lies!".
Thank you for your support.
Sig it.
That's the point isn't it, though. Crappy software is installed.. spyware comes as an infection. When will we acknowledge that these spyware writers are writing viruses which infect and damage people's systems through backdoor hacking techniques?
Why are the authors not prosecuted?
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
So using a browser that this exploit is not aimed at will infect part of the operating system you're trying to get away from, because everything is so integrated with no end user control.
How is this bad for Firefox? If anything it's a big black eye for MS and integrating IE into the OS.
By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer.... VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.
So, the attack happens through Sun's JVM, affects IE, and consequently has nothing to do with Firefox, which was inserted into the article for maximum troll capability.
Spybot reported that the website I am viewing (slashdot.org) is trying to download "DoubleClick" which is known spyware, and would I like to block this download. Yes, I would. Thanks, Spybot.
For those of you who bailed on Psych 101, Freudian Projection is, according to the Diagnostic and Statistical Manual of Mental Disorders, a defense mechanism in which "the individual deals with emotional conflict or internal or external stressors by falsely attributing to another his or her own unacceptable feelings, impulses or thoughts."
If an exploit asks you to run it, does it still count as a security exploit? It's not taking advantage of anything other than the user's own stupidity/ignorance if they get infected by it. Similar to those email viruses where you have to open the attached zip, enter the password and then run the exe to get infected.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
Well, at least Firefox isn't getting rubbed out. Nor Opera or Netscape. IE is still the problem here. If it weren't for Mr. Gates and his Swiss-cheese programs, I'm sure that IE would be fine when you're not even using the damned thing.
As the summary and the articles say, this isn't a browser issue, it is a Java issue, the applet exploits a hole in the JRE and attacks IE, any browser with Java support will be vulnerable. More interesting though... has anybody tried this on Linux? I would, but I'm not currently at home.
Game! - Where the stick is mightier than the sword!
To me this sounds like a Java exploit and not something you can pin on either IE, Firefox or any other browser. It would be pretty lame to demand that Firefox should protect IE from a Java exploit, yes?
HTTP/1.1 400
I know there's been a fair share of MS-bashing already but I just can't resist... It's pretty funny that IE is so insecure that its security holes exist in other programs :)
According to the article, there's a permission box that pops up, and you have to click "Yes" before it can continue and install potentially harmful stuff on your computer. Of course harmful things can get on your computer if you give them permission.
What a misleading article synopsis. This is akin to saying Firefox is vulnerable because it's possible to right-click a "Download File" link and save a harmful .exe file to your desktop, and then double-click it to run it.
There are 2 kinds of people in this world. Those that can keep their train of thought,
No way, RTFA.
Firefox warns the hell out of you about allowing a signed, but unverifiable applet from installing itself. Look at the screenshot, there's three separate big warning images.
If the web browser lets you download and install software, even if it warns you that doing so might be dangerous, the author contends this is a bug. That's silly. That's the *point* of a web browser. To download content from the internet.
When I tried to open the page he shows as the source of infection, my TrendMicro Antivirus Software automatically detected it and trashed it.
What scares me most, is that FF didn't ask to download the file, it just downloaded the JAR into the cache folder.
mazevedo
So what does it really do? Pop up more pr0n banners? I love this automated feature, actually.
Just a quick thought. It sounds more like Sun's JRE is at fault, but perhaps it's of some importance to note that neither JRE nor Firefox exploit your computer directly. No, that burden falls upon IE and that wonderful ActiveX thingy to really trash your system...
Translation: There's nothing wrong with Firefox. There is a severe bug in Sun's JRE, which is about the 3rd java vulnerability in a row that's alarmed me. I'm starting to think that running Java is just like running any other untrusted remotely loaded executable.
While you are correct that more would be found if unix type systems took the market away from Windows, the effects would not be the same.
Due to the way that unix works, most of the 'holes' that are found would only affect userspace, so their effects would not be as broad.
---- Booth was a patriot ----
It's true, I read it on the interweb.
Open Source Browsers Damage Businesses
Alternatively, there's the more generic ESF - (E)xploitable (S)ecurity (F)arce. This is the exact inverse of ESP, in that it is something that should have been predicted but wasn't, rather than the other way round.
For bugs from the (usual) Corporate culprits - Microsoft, Sun and IBM, I suggest that these be called ISMs.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If you are stupid enough to click yes anyway, IE gets owned. I really fail to see how this is Firefox's problem.
IE Vulnerable to Cross-Application Spyware Attack
Some website reports that KEYGEN.EXE can be used to infect IE on Windows. By running a malicious KEYGEN with Windows, a user can infect their install of Internet Explorer. Other alternative cracks may expose the same vulnerability. The article quotes the CTO of Obvious, Inc. as saying that '[j]ust switching away from IE does not give adequate projection. Now that BitTorrent and other alternative file-sharing tools have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any feeble mind.'" Killmenow's report points out that this vulnerability can (only) affect Windows users who are morons.
Obviously you aren't living in Holland or Germany.
I know IE gets a (deservedly) bad rap, but it's really not that hard to use safely. I've been using IE exclusively for a long time and the only time I've ever been infected with anything is either when I clicked Yes/Ok on some ActiveX dialog box or manually run an unknown executable (dumb). However, Joe User isn't as protective as I am and he is fucked. All I'm saying is that it is possible to run IE relatively safely if you take a lot of precautions. These same Joe Users will probably click Yes/Ok to everything under the sun and get infected in Mozilla/Firefox/whatever when real nasty spyware starts showing up.
Ha ha, very funny to post the same thing again as AC. See? I can do it too
"Monday".
RTFA
capable of working on a range of browsers with native Java support. "The spyware installer is a Java applet powered by the Sun Java Runtime Environment, which allows them to whack most browsers out there, including Firefox, Mozilla, Netscape and others. In the original test, only Opera and Netcaptor didn't fall for the install but Daniel Veditz, who is the head of Mozilla security, has since confirmed to me that this will also work in Opera and Netcaptor," he explained.
Sounds to me like Internet Explorer is only tangentially related.
You want to make sure you surf clean...
1) Go to the Command Prompt and type: Format C:
If that fails unplug the infected machine and throw out nearest window.
2) Smash your head with hammer or on desk until dead.
3) Wake up in a wonderful land without spyware or spam.
Vital security guy says that this is "CAUSED BY JAVA". Well, as a matter of FACT, not opinion, he is wrong.
Runtime.exec() does exactly what it says on the tin. Full stop.
You always basically get the choice - not have a feature or try to protect it. Not having a feature is hardly an option. Asking the user what they want to do is the best option available.
So, if you have no protection (e.g. spybot, or your ISP could have scanning proxy/ICAP) AND you are stupid enough to click something you are bound to become a victim.
The same goes for your sensationalism about Symbian viruses. You are happy to publish unsound rumours but never dig deep enough to see that all that fuss is for nothing. The only exploited thing is users' stupidity, and not any flaws in the code.
Does this work on other platforms, such as Linux and Mac OS X? I mean the code running procedure, not infecting IE. I know I have seen, while using Safari, a java dialog asking me whether to run a untrusted program or not...
Sig Nature
Well, I would, see, but I kind of need Microsoft to release IE for Linux first...
YAIEE!
Yet Another IE Exploit!
It's not enough to remove I.E. and whatever else program you are using from Microsoft.
Whatever MS-stuff is left will be enough to get you infected.
The ONLY solution is to change operating system.
I suggest Linux.
Had to be said.
I don't know the meaning of the word 'don't' - J
Shouldn't it read, "Alternative Browsers Vulnerable To Cross-Browser Spyware Attack?"
Firefox's Plugin implementation has a bug which allows any third party plugin (such as Sun's JVM) to have control over the local filesystem.
This is infecting the machine using a signed applet. Hello? I can do anything I want to your PC if you allow a signed applet to run. This is not news. I can install a trojan, key logger, back door, whatever. Infecting IE is the least of someone's problems if they allow signed applets from untrusted sources to run.
There are two types of Java applets: signed and unsigned. Unsigned applets run in a sandbox inside your Web browser. A Java exploit would be an unsigned applet that could "get out" and do something malicious. This doesn't seem to be an unsigned applet.
Signed applets don't run inside a sandbox. A signed applet can do anything that any other executable program can do; including formatting your disk or installing spyware. They are not any safer than programs written in C or assembly language.
--Steve
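As an added illustration of the signed/unsigned distinction described in the comment above (not code from the thread or from Sun), this Python sketch inspects a JAR for signature metadata and checks each entry against the digest recorded in the manifest. The sample archive, the entry name `Installer.class` and the `SAMPLE.SF`/`SAMPLE.RSA` placeholders are constructed for the example, and the check is structural only: it does not validate the signature block or the signer's certificate chain, which is exactly the part the warning dialog is about.

```python
import base64
import hashlib
import io
import zipfile

# Manifest headers that carry a per-entry digest, mapped to hashlib names.
DIGEST_HEADERS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}
BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")  # PKCS#7 signature block files


def parse_manifest(text):
    """Return {entry name: {header: value}} for the per-entry sections."""
    # Normalise line endings and unfold continuation lines (leading space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        headers = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in headers:
            entries[headers.pop("Name")] = headers
    return entries


def inspect_jar(data):
    """Report whether a JAR carries signature files and which entries they cover."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        meta = [n for n in names if n.upper().startswith("META-INF/")]
        sig_files = [n for n in meta if n.upper().endswith(".SF")]
        sig_blocks = [n for n in meta if n.upper().endswith(BLOCK_SUFFIXES)]
        metadata = set(sig_files + sig_blocks + ["META-INF/MANIFEST.MF"])
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        report = {
            "signed": bool(sig_files and sig_blocks),  # structure only, not trust
            "signature_blocks": sig_blocks,
            "unsigned_entries": [],
            "digest_mismatch": [],
        }
        for name in names:
            if name.endswith("/") or name in metadata:
                continue
            headers = manifest.get(name, {})
            digests = [(h, DIGEST_HEADERS[h]) for h in headers if h in DIGEST_HEADERS]
            if not digests:
                report["unsigned_entries"].append(name)
                continue
            content = jar.read(name)
            for header, alg in digests:
                if hashlib.new(alg, content).digest() != base64.b64decode(headers[header]):
                    report["digest_mismatch"].append(name)
                    break
        return report


def build_sample_jar(signed=True, tamper=False):
    """Build a constructed sample JAR in memory (placeholder signature bytes)."""
    payload = b"constructed sample class bytes"
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    if signed:
        digest = base64.b64encode(hashlib.sha256(payload).digest()).decode()
        manifest += "Name: Installer.class\r\nSHA-256-Digest: %s\r\n\r\n" % digest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n\r\n")
            jar.writestr("META-INF/SAMPLE.RSA", b"placeholder, not a real PKCS#7 block")
        # A tampered archive stores different bytes than the manifest digest covers.
        jar.writestr("Installer.class", payload + (b" tampered" if tamper else b""))
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar_bytes in [
        ("signed", build_sample_jar()),
        ("unsigned", build_sample_jar(signed=False)),
        ("tampered", build_sample_jar(tamper=True)),
    ]:
        print(label, inspect_jar(jar_bytes))
```

A `signed: True` result says only that signature files are present; who signed the archive, and whether that certificate chains to anything trusted, has to be checked separately, for example with the JDK's `jarsigner -verify -verbose -certs`.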
I included in mine a link (off the VitalSecurity page, but still ...) to a discussion thread that indicates Opera was not vulnerable. I wasn't able to get the warning (nor the attempt to install) using either the release or beta versions of Opera for Windows.
As well, I was able to prevent infection attempts in FireFox by blocking connections to *.ysbweb.com. [your search bar]. (The Proxomitron is your friend.)
The company that signed the applet is "Integrated Search Technologies", which is apparently targeted by several anti-spyware programs.
For the patch from Microsoft to disable all Internet capabilities of Explorer...Please, please, please!!
BUG REPORT:
When I visit a web page and it prompts me to install something, a little hobgoblin pops out of my computer and whacks me on the head with a mallet when I click yes.
After this happens, my computer slows down and I get lots of popups. I think the hobgoblin has infected me with a virus. Please disable the hobgoblin so I can install things from websites easier. And stop it from infecting me with viruses! Can't you guys program a computer right?
it doesn't ask permission to install anything, just run a script (admittedly one that is compiled into bytecode).
any fool who knows how to develop java can make their game hinge on having the user click yes on that box.
this is one of two things I saw coming on firefox. java is java is java is crap. (-1 troll)
the next thing I see coming on soon is a serious exploit using the medium popularity extensions, the ones not maintained by a security conscious dev team.
for safe browsing, use any browser that has all scripting and active components disabled.
most popular browsers have settings for this.
Ironic that Java, famous for its sandbox, seems to be the door through which this intruder enters.
I keep wondering if it wouldn't be better to have something like VMWare a standard part of a consumer OS. You would instantiate a VMWare-type virtual machine, preloaded with your Web browser, email client, etc., for all external communications. You would leave your "real machine" with no Net connection, but use it for other tasks that didn't need a live Net connection. Attacks from the outside would have no way to damage anything other than a virtual machine. If it got screwed up or infected, even by your kids playing with it and saying "Yes" to download offers, you'd just delete it and instantiate a new one.
You'd be able to reach from the real machine into one of the VMs and retrieve a file that you were satisfied was safe, but there would be no way for a VM to export (VMWare is like this). There would be occasions when fetching an infected file would infect your real machine, but the overall incidence of external damage should be significantly reduced by this approach and recovery from screwups would be quick and easy (at a cost of performance for activities done from a VM).
It's just a thought, but it seems as though this would just be an extension of the Unix notion of having root power but doing most of your work from a non-root account just to be safe.
"Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
As other people have noted, you still have to say "yes, bone me". But people don't expect a Java applet (since it's normally firewalled) to be dangerous, so they're more likely to say "yes".
If allowing an unrestricted Java applet to run is just as dangerous as installing and running an application, then the dialog box should reflect that. If Firefox is going to make you manually approve sites that you're going to allow XPI installs from, and *then* run a countdown in the warning dialog, they need to be at least as thorough about any other operation that takes you outside the sandbox.
...I'm not worried. It's not like Dubya is gonna force me to click yes to an unsigned, untrusted source. Please Mod to 0 to preserve the reign of 0's.
-- Liberalism is a mental disorder.
Moot point. If you are a Firefox user, you most likely don't give a rat's ass what happens to IE anyways.
I'm confused why this is considered an IE vulnerability? And I am even more confused as to why people pin this on Java.
If a user downloads an untrusted applet and grants it unrestricted security access, EVERY SINGLE THING ON YOUR COMPUTER IS VULNERABLE. Just because this particular exploit attacks IE doesn't mean that the exact same applet couldn't be altered to infect Firefox or even something completely different like Adobe Photoshop.
http://brandonbloom.name
No this is not really a Java issue either. This is a social engineering issue.
The JRE pops up its "Warning" dialog, like it's supposed to. It displays to the user that it cannot verify who signed this, that the cert is out of date etc, like it's supposed to. It displays a warning recommending that you NOT say yes and install the applet, like it's supposed to. So when you ignore all of that and say yes, you deserve to get infected. I mean, what do you want, another dialog asking "Are you sure?".
I mean 3 big yellow exclamation marks? I've never seen that even in the most unstable of development environments.
Oh and BTW, if you say yes to a Java applet in this instance, it runs as a local application without a security manager. This is not a 'hole', it is what it is supposed to do. When you say yes, that's what you're saying 'yes' to.
Now if people were taught not to do that the same way they are taught not to run arbitrary files sent to them via e-mail, this wouldn't be a problem. (That's sarcasm BTW)
In the end, the problem is the goof behind the keyboard that is willing to say 'Yes' to run applications they don't know about and that the JRE itself warns them at least 3 times in 3 ways not to run.
How do you defend against that?
Never by hatred has hatred been appeased, only by kindness - the Buddha
You missed the part where IE opened on its own. Unless you have REMOVED IE from your system (good luck) or never had it in the first place (ya, ya, Mac and Linux and BSD are great) then you care about this.
My knowledge of computer science is limited to a single C++ programming course that I took in college, so I'm well aware that I don't understand the mysterious intricacies of how the internet and web browsers work.
That being said, I'm puzzled as to why it's so difficult to design a secure browser. You type in a URL - the browser goes there and gets a web page - and then it displays it. Where do all these security vulnerabilities come from? I mean, can't browsers be coded to only read and write files from the cache, so as to prevent web pages from installing crap on people's computers? How is all this even possible?
Installer
This isn't an exploit of any sort, everything is working as it was designed to. Plus, as others have pointed out, if it had been signed by a trusted certificate, you wouldn't even get the window to OK it on.
This is why all browsers need to have Active-X, Java, and other automatic component installing/running disabled by default. Plus, I'd like it if FF could add a feature to enable to then on a per site basis be able to trust them.
Also, site designers then need to make sure their site is usable if their nice advanced code is disabled. I've walked away from many sites where I couldn't even pull up a basic home page because I have shockwave disabled.
I'd *LOVE* to have some links if anybody has them (!)
... but NOOO, he's "old school" (his words) and got her a Dell. I'd love to email him on that box. Probably needless as I hear their current "tech" (his kid who is a college dropout clueless dope-head) isn't exactly "on the ball" and the system is dog slow now [infected].
If not -- I'll find them. Eventually... and so will they.
I've got some X-client(s) who INSIST on using IE (anyway) -- and regardless I've told to go fsck themselves anyway. Injecting links to their email address' would be, well, um, trivial.
One client in particular -- INSISTED on getting his assistant a Dell (XP -- fully unpatched non-the-less to this day). This is about the time I told him I didn't want his work anymore. Why? She has a G5 at home and is very happy/comfortable with OS X. With other needs/wants given the single Unix box onsite I could make a LOT of things happen
Links people, we need good working LINKS.
Seems to me that more people should learn to use alt-F4 (or ctl-F4 if you're using Firefox tabs) :-P
This is like giving your wallet to a beggar so he'll stop bugging you on the street. I find it very...hard....to....feeel....*gasp*...sympathy... *wheeze*
picpix image polls. create - share - vote. fun!
While I'll agree that no browser may be perfect or immune to all problems, others like Firefox have a far better track record. More importantly, there are very good reasons that these attacks are sneaking in through Firefox and yet attacking IE rather than Firefox. One is that IE still has major problems that can be exploited this way, while Firefox may not. The other and very important issue is that the hackers know that IE will be there. Microsoft still insists that it is an integral part of the OS. Unfortunately, this means that a company that doesn't even want its employees to have a browser can not easily completely remove IE from Windows, and so all of the vulnerabilities that IE brings with it are forced on its users by Microsoft, even for users who would much rather remove it completely.
I'm an American. I love this country and the freedoms that we used to have.
Me too!
I see it as a problem with accepting an unknown application to run on your desktop. Java is enabled by default, however that is only for regular Java applets, that follow the normal rules of security (can't open sockets, can't do anything to the hard drive, ...). When a Java applet needs to access local resources or perform tasks outside of the Java security, it requires that the user accept (known as signed applets). Many online school courses have this type of applet running to allow full applications to be run on the user's desktop. After the user accepts the signed applet, then the applet becomes a regular desktop application, and has access to virtually everything. That is the whole purpose of signed applets, and is not a bug. This is a situation of someone taking advantage of ignorance. Just like when you download a regular application from the web, you should only accept signed Java applets if you are sure who is sending you the applet. Do not click "Yes" in the warning window if you don't recognize the website trying to run the applet.
I use Netcaptor which is really just a better user interface that sits on top of IE. The biggest benefit for me is that I can turn off javaScript by going to SECURITY | Scripting Disable and can turn off ActiveX by going to SECURITY | ActiveX Disable.
I browse with both turned off. No popups, no popunders, no flash, slide-ins, and mostly no b.s.
If I run into a site with flash or other scripted content that I want, I will temporarily turn on the scripting, and turn it all back off when I'm done. It's very impractical to do that in IE, and I will admit to ignorance in the Opera/Mozilla/FireFox arena...
My point is that YES, IE has security issues, and as the article suggests, just using another browser is no guarantee. The real problem is client-side scripting and plugins. The internet is not the safe, friendly place it used to be. The bullies are kicking their ways out of the sandboxes.
I've been a Don Quixote on this issue for a long time. It's been my biggest pet peeve about web sites: I really hate when they force you to install some plug in or require some client-side script to view/use the site. Sure, JoeCartoon or StrongBad or Foamy the Squirrel need flash or shockwave or whatever, but when I go to my local movie theatre site to check screentimes, do they really need a big ol' flash front end with bells and whistles? no, but I go there, allow scripting so I can find out when my movie is on, forget to turn it back off, and next site I hit - Pop.. pa pa popup... pop... popup. How tiring.
The Digital Sorceress
You download an application.
You allow it to run.
It's your OWN DAMN FAULT, then.
Just because it's a 'java' application, which only has in-browser warnings that say 'THIS APPLICATION MAY NOT BE SECURE, I HOPE YOU TRUST YOUR SOURCES', does not mean it is not an application from an untrusted source.
Are the popups that Kazaa spews because of flaws in IE? Or in Windows, for that matter?
No.
When you install spyware yourself, it's a flaw with the user, not the operating system.
I'm probably the biggest MS hating, trash-talking Linux fanboi on slashdot, and even I recognize that this is not a security 'hole'.
This is java working as designed. There is no way to fix this problem.
Except to disable many of java's local privileges.
Pick: Reduced ease of use, or security.
Why is that? Because some jack-nut out there is going to press 'Yes' whenever a dialog pops up, no matter what.
"This java applet will delete your harddrive, continue?"
"Yes or No?"
There will be people that will press yes. Then they'll call up tech support or the help desk and demand immediate attention. Yes, this is an aspect of security.
Some security cannot be done in hardware/software. Some security must be done in user. That is all.
This is no different than downloading a script that does 'rm -r -f /', and running it.
The truth regarding this security 'problem' is so clear that many of you are unable to see it.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
These kind of articles are starting to be *very* frustrating. Maybe we should get to the point where the slashdot user base can mod down top level articles. This complete bullshit story should never have hit the main page, or slashdot at all for that matter.
The number of uninformed people that get +5 blaming either IE, Firefox OR Java instead of the user may be an argument against this idea though.
The assumption has previously been that Java applets run in a sandbox and can't 0wn your box. Apparently there's a bug in the JVM (although I haven't seen a specific reference to details) and that assumption has been turned on its head.
Everyone is "blaming the user" about ignoring an SSL warning but even an experienced security person is likely to ignore such a warning. I don't give a shit that someone may be man in the middling or sniffing my applet download - most browsers download and run applets by default with no prompt over plain HTTP. The prompt wasn't related to Java, the prompt was related to an invalid SSL cert.
It looks like an exploit I happened to discover only about two and a half weeks ago while running Windows XP-sp2-blabla under emulation. The recognisable part is being able to get 'spyware' (in the test, just a dummy cookie) through Firefox and into IE. A few people were told this and repeated it. It should be made VERY clear that Sun Java is NOT needed (MS has every reason to FUD Sun) and it's not Mozilla at fault, but the fact that IE cannot yet be 'de-installed'. The advised solution is for _someone_ to develop a full de-installer for IE. Nobody I know gives a flying f* for MS, but getting a practical de-installer out for IE is the slap-in-the-face MS has coming!
In the meantime watch out for FUD. MS will say Sun and Mozilla are bad and IE is good. You never say in business: "I told you so", but MS will. WATCH OUT! As usual there is a spin on this that seems to favour Microsoft. Don't buy it.
There are some 'unfixable' bugs in all Windows and MS products due to the "I want to be different factor". Being able to completely remove IE (use Firefox, Opera, etc.) would go a long way in reducing the threat. Removing "Media Player" (use mplayer) would help a little more. The real truth however is that Windows is flawed by design and can never be fixed in an acceptable way.
If you are unfortunate enough to be using Windows, please look at the track record, including all the lies you've been told and make an informed decision. Get Solaris 10 if you wish, I'll stick with FreeBSD. Linux has a range of distros that range from 'true hardcore' to 'clickity-click' and even have a dual boot. Sooner or later, you are going to have to make the transition. You decide when.
Those are the JRE runtime warning boxes and have little to do with Firefox itself. Never mind, the top story is FUD.
Seriously slashdotters. . . .
At some point, the user must take some responsiblity for their own security.
System doing something unintended, without user notification or permission? Security exploit.
System doing something unintended, after user notification and approval? Idiot exploit.
The ONLY way to stop idiots from being exploited is to take the permission/approval step out of their hands, and give it to someone else.
Either the sys-admin, or the OS manufacturer.
The sys-admin route is already possible. We don't need anything else for that. These boxes are secure, but a gigantic pain to work with, depending upon what your users' needs/wants are.
The OS manufacturer route. This is the route Microsoft would love to push us all.
Dump Java. It's insecure. Use our New(TM) Palladium(TM) Super-Secure Trust-In-Our-Magic-Decision-Making Signed Certificate, only MS(TM) software ActiveSecureX.
The only way to prevent (idiot) exploits such as this one, is to prevent any 'unapproved' application installs.
Ask for that, and you're asking for Trusted Computing(TM).
And I'll bet ten grand that someone will figure out how to exploit THAT, and then you'll have a pwned box that is unfixable.
This is Microsoft. Even though your users make DAMN STUPID decisions on what to install (Press Yes to Install MySpware Super-Happy Plugin!), Microsoft has proven itself to be just as, if not far more vulnerable.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Just like with drugs. Say no to anything that looks like it could possibly be bad. Who cares whose fault it is; arguing over it won't stop it. Just click no and tell your friends to click no. Really easy solution to a really common problem. And if anything does happen get a spyware remover like spybot. And remember SAY NO TO BAD THINGS!
Even if not running is still a security issue.
Congratulations. This is AMAZING.
-=-=-=-=
I know life isn't fair, but why can't it ever be un-fair in MY favor!?
No, the prompt was from the JRE indicating that the applet that was being downloaded was asking for special privileges, beyond that of the sandbox (see the picture in the middle of the Vital Security article). 3 exclamation marks, big and yellow, telling the user that it couldn't verify the authenticity of the applet, that the cert used to sign it had expired and then warned the user specifically to NOT say yes.
The idiot said yes anyway.
Now, if this happened without those warnings, then there would be an issue. But that is not the case. The JRE functioned as it was designed to - to allow for extra privileges to be granted to an applet under certain circumstances and to vigorously warn the user and present them with information beforehand. It was the user that ignored the warning, not the JRE.
Note to self: never get advice from "Vital Security" about security because anyone that would ignore that kind of warning from a site they did not know is definitely NOT a security professional
Never by hatred has hatred been appeased, only by kindness - the Buddha
Now that we're seeing what happens when the same millions of clueless people run a safer browser, then the fault lies squarely on said users instead of the people who put it out.
My, how the times change.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Java applets can do all sorts of things.
It is not true that they can't 0wn your box.
In fact, whoever told you that should be shot.
Java is very powerful, and can do many, many interesting things.
If it works properly (i.e. no exploits), then a Java applet will not be able to silently 0wn your box.
It'll request permissions, and you'll have to approve it.
There are two possible circumventions.
1. Set system-wide permissions too low. By default, they come pretty restrictive. I would not suggest changing them.
2. Exploit in the JRE. Has happened before (rarely). This doesn't count.
Java is not a pure safe language. Java does not run its applets in an entirely isolated Virtual Machine.
Java, however, does not experience buffer overruns (which lead to exploits), and does not experience a variety of other security problems.
No exploits != No 0wnage.
No exploits = No 0wnage without requesting security permissions.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
have a look here in fact see what I mean ??
How do you defend against that?
Clearly, all software should only be installable from floppy disks, and not from over the Internet. That way, script kiddies would have to send people their exploits by snail mail, with a note attached that reads:
Still, I'm sure there'd be a few who did...
Agreed
Most security professionals are paranoid freaks who would never click 'yes' on something like that, especially in a production or work environment.
I don't see any need to castrate java because users are stupid.
Perhaps Sun should make the Java default setting to silently reject unsigned applets, as well as silently reject various requests for permission.
Then we'd have an equal outrage, the other way.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
What if Microsoft comes out with a limited edition called Microsoft Software Limited Update Tool (S.L.U.T.)?
Some exploit. By this moron's logic I just hacked browsers too http://obscurethoughts.net/hack.php I'm leet now.
A nice intelligent choice with WinNT was the "Press Alt-Ctl-Delete" to login.
Since applications shouldn't be able to hijack that combination it adds additional security.
You can have a lot of fun with mimicking login boxes. Back when I was in uni we'd screw around with each other's laptops. I got a terminal window on a friend's machine and aliased the su command to a perl script which would prompt for a password, send the password to my webserver, tell the user it was wrong, and then unalias the command so the next try would go to the real su.
Easy to do, but you'd have to be very on top of things to spot it.
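A defender-side check for the trick described in the comment above, as an added example that is not part of the original thread: it scans shell startup-file text for aliases or functions that shadow commands which prompt for a credential. The command list, the sample rc text and every function name are constructed for illustration, and it assumes the alias was persisted in a startup file.

```python
import posixpath
import re
import shlex

# Assumption: commands whose prompts ask for a credential.
SENSITIVE = {"su", "sudo", "ssh", "passwd", "login"}
# Assumption: directories where the genuine binaries normally live.
TRUSTED_DIRS = {"/bin", "/usr/bin", "/sbin", "/usr/sbin"}

ALIAS_RE = re.compile(r"^\s*alias\s+(.+)$")
FUNC_RE = re.compile(r"^\s*(?:function\s+([\w.-]+)|([\w.-]+)\s*\(\s*\))")


def _alias_definitions(rest):
    """Yield (name, value) for every name=value word on an alias line."""
    try:
        words = shlex.split(rest, comments=True)
    except ValueError:  # unbalanced quote: fall back to a naive split
        words = rest.split()
    for word in words:
        if word.startswith("-") or "=" not in word:
            continue
        name, value = word.split("=", 1)
        yield name, value.rstrip(";").strip()


def _classify(name, replacement):
    """Return 'wrapper' if the alias still runs the real command, else 'replaced'."""
    try:
        first = shlex.split(replacement)[0]
    except (ValueError, IndexError):
        return "replaced"
    if first == name:
        return "wrapper"  # e.g. alias sudo='sudo ', a common benign idiom
    if posixpath.basename(first) == name and posixpath.dirname(first) in TRUSTED_DIRS:
        return "wrapper"
    return "replaced"


def scan_startup_text(text, source="<rc>"):
    """Return findings for aliases/functions that shadow a sensitive command."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        match = ALIAS_RE.match(line)
        if match:
            for name, value in _alias_definitions(match.group(1)):
                if name in SENSITIVE:
                    findings.append({
                        "source": source, "line": lineno, "name": name,
                        "kind": "alias", "verdict": _classify(name, value),
                        "target": value,
                    })
            continue
        match = FUNC_RE.match(line)
        if match:
            name = match.group(1) or match.group(2)
            if name in SENSITIVE:
                # The body may span several lines, so a human has to read it.
                findings.append({
                    "source": source, "line": lineno, "name": name,
                    "kind": "function", "verdict": "review", "target": None,
                })
    return findings


# Constructed sample startup file, not taken from the thread.
SAMPLE_RC = """\
# constructed sample
alias ll='ls -l'
alias sudo='sudo '   # lets aliases expand after sudo
alias su='perl ~/.cache/.pw.pl'
ssh() {
    /usr/bin/ssh "$@"
}
# alias passwd='x'
"""

if __name__ == "__main__":
    for finding in scan_startup_text(SAMPLE_RC, source="sample.bashrc"):
        print("{source}:{line}: {kind} '{name}' -> {verdict} ({target})".format(**finding))
```

In a live session, `type su` shows whether the name currently resolves to an alias or function rather than a binary.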
Really, this is more an exploit of user ignorance than anything.
I stand corrected.
Fuck IE, the slag
Fuck all who sail its filth
The change winds bloweth
--
This useful, informative post was unleashed in a fit of drunken rage, using Mandrake 10.1 Community and Firefox version 'can't be arsed to look'.
It's been a long time since I worked with Java code, but I recall that once the user tells Java he "trusts" the code, (signed or unsigned), he opens himself up to a number of risks, including accessing the local filesystem and making network connections to hosts other than the host from which the applet was downloaded. This would, of course, include HTTP calls, probably using the installed default browser. I don't know about executing local programs.
So, while this may have been an exploitation of MSIE, the fact remains that it would never have occurred had the user not agreed to trust the applet. This is why it's important for developers and sites to sign their code, but more importantly, it shows the importance of embedding into end-users' brains: "Never, never, never click 'yes' when the application tells you the code is untrusted."
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
Visiting this site on IE does not bring up the dialog where the user can be a user (read: an idiot).. it just doesn't run.
...well, not exactly. Visit the same page in FF and, with the JRE up and running, the below happens"
"So far, so good. Using IE, nothing is getting through. And using Firefox to browse will keep me totally secure, yes?...
So, in this case, IE is more secure than FF.
I am the maverick of Slashdot
If it wasn't enough getting screwed due to its own vulnerabilities IE can now get screwed due to other software's vulnerabilities as well!
Fucking great! IE's a screw magnet!
Nandz.
I think this would be a good time to mention Kevin Mitnick's book "The Art of Deception" which focuses "on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system."
http://www.amazon.com/exec/obidos/tg/detail/-/0471237124/qid=1110834651/sr=1-2/ref=sr_1_2/103-1924618-6149422?v=glance&s=books
OTOH, if you're smart enough to not get fooled into allowing random things to install themselves, then maybe you don't care.
OTOOH, if you are a family/friend IT support person, then maybe you do care again.
I've trained most of my family and friends to not click on things if they're not sure, but they still get fooled sometimes.
So you are telling me that someone found a way to get into a system with java, and - once there, found that it was actually more effective to try to break IE than the browser actually being used? Doesn't that sort of blow the popularity vs. intrinsic insecurity argument out of the water? I mean, the user is running firefox, right? The argument of what they are likely to use (and therefore be affected by) has pretty much been resolved at that point.
This sounds like a FUD factory somewhere is trying to come up with vulnerabilities against Firefox. Interesting that the best they can come up with so far is an exploit of IE. "Hey, wait, guys, we can make this one run with another browser! Let's run with that!"
Do *we* deserve it?
Turning the exploited box into a zombie, ready to DDoS sites, send spam, and a host of other things isn't good. The opinion that 'They're dumb, so they deserve it' isn't valid in a multiuser(multicomputer) environment as the box in question can harm others, not just the luser in question.
The Giant DUH! Award goes to VitalSecurity.org, quite possibly the dumbest security company ever.
At the end of his blog, the author says that the purpose of his article is NOT to point out the social-engineering aspects of this exploit, but to point out that "most spyware installs occur when someone clicks "yes" to something they shouldn't have."
DUH!!!! What a total maroon.
Let's review. The user is presented with a dialog box that warns them, 3 times, that this thing can't be trusted, but they click 'Yes' anyway.
This is not a Firefox exploit. It is not an IE or Java exploit. It is a USER STUPIDITY exploit.
ummm, no - his .se domain indicates Sweden. Don't tell me you were not capable of working that out for yourself.
There's a little difference with that analogy, which is that people who smoke cigarettes are physically addicted to them.
litepc.com ;D
easy as pie.
I used that program on my win98 box, and just left in traces of IE in explorer (just in case I fuck up firefox and need to redownload it)
It also decreased my boot time.
I have personally experienced it.
Great, just great. I had to switch from Window's JVM to Sun's to avoid some other exploit that was killing my box running Win98 (don't even remember what problem it was but it was a big one, I think something related to coolwwwsearch). And now I can't run Sun Java with my Firefox browser? WTF am I supposed to use for Java now? It's all well and good for ppl to say "don't use any java" but that isn't a practical solution for everyone.
So when are we going to start forming cyber squads, either as vigilante groups or legally sanctioned, to go after the asshats that are absolutely ruining the internet. I'm pretty in the know, I keep diverse passwords, I don't run as root and have a firewall, I keep patches up to date, but even I'm appalled at the amount of time I have to spend keeping my computer clean. Joe User - e.g. most of my friends' parents - have zero chance of staying uninfected online w/o someone like me updating their windows boxes constantly.
We need some groups to write backhacks on the zombie masters. If hundreds of script kiddies and russian mafia types and nigerian scammers can flood the internet with a constant stream of exploits and hacks w/o getting so much as sniffed by the law, why aren't there more whitehat hackers out there forming groups to exploit the exploiters and deal them some damage? (Not just create blacklists/watchgroups, etc - not to disparage those avenues, they are necessary and useful and I salute the folks already doing that sort of thing.) I want an internet call to arms. If we want the net to be free and useful/usable then we've got to start forming some posses and running the riffraff out of town. [/Rant]
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
I guess my unpatched, unused, utterly useless or removable install of IE on my only token windows machine in the house isn't going to be useable and become corrupt. Sigh....What am I to do? =)
"God of Rock, thank you for this chance to kick ass. "
Translation: Java applet installs malware that uses IE. It wasn't clear from the writeup whether user input was required to install the malware, or if it bypassed permission in Firefox. There may be no security problem, or maybe there's one in Java or Firefox. Doubtful this is a problem with IE.
Vote for Pedro
I thought the Java sandbox prevented files from being saved to the local drives unless you adjusted the security settings?
IE has that existence security flaw...
Isn't there a firefox extension that doesn't let the user install anything from blacklisted sites (or even better, that ONLY lets user install anything from whitelisted sites)?
Has anyone tried accessing the "attacking" site in IE?
What's the point of targeting IE through an alternative browser - I mean, using an alternative browser pretty much indicates that you've more or less ditched IE...
What I'm getting at here is: Isn't it possible that this exploit was actually aimed at IE-users and then just happened to work in other browsers through the splendour of Java?
Apart from that (like a lot of others have already said), this sounds more like a Java exploit than an "alternative browser" exploit.
"Live free or don't."
...because the following month a user's default actions will be: - notice that dialog pops up. - check that checkbox without which websites seem not to work correctly. - click OK.
Just thought I would point that out. This affects all browsers that use Sun's Java runtime. Mozilla just happens to be one of them. Also, the user must agree to run the program. I have yet to see an exploit of Mozilla where the machine is infected merely by clicking a link. There have been many of these for IE.
Correct; unsigned values can only be positive (good), but signed values can also be negative (bad). This is just an example of a negative signed Java applet.
morons
This is just a signed applet. Signed applets have been used for at least 7 years. There is absolutely nothing new about this. Running a signed applet is equivalent to downloading and running a .exe file. If you call this a security exploit then so are .exe files.
Because i am a human being, which means i do what i was going to save us from malware.
I personally believe that any os or browser is going to continue installing stuff they later wish they hadn't.
Stop your dull little tricks, please!
I was about to go off on a tirade about the editor, but I can see from the TFA that the blame clearly rests on the original authors.
Oh good grief, my head hurts from this one:
It has nothing to do with security problems in either IE, Firefox, or Java. The user is authorizing a foreign, untrusted piece of software to run. It could happen through any browser using Sun's JRE, or an ActiveX control. It could be a script, or a trojan application. Yes, the operating system allows software to do things like this. If you can't trust yourself or your users to read warnings, then use an unprivileged account to do your browsing, and lock down the registry.
Check out this follow-up:
What's the point? If the user runs malicious software, it can do anything allowed by the user's current OS permissions, including editing parts of the registry that aren't protected. Whether or not IE is the target is irrelevant.
TFA: Troll -1
Fred
"A fool and his freedom are soon parted"
-RMS
Okay, I admit to being asleep for the past few years. What happened to the "virtual sandbox" and access controls?
If the person signing the applet has their key signed by a trusted CA like Verisign you won't get a prompt. Java allows applets signed by trusted CAs like Verisign to run in full access mode without a warning or prompt. To simulate this in MSIE change your settings to allow signed ActiveX controls to automatically install.
Hehehe! Quite funny that, isn't it? Yes that means not watching american movies, listening to american songs, not drinking coke or pepsi, not wearing nike or addidas even if you study and persevere, by attaining and overcoming the challenges, you too will indeed become a world class expert in information security - with an exclusive skill and knowledge level few have reached. The sun is a gland used for filtering urine from the sun.
No you are a stupid bloody moron with no right to exist as a sentient being.
The ass is an ordered series of tests will challenge and verify your skills in each course area, with series of letters used in language.
The shockwave installer asks the user if they want to install yahoo toolbar. Yes, it is checked by default, but it is not installed as spyware.
In response to the other responses....
Sorry for the oversight - this has nothing to do with SSL. The browser is prompting the user, stating that the authenticity of the cert can not be validated and is asking the user whether the applet should be trusted anyway. The user is not being asked whether the applet should be trusted with elevated privilege to install software. In fact, in Firefox certificate trusts and software installation trusts are two separate configuration spaces. Even if the user read the firefox documentation, they would expect to be prompted explicitly for software installs, independently from certificate issues. There is no mention of privilege or software installation on that dialogue.
My expectation for an applet with a bad cert trying to install software is to:
1. Prompt for trust of certificate
2. AND prompt for permission to install software
My expectation was that trusting this certificate will:
1. if defined in Firefox's Software Install config, run under configured settings for that particular domain
2. OR prompt for further privilege (to install software)
Users are also so used to ignoring certificate problems for SSL sites that the user will always ignore certificate problems for sites that they do not trust. Users do not care if confidentiality and/or integrity of communications with an untrusted site are compromised as they don't really trust the communication to begin with. Users assume (as they should) that attempts by untrusted sites to do anything which may violate security will be prompted for or denied by default.
The notice that Firefox has stopped the installation of software will be disregarded by the user as the user will believe that the installation has been blocked and can only be unblocked by right clicking on that notice. The dialogue with which the user is interacting will not be assumed to be related to the notice that installation of software was prevented.
If it is the case that trusting the applet by providing a positive response to this dialogue results in the applet running outside of a sandbox, I would argue that the dialogue is misleading and extremely dangerous. In this case the dialogue must be changed to be more clear. The dialogues presented by Firefox (or the JVM?) are completely inadequate and must be fixed. Claiming that everything is working fine is ridiculous if the guy only accepted the dialogue as shown in the screenshot. The user is not at fault.
Further, assuming that there was no certificate problem (eg if the attacker had a Verisign certificate), would the user have been prompted with anything? I certainly would not expect that anyone with a Verisign certificate has an ability to run applets at elevated privilege without me being prompted by my browser. If browsers/JVM will run all signed applets at an elevated privilege I would consider that a major vulnerability and a completely bone headed design. I don't think that this is the case and expect that the user would have to define the host as being allowed to install software in the Firefox configuration.
W.R.T. the security professional comment... few except for those professionals who have in depth experience with applet security would know to have expectations other than those which I described in this message. One can not be an expert in everything. I would suggest that you meant that anyone who would ignore that kind of warning from a site they did not know, on a box they care much about, is definitely NOT a security professional.
this is slashdot, obviously we have to point fingers at the M$ product!
She sells sea shells by the army of another country or by a company that is not a way of being serious.
People have a hard time banning crosses and you have a hard time banning crosses and you have some evidence to back you up on that. A computer is a sack in the head with a mallet if they do stop running as admin, they'll get used to typing in their admin (or root) username and password.
First Question - Do you want to grant this Java applet access to your harddrive?
Second Question - Are you an idiot?
Since all idiots click "Yes" on everything, the applet won't get access...
- denying it all access to the internet using your favourite personal firewall
- install Maxthon for all your IE-only needs
So once I get a signature from verisign, I can do anything I want to my users' machines? Surely that's a hole you can drive a truck through. I mean, the cert would get revoked pretty quickly once I started using it, but if I've burnt 2000 users' motherboards by then that's a serious problem.
I am trolling
Most (all?) Japanese cars have a "feature" that the door won't lock unless you're holding the handle up (open, whatever.)
I heard that this was a measure to prevent people from locking their keys in their car. The Japanese car manufacturers decided that if people have to lock the door, then hold the handle in the open position as they close the door, it will prevent them from accidentally locking their keys in the car.
Sounds nice in theory... until the day I locked the keys in my Civic. It was then that I noticed that because I couldn't lock the car door without holding up the handle, that I had gotten into the habit of *always* holding up the handle while closing the door, even when I didn't want to lock it.
I've known a lot of people who have locked their keys in their Japanese car, they told me the same thing.
So, instead of being a mechanism to prevent people from accidentally locking their keys in their car, it was instead a mechanism to train people to hold their door handle up when closing the car door.
You can't fix a behavioural problem with a technological solution.
Best. Webhost. Ever. Dreamhost.
So imagine my surprise when my virus scan from a month ago turned up a virus! And guess what the attack vector was? Sun Java.
After that little incident, I uninstalled Java on all my computers, my family's computers, and advised all my friends to do the same.
This also ties in with my professional opinion on 'alternative' browsers: there are ways of locking down IE, and of mitigating any issues. But despite claims that open source is somehow 'safer' because the source code is out there, I still have no idea what it's doing to my computer. And using another browser doesn't remove IE anyway, so I STILL have to stay current on IE threats.
As I proclaimed over a year ago, using an alternate browser just opens up another attack vector. It feels so good to be right all the time.
Sorry, it seems like the software install notice may be unrelated to the dialog. Perhaps it's another infection vector. Anyway, the argument that the dialogue does not suggest arbitrary code execution stands. Further, other peoples' comments suggest that Verisigned certs allow arbitrary code to run without a prompt. That's horribly lame and shameful if true.
Was hit by a spyware attack last friday.
Browsing while watching Battlestar Galactica I just wasn't paying attention when I got a dialog that I blindly took for a security certificate that was not recognized and I blindly clicked accept.
It was a java request for more access... Within moments I had new icons in my system tray.
This stunned me as I was running opera.
Took me an hour to get rid of the spyware and trojans.
Thanks BartPE, Kaspersky and System Internals!
I backtraced to figure out what happened and figured out it was java and then disabled it on my roommates' computers.
It displays them all in the same dialog though. And it's horrible swing so no-one is going to read it, just looking at it for a couple of seconds is enough to make me hate it. Clicking "yes" no longer counts as affirmative user action, they're too used to being bombarded with things they don't understand to say yes to. For a start, not letting you click yes for a few seconds like firefox does might make the user pause to think. But really, it should require some action to make them think. Maybe typing out a permission notice or something.
I am trolling
That's not enough warning. The exclamation marks look big because they're being displayed alone, but on a screen they'd be quite small. They're the same exclamation marks the user sees every time they leave a SSL connection, or enter an SSL connection, or submit a form, and they have to click yes there too. So it's no surprise the users will click yes to this.
I am trolling
(ya, ya, Mac and Linux and BSD are great)
Speaking of which, is this a problem for people using a non-Windows OS that happen to have IE. Such as IE on a Mac, using the affected browsers with Java. Or is this strictly a Windows only problem.
Not that I have this situation, just curious.
No, the point of the browser is to browse, to display *pages*. No way it should be allowing remote programs to access the local filesystem. There are programs to do that if that's what you want.
I am trolling
obviously not to the actual spyware, but I dont seem to get anything else other than just the desired web page under linux (FC2 using firefox with Sun's Java). Is anyone else able to load it correctly under Linux, or actually get the applet install prompt?
When I visited http://www.lyricspy.com/ (this site listed as being the origin in the VitalSecurity story) I immediately receive a pop-up warning from McAfee 8.0 that the file "javainstaller.jar" is a Trojan, and an "exploit". The installer window never appears at all.
Additionally, Firefox automatically blocks the installation with its pop-up blocker, so it appears that, with my settings (which are not terribly restrictive), I have a double layer of security preventing me from even getting to the point of clicking "yes" to the installer.
Not too big a deal, this, but it is good to know that following basic security procedures like keeping virus definitions up to date and using the pop-up blocker correctly can make it a lot easier to avoid the kind of crap this story deals with. I do realize, however, that a great many people do not follow these guidelines, and that that is the point of the story.
But I would like to point out that it seems that I am not quite as vulnerable as this story makes it appear that I will be (when running Windows). And, of course, if I flip over to my Fedora Core 3 partition, this problem goes away entirely.
And yes, I am using the Sun Java Runtime.
B
"We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
I think error messages like these should be written so that anyone's mom could understand them. Then, it's probably a pretty safe bet that the majority of users will understand it. Well, English speakers at least.
My version, with the above in mind:
"Unknown and untrusted program attempting to run from the Internet. Clicking OK will allow this program to run. CLICKING 'OK' IS NOT ADVISED."
(default to "no", or cancel or whatever...substitute appropriate synonyms where desired)
...and then warned the user specifically to NOT say yes. The idiot said yes anyway.
I think there's a bigger problem with users getting "trained" to click "ok" or "yes" on all sorts of dialog boxes without understanding why the dialog box appeared or what the consequences are. Like when we "techies" casually say "Oh, yeah, just click ok on that one".
Part of the reason, imho, is that dialog boxes are abused. I think software authors and especially Microsoft should try to think much harder about dialog boxes, especially when to use them and how to present them. For one, include a "if you are unsure, do X" (like the Linux kernel config menu, very good example). I think that would help users to not just "I don't want to do anything wrong, so I'll click Yes".
Web browsers should also have visually different windows for popups and similar, so that casual users could have an easier time distinguishing between real dialogs and "copycat" ads.
Just my thoughts on the issue.
Can I steal a copy? I wanna pass it around my office...
Ever since I uninstalled Java temporarily (ran out of room on my primary hard drive while upgrading), I only needed it once, to use some IRC chat applet. Guess what? I decided not to install it.
:)
Seems like that wasn't such a bad idea after all. Then again, I'm probably not dumb enough to click OK while on some unscrupulous site, no matter what they're asking me. But who knows? I'm usually on the computer at 2 in the morning, and I'm tired then
This is unbelievable. How could news be more misleading ? This is obviously not a "vulnerability", since Firefox, IE and Java are all behaving as expected.
That being said, this dialog for trusted applets is just as misleading for people who are not Java developers. A company paying for a certificate will have a nice dialog saying the applet is safe, giving the user that warm comforting feeling, while a poor developer will only get a scary dialog, which (believe it or not) really makes users flee. In both cases a lot of users will click without thinking, "yes" if it looks nice or "no" if it looks scary. And the result will always be the same if they click "yes".
Instead, this dialog could display a useful and educational message like "Warning - if you agree, this program will be able to read, change, delete or add any file on your account, like any other program you run outside of the web browser".
I don't want to start another conspiracy theory, but this looks like Sun is somehow related to the certificate business.
This whole mess is damaging for everybody, because users might just disable Java and thus lose the ability to run programs safely (the only alternative being to download and run).
A secure browser would be very easy to design. There is no reason why a browser has to have the ability to install anything.
However, people want more than basic functionality, they want eye candy. They want to be able to experience everything that is out there. If someone has a cool java game, they want to play it.
Secure browsers exist (some are even text-only), but you probably can't play tetris on them.
Maybe if those who used Firefox on Windows were permitted by the operating system to uninstall IE completely, this wouldn't be a problem.
Agreed!
But on a side note, I tried visiting lyricspy.com from Firefox on my Debian box (sorry about the crappy screenshot, but you know - bandwidth and stuff) and it actually only displayed 2 yellow warning signals... Furthermore it said Publisher authenticity verified by "Thawte Consulting (Pty) Ltd.".
This is definitely - most of all - a "dumb users" issue. Seriously... Firefox shows the bar at the top of the webpage display saying: To protect your computer, Firefox prevented this site (www.lyricspy.com) from installing software on your computer. If I haven't clicked on some "install" link/button, then I sure as hell won't let that site install anything - signed/verified or not.
I reckon Sun could implement some more sandboxing and dialogs, but the border between usability and security is once again challenged and we might have to face the fact that educating users is the only way out of the persistent malware problem.
"Live free or don't."
If you actually take the time to read the details of the McD's suit you'll see that the franchise in question was serving coffee at a temperature way way above what any reasonable person would consider acceptable.
A) I routinely boil up some water in the kettle, pour it into a cup, put hot chocolate mix in it, and hand it to someone. I expect a sane, mentally competent adult to realize that hot drinks may be hot at first. Somehow, for thousands of years, adults have managed to deal with the concept of hot drinks. The McDonalds incident wasn't even boiling -- it was *colder* than what I'm talking about.
B) There are a ton of people that eat at McDonalds who *didn't* find the coffee "way above what any reasonable person would consider acceptable" -- including this woman, if she'd ever had a McDonald's coffee before.
C) They had received numerous complaints about it prior to the incident
They're McDonald's. They're enormous. They have complaints about coffee being too hot, meat not being kosher, coffee being too cold, a lack of Italian buns, and so forth. It would be unusual if they had *nobody* mentioning it.
They had received numerous complaints about it prior to the incident, and the woman who was burned by the coffee received severe 2nd and 3rd degree burns.
And if you were familiar with the case and were being honest, you would have mentioned that all the *other* coffees from the *other* fast-food places caused the same burns -- it's just that McDonald's, being the hottest of the temperature range by ten degrees, did so faster.
I provide this info for other readers who may not know the details of the case but love to point to it as an example of a justified lawsuit when in fact it is completely frivolous.
I said that it "shouldn't" be possible.
Just because it wasn't well implemented doesn't make it a bad idea.
I just tried
/bin/su="echo you suck"
alias
and it hurt my feelings
you are better off using "Allow dangerous activity" "Stop dangerous activity"
or if you feel that is too long just display the message and "Allow" and "Stop"
...and MS Outlook get installed in the first place. That and stealth reinstalls encapsulated in updates and hotfixes.
The time has come, methinks, to firstly obliterate even the faintest trace of MSIE from your machine and secondly to start a FOSS project for replacing MS Update.
Allow MSIE to be installed?
( ) Yes
(o) Over my dead body
Got time? Spend some of it coding or testing
Unsigned applets are (mostly) fine, they are sandboxed.
This was a signed Applet. Now, I think the Java signed applet/webstart box need a rethink (and have for some time), and having the "yes" button disabled for 3 seconds, and more details on what the Applet wants to do (with Runtime.exec and write permission outside the user.home being silently rejected).
Wow, I should not post when knackered.
how about this
1 the JRE has a "rolling passcode" applet
2 when you have an applet ask for this level, you then must WITH THE DIALOG UP run the applet and type the 16 digit alphanumeric passcode to say yes
3 the system prevents
  1 Cut and Paste
  2 the user from just writing the code down (it rolls on a ~90 minute clock)
4 a windows checkpoint is made when the applet pops up
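The rolling passcode proposed in the comment above, sketched as an added example; it is not part of the original thread and not something the JRE implements. Assumptions made here: the code is an HMAC-SHA-256 over the 90-minute time window, the secret is shared between the permission dialog and the passcode applet, and the code is also bound to a hash of the requesting applet so it cannot approve a different one.

```python
import hashlib
import hmac

# 32 symbols (5 bits each), without the look-alikes 0/O and 1/I.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
STEP_SECONDS = 90 * 60   # the "~90 minute clock" from the comment
CODE_LENGTH = 16         # the "16 digit alphanumeric" passcode

# Constructed sample values, for illustration only.
DEMO_SECRET = b"constructed-demo-secret-not-real"
DEMO_APPLET_DIGEST = hashlib.sha256(b"constructed applet bytes").digest()
OTHER_APPLET_DIGEST = hashlib.sha256(b"a different applet").digest()


def rolling_passcode(secret: bytes, applet_digest: bytes, now: float) -> str:
    """Code shown by the passcode applet for this applet and time window."""
    window = int(now // STEP_SECONDS)
    message = window.to_bytes(8, "big") + applet_digest
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    # 16 characters x 5 bits = 80 bits, taken from the first 10 MAC bytes.
    bits = int.from_bytes(mac[:10], "big")
    return "".join(
        ALPHABET[(bits >> (5 * (CODE_LENGTH - 1 - i))) & 0x1F]
        for i in range(CODE_LENGTH)
    )


def approve(secret: bytes, applet_digest: bytes, typed: str, now: float) -> bool:
    """Dialog side: grant the permission only if the typed code is current."""
    expected = rolling_passcode(secret, applet_digest, now)
    normalized = typed.strip().upper().replace("-", "")
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    return hmac.compare_digest(expected.encode(), normalized.encode("utf-8"))


if __name__ == "__main__":
    t0 = 1_000_000_000  # constructed timestamp
    code = rolling_passcode(DEMO_SECRET, DEMO_APPLET_DIGEST, t0)
    print("code shown to user:", code)
    print("typed a minute later:",
          approve(DEMO_SECRET, DEMO_APPLET_DIGEST, code, t0 + 60))
    print("written down, reused next window:",
          approve(DEMO_SECRET, DEMO_APPLET_DIGEST, code, t0 + STEP_SECONDS))
    print("used for another applet:",
          approve(DEMO_SECRET, OTHER_APPLET_DIGEST, code, t0 + 60))
```

Blocking cut and paste and taking the system checkpoint are UI and OS steps that this sketch does not cover.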
I totally agree about the "hold door open to close and lock" thing, but there is recent technology that prevents a person from ever locking their keys in the car.
It's called remote keyless entry and it comes on your keychain. If you always use that to lock your doors, and if it is impossible to lock said doors when they are open, it is patently impossible to lock your keys in the car (unless you are also in the car with them). Actually, this same principle would have worked before remote keyless entry if people were willing to take the effort to use a key to lock their door every time... but they weren't.
When it comes to software and applications we're still pre-remote keyless entry. We haven't come up with that nearly unbreakable solution that's still very easy to use yet.
If you read what you just did, it is called a developed habit. If you can accomplish something by repeating it, then you will do it without thinking. However, if you have to do something different each time, then it can't be made into a habit and you must read and think about it.
I believe there are two ways to make people read and/or "know not by the force of habit" what they are about to do.
The first way is to make it so that you have six options: Yes, No, OK, Cancel, Accept, Decline. Only ONE of the three positive confirmations is the true positive confirmation and you must read the notice to find which one is correct, otherwise all of them are treated as negative. And in each instance, the correct positive is randomized.
The second way lies in the design of the dialog boxes and the choice of wording with the appropriate level of danger. Also programmers should begin to program their buttons to display what will happen if an option is selected instead of "Yes" or "No".
For example:
If a dialog is warning of something minor like you are going to clear the cache, the prompt should only have OK and CANCEL.
If the dialog is a warning of something moderately important like whether you want to logoff, then the prompt should be YES and NO.
However, if the dialog box is a warning to execute an unsigned/unsafe executable, the options should display EXECUTE and DO NOT EXECUTE. Never should it be "Yes" or "No", because YES and NO do not describe the action that is about to take place. If the buttons describe the impending action, then it would prove to be more helpful than a YES or NO.
The level of severity should be associated with the type of wording, so that minor things are one type: OK/CANCEL; While moderate things are: YES/NO; and very dangerous or important things should have its buttons be descriptive of the action about to take place.
While I did not do a formal study of this, as a web programmer at my workplace, I find that in cases of important confirmations of whether an entry should be deleted, putting "DELETE entry" and "RETAIN entry" is more effective in cutting down accidental deleting than "YES" and "NO" confirmation buttons.
The idea of just clicking "YES" to get rid of a dialog box is so ingrained into some users' minds that they reflexively click "YES" even when they don't want to (or have not fully understood what they have read until too late). So the idea is to make the buttons more descriptive than just "YES/NO" or "OK/CANCEL".
So some things can be mitigated with a better technological solution. Sadly, technological solutions can only minimize stupidity, and don't cure it.
"IE Vulnerable..." instead of "Firefox Exploit..."
The former is hardly newsworthy. The latter is more accurate and constructive.
I'm as frustrated with MSFT as the next guy, but honestly...
Can you disable all components of ActiveX in IE in just four mouse clicks?
I know I can disable Java in Firefox in 4.
Edit > Preferences > Web Features > Enable Java (uncheck).
(Tools > Options if you're running Windows)
*sung to "House Music" by Eddie Amador*
Not everyone understands social exploits.
It's a spiritual thing,
A pebcak thing,
A luser thing. A luser thing.
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
So, do it yourself.
http://www.litepc.com/ieradicator.html
http://www.tweakxp.com/tweak1241.aspx
http://www.vorck.com/remove-ie.html
http://nuhi.msfn.org/
http://jdeboeck.msfnhosting.com/
There's a little M$ blood under your fingernails when you're done, but your favorite opensource apps and commercial games still run fine.
I'm sure this has been said, but I'll say it again: whose fault is this? Is it the fault of the alternate browser programmers, or is it the fault of Microsoft for so tightly coupling their user-space web-browser into their operating system?
Is it surprising that Internet Explorer is a cause of major vulnerabilities in Windows? I can only say that I get a large amount of satisfaction watching as a highly dodgy business practice comes back and bites Microsoft on the arse.
XML is like violence. If it doesn't solve the problem, use more.
I've been writing a *amp based music database for myself. To delete a record, I have to first click on 'delete' next to the record. A confirmation page then comes up asking me if I'm sure about what I'm doing. Below the confirmation message is a check box with "Yes I want to delete this record" next to it, and a submit button. The simple act of adding the checkbox makes accidentally deleting a record much harder.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
www.cisnet.com/GlennMcc Real Geeks should check it. Wind0ze l0sers should shy away, unless you can do more than click a mouse with one hand, and flick a mouse with the other.
Just lock the registry so IE doesn't start anymore.
This is awesome. Now even Windows users who switch over from IE are fucked because windowsupdate.com doesn't play well with other browsers.
- The host site advertises Firefox as a safer browser, they reluctantly try it (or something else)
- A popup appears at the same point in Alternative Browser
- Dumb IE user still clicks yes despite the increased number of warnings (involuntary spasm)
- IE gets infected by tons of crap and (here's the different, important part) immediately makes them known to the user
Those who would never get hit like this but have to clean someone else's PC would immediately recognize "Integrated Search Technologies" as IST, but the @$$ in question would just do like they normally would. But everything that this
Now I know this revolves around tried-and-true Social Engineering tactics, but it's the ones that fall for it that IST - and any other Malware author who would rather have you run a system their crap will work on than anything else - want to keep on IE. You don't think they'd realise the dialog is just like IE's, do you? They would have thought that until the box actually did something. Remember, ActiveX dialogs don't usually slap the malware in the user's face right afterwards, so - by a victim's logic - something else must have done it.
If I'm right, this is all about scare tactics and FUD coming from Malware purveyors, instead of MS.
Talk about spewing FUD. Any update can be manually downloaded in any browser. I get along quite fine on Windows without IE. LitePC.com is the answer to getting rid of IE for good. I have never needed IE and never will.
Eventually they'll get prosecuted and punished by someone if gov won't do it.
I heard that this was a measure to prevent people from locking their keys in their car.
My BMW E30 only lets the doors lock when they're all closed. So you're either in the car, or you're outside the car using your keys to lock it. Problem solved.
Though potentially unhelpful, I feel compelled to note that I complained about this to a vendor several months ago...the difference being that what compromised my laptop was completely automated. This was on a fairly restricted FF/PR on W2K, and I have since reinstalled for various reasons. I see that a number of people have commented on the users who ignore security warnings and get shafted...but I think it's prudent to remark that I strongly believe there is (or was) at least one FF->IE cross-compromise that doesn't require user intervention. Unfortunately, I've just purged to reinstall again, and I may not be able to be more specific. I will say that the exploit that nailed me caused a FF window to flash up (despite restrictions, and despite ZoneAlarm Pro) and a deluge of unexpected drive access. Bells went off, I immediately started IE (which I rarely use), and I found a web search toolbar installed. So, heads-up, all the way down here.
You can't do it (uninstall Explorer from Windows). Have you ever tried? Want to really break your windows install, try uninstalling explorer. The problem seems to me to be that the Mozilla browser is the culprit here. Since when do we blame MS for a leaky browser that allows files to be infected on our machine, then in the next breath blame MS for being infected by a vulnerability in the Mozilla browser? That makes very little sense to me.
Speaking as a sendmail admin, I wish I had moderator points today so I could mod that up funny.
I was checking out a database report generator yesterday and the installation instructions explicitly advise one to use the "force" option on the Linux package installers. Grrrr. One of my pet peeves. People who don't understand packaging systems should not be telling their users how to use them.
How is this news? Anyone that reads this site that doesn't already know that IE is a seething shitpile of crap, within which a new hole is discovered almost daily, or that knows that and still chooses to use it out of masochism, ignorance, or an inflated sense of immortality, is unreachable, and you could post "IE now confirmed to actively destroy data on your PC, send your financial information to spammers, and forward your list of porn URLs to your SO and your church", and they'd still continue to use it.
The becomes training in holding your handle up every time you close the door only if you lock the door every time you close it.
In a lot of urban environments, this is how it is done, and your example holds up pretty well.
Outside the cities, and probably in hyper-law-abiding Japan, we have the luxury of not locking our doors when we leave the car, and even (gasp!) leaving the keys in the car. Thus, we only hold that handle up when we are actually locking the car in a strange or urban environment, where we are hyper-vigilant anyway.
Small town America--it may be boring, but that ain't always a bad thing...
Fundamentalism is a crime against humanity
Yeah, this is news-worthy. An idiot can infect his PC if he lets untrusted code run on his computer. Wow, that's QUITE a story! This up next: Dihydrogen Monoxide kills! Stay tuned!
Knight37 - Once a Gamer, Always a Gamer
Very OT, but it's the truth!
as in Invasion of the Bodysnatchers. /.ers post these irrelevant FACTS!
You prob won't ever read this but here goes.
The severity of her injury is irrelevant to anything but determining damages...If McDonald's is at fault.
How much McDonald's makes selling coffee is irrelevant unless you are anti-capitalist.
Perhaps a case could be made-I would still disagree-that if the coffee was hotter than that usually served at McDonald's that they were partially responsible BUT THEY DIDN'T SPILL THE COFFEE!!! or cause it to happen IN ANY WAY!
The thing that drives me up the wall about those agreeing with the verdict is the "You don't know the facts tone"
CHRIST!! HOW many times do
And that shit is so all over the web as propaganda by tort lawyers.
Think about it. If McDonald's did not cause the accident and the coffee was at the temp they always sell it at WHY ARE THEY RESPONSIBLE???
This is the mentality that if someone is injured and someone can pay give the victim something regardless of whether the payer is responsible.
If you believe this there is no hope for you although trial lawyers will love you for it.
Just do what I do. Lock down your Internet Explorer with permissions so that only your Administrator account has access to run, read, write, modify, etc. (for windows updates and such)...then as long as you're running with a standard user account, nothing can touch your Internet Explorer.
Problem Solved...Move on.
Now. How hot do you want that coffee?