Slashdot Mirror


IE Vulnerable to Cross-Browser Spyware Attack

An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browsers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate protection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

34 of 619 comments

  1. Caveat by Kimos · · Score: 5, Informative

    IF you're running Java and you click 'Yes' to the security warning...

    1. Re:Caveat by Deathlizard · · Score: 5, Informative

      What makes this even more scary is that it isn't technically a bug.

      There is nothing stopping the spyware company from getting a valid signature and packaging it. It happens all the time in IE. In fact, most of the spyware installers out there for IE are digitally signed.

      Using Java, they could easily socially engineer you to download and trust this thing, use Java to find out what OS you're running, download spyware/rootkits/etc. for your particular PC OS and own your box totally independent of IE.

      A lot of the reason why Firefox is so safe is because it doesn't support ActiveX and prompt you all day to install the legacy scumware stuff. If it did support ActiveX in any way it would be prompting you just like IE would, people would click on yes just like they do in IE, and people would get owned just like they do with IE. Since it supports Java, however, they will just gamble that you have Java and get you to do the same thing they were doing in ActiveX, only with Java instead.

      The spyware writers know that 99% of computer users don't know what they are doing and they exploit that, pure and simple, and there's nothing that Bill Gates, Linus Torvalds, or Steve Jobs is going to do about that. This is what Kevin Mitnick has been preaching for some time now, that social engineering is the hacker's favorite tool, and until anyone who writes internet enabled code understands that, there's going to be a really big security problem in the future.

    2. Re:Caveat by pilkul · · Score: 3, Informative
      sue large companies for spilling hot coffee on themselves

      This case was actually less silly than it sounds. McDonalds was intentionally serving their coffee hotter than safe levels in order to make people take longer to drink it, thus decreasing the number of free refills they had to give out and saving them money. They were repeatedly warned about this but continued serving the coffee too hot, thus the lawsuit.

    3. Re:Caveat by cat_jesus · · Score: 4, Informative

      More like, thus the big hit on damages. The other problem with the McDonald's case is the coffee was hot enough to cause third degree burns. It is illegal to sell food in a restaurant that is inedible or dangerous. The lady in question knew she did a dumb thing but she suffered third degree burns on her inner thighs which required skin grafts. She could not afford to pay her medical bills (she was very old and on a fixed income) and asked McDonald's to pay. She was not seeking any compensation past her own medical bills. When the jury found out that McDonald's knew their coffee was too hot, knew people were getting injured and figured the number of people getting third degree burns was acceptable, they stuck it to McDonald's.

      If anything, this was a case that demonstrated why we need to be able to sue the shit out of a company when it deliberately harms people.

      The devil is in the details.

    4. Re:Caveat by Jtheletter · · Score: 4, Informative
      sue large companies for spilling hot coffee on themselves

      I'm going to give you the benefit of the doubt on this one and assume you're referring to some other case involving a hot coffee suit, and not the infamous McDonalds suit. If you actually take the time to read the details of the McD's suit you'll see that the franchise in question was serving coffee at a temperature way way above what any reasonable person would consider acceptable. They had received numerous complaints about it prior to the incident, and the woman who was burned by the coffee received severe 2nd and 3rd degree burns. In other words - the suit was totally warranted. Any coffee at a temperature high enough to cause 3rd degree burns through clothing is unsafe and should not be served.

      I provide this info for other readers who may not know the details of the case but love to point to it as an example of a frivolous lawsuit when in fact it is completely justified.

      Relevant Links:
      reference article
      google search on topic

      --
      -- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
    5. Re:Caveat by MrLint · · Score: 2, Informative

      The macosx has a details turndown to show 'requested right' which in my test case is system.install.root.user

      and application /Applications/Utilities/Installer.app

      It should be noted that this is from an mpkg; I'm looking to see if I have a standalone application installer around.

    6. Re:Caveat by Plutor · · Score: 2, Informative

      The lady in question knew she did a dumb thing...

      She did no dumb thing. It is often reported that she 1) was driving, and 2) placed the cup between her legs. Neither is true. Her son was driving, and she was in the passenger's seat. She merely grabbed the cup, which had an inadequately secured lid, and was therefore far less stable.

    7. Re:Caveat by ArekRashan · · Score: 1, Informative
      Please, not this tired shit again.

      //yro.slashdot.org/yro/03/12/22/1239222.shtml?tid=123&tid=126&tid=95&tid=99

      //yro.slashdot.org/article.pl?sid=03/02/06/184213

      //slashdot.org/articles/04/02/27/1358236.shtml

      //yro.slashdot.org/article.pl?sid=03/01/07/1230212&mode=thread&tid=123

      CTRL-F for 'coffee' ought to do yer fine. Go re-read the great Slashdot coffee debates of yesterday if that provides the surcease your grubby heart seems to require. Nurse old wounds and insults. But keep your obnoxious little fetish to yourself, okay?

      This isn't even a YRO article. Civil Law is not specifically a subject of the article but should be considered on-topic so long as it relates to the subject of the article under discussion.

      Malicious websites are installing a malware bundle that can defeat the security of the following browsers: Firefox, Mozilla, Netscape. Daniel Veditz, Mozilla security head, says Opera and Netcaptor aren't immune. This bundle requires java to operate. The hook that makes this different enough to be interesting is that the bundle installs a whole package of horrible Internet Explorer spyware, even if your IE is as locked down as you can get it. Granted, the user has to click a button so it's not a total disaster.

      Unfortunately, most of us don't have the razor hacker precision it takes to read each button in laser detail each time we see it. I see this particular incident as another indictment of the practice of browsing the web with too many user privileges unsecured. More specifically, I wonder if it was wise for Microsoft to integrate (assimilate) the web browser into the operating system, thereby transforming a necessary security hole into a systemic 'Open for business' aperture which provides access to nearly any part or process of a system so transformed.

      .

      How did we get so badly off-topic? And why, why this topic?

      As I have said, I would consider Civil Law to have a reasonable place in the wider discussions of security in theory and current implementation that such an article might hope to provoke. Specific civil lawsuits might have relevance, especially if they involved parties named Microsoft, Netscape, Mozilla Foundation, or Sun Microsystems. Liebeck v. McDonald's Restaurants is not funny anymore, much less on-topic.

      Let's examine the particulars.

      McDonald's Coffee. Slashdot.

      Great-grandparent poster:

      That's true, and is why I don't believe that any OS or browser is going to save us from malware. Until the average user learns safe computing practices, they're going to continue installing stuff they later wish they hadn't; in time even if they do stop running as admin, they'll get used to typing in their admin (or root) username and password.

      This is in direct relation to the subject of the article. Good Job, Great-grandparent poster!

      The grandparent poster had this to say in response:

      This isn't just a problem for the tech industry. Have a look at how many people smoke cigarettes that will kill them despite the warnings, sue large companies for spilling hot coffee on themselves, force plugs into "dummy proof" sockets, etc., etc. etc.

      Some people are just plain dumb sometimes. No amount of education can cure human stupidity.

      Way to cast the first stone, Grandparent poster! You get points for a sane response to an on-topic post, but you lose them all by using nine little words. sue large companies for spilling hot coffee on the

    8. Re:Caveat by NutscrapeSucks · · Score: 2, Informative

      Most big PC OEMs (Dell, HP) ship with Sun Java installed. Also Apple and as you might guess, Sun.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    9. Re:Caveat by Kiryat+Malachi · · Score: 3, Informative

      By serving the liquid at 190+ degrees Fahrenheit, a temperature at which dermal tissue will suffer third-degree burns (which is not defined as charring, but rather as a burn affecting all of the layers of the skin, including the deep dermal tissue, and sometimes burning into subcutaneous layers of fat, muscle, and even bone) in less than 10 seconds of direct contact.

      Charring is not, despite Wikipedia's insistence, the sole arbiter of burn degree; depth of burn is the arbiter generally used.

      --

      ---
      Mod me down, you fucking twits. Go ahead. I dare you.
      (I read with sigs off.)
  2. Bogus Headline by karmatic · · Score: 5, Informative

    The spyware installs itself using Java. It's not browser-specific; you can infect IE using Mozilla, Opera, IE, etc.

    There _is_ a dialog box, since the applet is unsigned. I tried signing it with my certificate; it installed itself without prompting. I believe it uses some sort of JRE exploit.

    1. Re:Bogus Headline by Crazy+Man+on+Fire · · Score: 4, Informative

      No "exploit" here. AFAIK, code signed by a trusted certificate can run without prompting the user.

    2. Re:Bogus Headline by Anonymous Coward · · Score: 1, Informative

      That permission is called trusting the applet, which the user has done. (If you sign it with your own certificate you probably have already marked that certificate as trusted so it still runs)

  3. Not just browsers. by meisenst · · Score: 5, Informative

    It's important to identify that if this is not a browser thing, but a Sun JRE thing, any Java-enabled program that can come in contact with the installer applet could potentially infect your system.

    --
    Green's Law of Debate: Anything is possible if you don't know what you're talking about.
  4. Let me get this straight... by bersl2 · · Score: 5, Informative

    By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer.... VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

    So, the attack happens through Sun's JVM, affects IE, and consequently has nothing to do with Firefox, which was inserted into the article for maximum troll capability.

    1. Re:Let me get this straight... by m50d · · Score: 2, Informative

      No, because the attack happens when browsing with firefox, or in fact anything using Sun's JVM, but firefox is the only popular alternative. So even if you're running firefox for your pr0n surfing and only using IE for trusted sites like your bank that require it, you're vulnerable. Which is newsworthy.

      --
      I am trolling
  5. Re:This can already happen by Mad+Merlin · · Score: 3, Informative

    As has been mentioned before on Slashdot, the new versions of Flash come with the Yahoo! toolbar also.

  6. Re:Remove IE..... by MrDomino · · Score: 3, Informative

    Actually, it's possible. It's not particularly easy, but it can be done.

  7. Trend Micro by mazevedo · · Score: 3, Informative

    When I tried to open the page he shows as the source of infection, my TrendMicro Antivirus Software automatically detected it and trashed it.

    What scares me most, is that FF didn't ask to download the file, it just downloaded the JAR into the cache folder.

    --
    mazevedo
  8. Re:Java by JPrice · · Score: 4, Informative

    It doesn't "escape" the sandbox... the user explicitly grants it permission to play outside of the sandbox.

    Java is behaving in exactly the manner it's designed and advertised to act.

  9. Re:Java by RetroGeek · · Score: 5, Informative

    the installer escapes Java's sandbox

    No. The user unlocks and opens the door, THEN the exploit escapes.

    All the systems are working as designed. It is the user who opens the door.

    --

    - - - - - - - - - - -
    I am a programmer. I am paid to produce syntax not grammar. Deal with it.
  10. Re:IE? by oglueck · · Score: 5, Informative

    This has nothing to do with Firefox or the JRE, nor IE. The JRE's security manager properly issues a warning that the user is about to run arbitrary code. It's like an email worm. The user's interaction and ignorance is needed to spread the thing.

  11. Re:Not a Java Exploit by Anonymous Coward · · Score: 5, Informative

    There are two types of Java applets: signed and unsigned. Unsigned applets run in a sandbox inside your Web browser. A Java exploit would be an unsigned applet that could "get out" and do something malicious. This doesn't seem to be an unsigned applet.

    Signed applets don't run inside a sandbox. A signed applet can do anything that any other executable program can do; including formatting your disk or installing spyware. They are not any safer than programs written in C or assembly language.

    --Steve

  12. Well, if they ran my posting ... by Anonymous Coward · · Score: 1, Informative
    I also submitted an article on this. [Big karma hit for bitching, eh?]

    I included in mine a link (off the VitalSecurity page, but still ...) to a discussion thread that indicates Opera was not vulnerable. I wasn't able to get the warning (nor the attempt to install) using either the release or beta versions of Opera for Windows.

    As well, I was able to prevent infection attempts in FireFox by blocking connections to *.ysbweb.com. [your search bar]. (The Proxomitron is your friend.)

    The company that signed the applet is "Integrated Search Technologies", which is apparently targeted by several anti-spyware programs.
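
As an added illustration of the signed-versus-unsigned distinction Steve describes above and the "who signed it" question in the comment just before this one (example code added here, not from any commenter or from Sun): a small Python triage script that reports whether a JAR carries signature files under META-INF/ and whether its entries still match the manifest digests, so a class modified or added after signing shows up. The sample JARs are constructed in memory; checking the signer's certificate and its validity period needs jarsigner -verify -verbose, which this script does not replace.

```python
import base64
import hashlib
import io
import zipfile

# Files a signed JAR carries under META-INF/: a .SF file plus a PKCS#7 block
# (.RSA, .DSA or .EC). Their presence only means the JAR *claims* a signature.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def parse_manifest(text):
    """Return {entry name: {digest algorithm: base64 digest}} from MANIFEST.MF."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of a folded line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    digests, current = {}, None
    for line in lines:
        if not line:                           # a blank line ends a section
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = value
            digests[current] = {}
        elif key.endswith("-Digest") and current is not None:
            digests[current][key[: -len("-Digest")]] = value
    return digests


def inspect_jar(jar_bytes):
    """Does the JAR claim a signature, and do its entries still match the manifest?"""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        sig_files = sorted(n for n in names
                           if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES))
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8") if "META-INF/MANIFEST.MF" in names else ""
        listed = parse_manifest(manifest)
        mismatches, unlisted = set(), []
        for name in names:
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            if name not in listed:             # added after signing: the signature covers nothing here
                unlisted.append(name)
                continue
            data = zf.read(name)
            for algo, expected in listed[name].items():
                # manifest "SHA-256-Digest" -> hashlib "sha256", "SHA1-Digest" -> "sha1"
                actual = base64.b64encode(hashlib.new(algo.replace("-", "").lower(), data).digest()).decode()
                if actual != expected:
                    mismatches.add(name)
        return {"claims_signature": bool(sig_files), "signature_files": sig_files,
                "digest_mismatches": sorted(mismatches), "unlisted_entries": sorted(unlisted)}


def build_jar(manifest_entries, actual_entries, signed):
    """Constructed sample: digests computed over manifest_entries, files written from actual_entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        sections = ["Manifest-Version: 1.0", ""]
        for name, data in manifest_entries.items():
            digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
            sections += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(sections) + "\r\n")
        if signed:  # placeholder signature files; a real .RSA holds a PKCS#7 blob with the signer's cert
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"PLACEHOLDER-PKCS7-BLOCK")
        for name, data in actual_entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


CLEAN = {"installer/Main.class": b"\xca\xfe\xba\xbe constructed class bytes"}
TAMPERED = {"installer/Main.class": b"\xca\xfe\xba\xbe modified after signing",
            "installer/Dropper.class": b"\xca\xfe\xba\xbe never listed in the manifest"}
SAMPLE_UNSIGNED = build_jar(CLEAN, CLEAN, signed=False)
SAMPLE_SIGNED = build_jar(CLEAN, CLEAN, signed=True)
SAMPLE_TAMPERED = build_jar(CLEAN, TAMPERED, signed=True)
```

Run inspect_jar on a JAR pulled from the browser cache to see whether it even claims a signature before deciding how much weight the trust prompt deserved.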

  13. Re:Same old story by SirTalon42 · · Score: 4, Informative

    It's Java, nothing to do with FireFox.

  14. Re:If you are using Firefox, you won't need to use by wk633 · · Score: 3, Informative

    You missed the part where IE opened on its own. Unless you have REMOVED IE from your system (good luck) or never had it in the first place (ya, ya, Mac and Linux and BSD are great) then you care about this.

  15. Re:The assumption was that Java Applets can't 0wn by JohnnyCannuk · · Score: 4, Informative

    No, the prompt was from the JRE indicating that the applet that was being downloaded was asking for special privileges, beyond that of the sandbox (see the picture in the middle of the Vital Security article). 3 exclamation marks, big and yellow, telling the user that it couldn't verify the authenticity of the applet, that the cert used to sign it had expired and then warned the user specifically to NOT say yes.

    The idiot said yes anyway.

    Now, if this happened without those warnings, then there would be an issue. But that is not the case. The JRE functioned as it was designed to - to allow for extra privileges to be granted to an applet under certain circumstances and to vigorously warn the user and present them with information beforehand. It was the user that ignored the warning, not the JRE.

    Note to self: never get advice from "Vital Security" about security because anyone that would ignore that kind of warning from a site they did not know is definitely NOT a security professional.

    --
    Never by hatred has hatred been appeased, only by kindness - the Buddha
  16. Re:The assumption was that Java Applets can't 0wn by WhiteWolf666 · · Score: 2, Informative

    Java applets can do all sorts of things.

    It is not true that they can't 0wn your box.

    In fact, whoever told you that should be shot.

    Java is very powerful, and can do many, many interesting things.

    If it works properly (i.e. no exploits), then a Java applet will not be able to silently 0wn your box.

    It'll request permissions, and you'll have to approve it.

    There are two possible circumventions.

    1. Set system-wide permissions too low. By default, they come pretty restrictive. I would not suggest changing them.

    2. Exploit in the JRE. Has happened before (rarely). This doesn't count.

    Java is not a pure safe language. Java does not run its applets in an entirely isolated Virtual Machine.

    Java, however, does not experience buffer overruns (which lead to exploits), and does not experience a variety of other security problems.

    No exploits != No 0wnage.

    No exploits = No 0wnage without requesting security permissions.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  17. Re:Secure login by Xoder · · Score: 2, Informative

    Actually, the three magic fingers doesn't do what it's supposed to anymore. You can now create a virtual desktop, and do whatever you like with that key combo. I read about it in DDJ. MS is happy to have made it, since it makes the kiosk software people happy.

    and Re: the script: devilishly clever, sir.

    --
    The previous sig has been removed due to /. protecting your best interests
  18. Re:The assumption was that Java Applets can't 0wn by matman · · Score: 2, Informative

    In response to the other responses....

    Sorry for the oversight - this has nothing to do with SSL. The browser is prompting the user, stating that the authenticity of the cert cannot be validated and is asking the user whether the applet should be trusted anyway. The user is not being asked whether the applet should be trusted with elevated privilege to install software. In fact, in Firefox certificate trusts and software installation trusts are two separate configuration spaces. Even if the user read the Firefox documentation, they would expect to be prompted explicitly for software installs, independently from certificate issues. There is no mention of privilege or software installation on that dialogue.

    My expectation for an applet with a bad cert trying to install software is to:
    1. Prompt for trust of certificate
    2. AND prompt for permission to install software

    My expectation was that trusting this certificate will:
    1. if defined in Firefox's Software Install config, run under configured settings for that particular domain
    2. OR prompt for further privilege (to install software)

    Users are also so used to ignoring certificate problems for SSL sites that the user will always ignore certificate problems for sites that they do not trust. Users do not care if confidentiality and/or integrity of communications with an untrusted site are compromised as they don't really trust the communication to begin with. Users assume (as they should) that attempts by untrusted sites to do anything which may violate security will be prompted for or denied by default.

    The notice that Firefox has stopped the installation of software will be disregarded by the user as the user will believe that the installation has been blocked and can only be unblocked by right clicking on that notice. The dialogue with which the user is interacting will not be assumed to be related to the notice that installation of software was prevented.

    If it is the case that trusting the applet by providing a positive response to this dialogue results in the applet running outside of a sandbox, I would argue that the dialogue is misleading and extremely dangerous. In this case the dialogue must be changed to be more clear. The dialogues presented by Firefox (or the JVM?) are completely inadequate and must be fixed. Claiming that everything is working fine is ridiculous if the guy only accepted the dialogue as shown in the screenshot. The user is not at fault.

    Further, assuming that there was no certificate problem (e.g. if the attacker had a Verisign certificate), would the user have been prompted with anything? I certainly would not expect that anyone with a Verisign certificate has an ability to run applets at elevated privilege without me being prompted by my browser. If browsers/JVM will run all signed applets at an elevated privilege I would consider that a major vulnerability and a completely boneheaded design. I don't think that this is the case and expect that the user would have to define the host as being allowed to install software in the Firefox configuration.

    W.R.T. the security professional comment... few except for those professionals who have in-depth experience with applet security would know to have expectations other than those which I described in this message. One cannot be an expert in everything. I would suggest that you meant that anyone who would ignore that kind of warning from a site they did not know, on a box they care much about, is definitely NOT a security professional.

  19. Re:Secure login by m50d · · Score: 3, Informative

    Erm, it took about a week for a trojan which intercepted the ctrl-alt-del to come out.

    --
    I am trolling
  20. Re:Remove IE..... by MrDomino · · Score: 3, Informative
    The only thing I use it for is to go to the M$ site and grab security updates, I can't be bothered to look for a new way to do that and also don't see any reason why it would be worth it.

    There's actually a solution for that, too. One relatively painless Firefox extension install, and you no longer have any need to keep IE on your computer. Now, granted, you might say that you don't trust WindizUpdate; on the other hand, though, do you trust Microsoft?

  21. McAfee VirusScan by brettlbecker · · Score: 3, Informative

    When I visited http://www.lyricspy.com/ (the site listed as being the origin in the VitalSecurity story) I immediately received a pop-up warning from McAfee 8.0 that the file "javainstaller.jar" is a Trojan, and an "exploit". The installer window never appears at all.

    Additionally, Firefox automatically blocks the installation with its pop-up blocker, so it appears that, with my settings (which are not terribly restrictive), I have a double layer of security preventing me from even getting to the point of clicking "yes" to the installer.

    Not too big a deal, this, but it is good to know that following basic security procedures like keeping virus definitions up to date and using the pop-up blocker correctly can make it a lot easier to avoid the kind of crap this story deals with. I do realize, however, that a great many people do not follow these guidelines, and that that is the point of the story.

    But I would like to point out that it seems that I am not quite as vulnerable as this story makes it appear that I will be (when running Windows). And, of course, if I flip over to my Fedora Core 3 partition, this problem goes away entirely.

    And yes, I am using the Sun Java Runtime.

    B

    --
    "We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
  22. The coffee case was frivolous by Anonymous Coward · · Score: 1, Informative

    If you actually take the time to read the details of the McD's suit you'll see that the franchise in question was serving coffee at a temperature way way above what any reasonable person would consider acceptable.

    A) I routinely boil up some water in the kettle, pour it into a cup, put hot chocolate mix in it, and hand it to someone. I expect a sane, mentally competent adult to realize that hot drinks may be hot at first. Somehow, for thousands of years, adults have managed to deal with the concept of hot drinks. The McDonalds incident wasn't even boiling -- it was *colder* than what I'm talking about.

    B) There are a ton of people that eat at McDonalds who *didn't* find the coffee "way above what any reasonable person would consider acceptable" -- including this woman, if she'd ever had a McDonald's coffee before.

    C) They had received numerous complaints about it prior to the incident

    They're McDonald's. They're enormous. They have complaints about coffee being too hot, meat not being kosher, coffee being too cold, a lack of Italian buns, and so forth. It would be unusual if they had *nobody* mentioning it.

    They had received numerous complaints about it prior to the incident, and the woman who was burned by the coffee received severe 2nd and 3rd degree burns.

    And if you were familiar with the case and were being honest, you would have mentioned that all the *other* coffees from the *other* fast-food places caused the same burns -- it's just that McDonald's, being the hottest of the temperature range by ten degrees, did so faster.

    I provide this info for other readers who may not know the details of the case but love to point to it as an example of a justified lawsuit when in fact it is completely frivolous.