Slashdot Mirror


IE Vulnerable to Cross-Browser Spyware Attack

An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browsers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate protection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

14 of 619 comments

  1. Caveat by Kimos · · Score: 5, Informative

    IF you're running Java and you click 'Yes' to the security warning...

    1. Re:Caveat by Deathlizard · · Score: 5, Informative

      What makes this even more scary is that it isn't technically a bug.

      There is nothing stopping the spyware company from getting a valid signature and packaging it. It happens all the time in IE. In fact, most of the spyware installers out there for IE are digitally signed.

      Using Java, they could easily socially engineer you to download and trust this thing, use Java to find out what OS you're running, download spyware/rootkits/etc. for your particular PC OS and own your box totally independent of IE.

      A lot of the reason why Firefox is so safe is because it doesn't support ActiveX and prompt you all day to install the legacy scumware stuff. If it did support ActiveX in any way it would be prompting you just like IE would, People would click on yes just like they do in IE, and people would get owned just like they do with IE. Since it supports Java, however, they will just gamble that you have Java and get you to do the same thing they were doing in ActiveX, only with Java instead.

      The spyware writers know that 99% of computer users don't know what they are doing and they exploit that, pure and simple, and there's nothing that Bill Gates, Linus Torvalds, or Steve Jobs is going to do about that. This is what Kevin Mitnick has been preaching for some time now, that social engineering is the hacker's favorite tool, and until anyone who writes internet-enabled code understands that, there's going to be a really big security problem in the future.

    2. Re:Caveat by cat_jesus · · Score: 4, Informative

      More like, thus the big hit on damages. The other problem with the McDonald's case is the coffee was hot enough to cause third degree burns. It is illegal to sell food in a restaurant that is inedible or dangerous. The lady in question knew she did a dumb thing but she suffered third degree burns on her inner thighs which required skin grafts. She could not afford to pay her medical bills (she was very old and on a fixed income) and asked McDonald's to pay. She was not seeking any compensation past her own medical bills. When the jury found out that McDonald's knew their coffee was too hot, knew people were getting injured and figured the number of people getting third degree burns was acceptable, they stuck it to McDonald's.

      If anything, this was a case that demonstrated why we need to be able to sue the shit out of a company when it deliberately harms people.

      The devil is in the details.

    3. Re:Caveat by Jtheletter · · Score: 4, Informative
      sue large companies for spilling hot coffee on themselves

      I'm going to give you the benefit of the doubt on this one and assume you're referring to some other case involving a hot coffee suit, and not the infamous McDonalds suit. If you actually take the time to read the details of the McD's suit you'll see that the franchise in question was serving coffee at a temperature way way above what any reasonable person would consider acceptable. They had received numerous complaints about it prior to the incident, and the woman who was burned by the coffee received severe 2nd and 3rd degree burns. In other words - the suit was totally warranted. Any coffee at a temperature high enough to cause 3rd degree burns through clothing is unsafe and should not be served.

      I provide this info for other readers who may not know the details of the case but love to point to it as an example of a frivolous lawsuit when in fact it is completely justified.

      Relevant Links:
      reference article
      google search on topic

      --
      -- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
  2. Bogus Headline by karmatic · · Score: 5, Informative

    The spyware installs itself using Java. It's not browser-specific; you can infect IE using Mozilla, Opera, IE, etc.

    There _is_ a dialog box, since the applet is unsigned. I tried signing it with my certificate; it installed itself without prompting. I believe it uses some sort of JRE exploit.

    1. Re:Bogus Headline by Crazy+Man+on+Fire · · Score: 4, Informative

      No "exploit" here. AFAIK, code signed by a trusted certificate can run without prompting the user.

  3. Not just browsers. by meisenst · · Score: 5, Informative

    It's important to identify that if this is not a browser thing, but a Sun JRE thing, any Java-enabled program that can come in contact with the installer applet could potentially infect your system.

    --
    Green's Law of Debate: Anything is possible if you don't know what you're talking about.
  4. Let me get this straight... by bersl2 · · Score: 5, Informative

    By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer.... VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

    So, the attack happens through Sun's JVM, affects IE, and consequently has nothing to do with Firefox, which was inserted into the article for maximum troll capability.

  5. Re:Java by JPrice · · Score: 4, Informative

    It doesn't "escape" the sandbox... the user explicitly grants it permission to play outside of the sandbox.

    Java is behaving in exactly the manner it's designed and advertised to act.

  6. Re:Java by RetroGeek · · Score: 5, Informative

    the installer escapes Java's sandbox

    No. The user unlocks and opens the door, THEN the exploit escapes.

    All the systems are working as designed. It is the user who opens the door.

    --

    - - - - - - - - - - -
    I am a programmer. I am paid to produce syntax not grammar. Deal with it.
  7. Re:IE? by oglueck · · Score: 5, Informative

    This has nothing to do with Firefox or the JRE, nor IE. The JRE's security manager properly issues a warning that the user is about to run arbitrary code. It's like an email worm. The user's interaction and ignorance are needed to spread the thing.

  8. Re:Not a Java Exploit by Anonymous Coward · · Score: 5, Informative

    There are two types of Java applets: signed and unsigned. Unsigned applets run in a sandbox inside your Web browser. A Java exploit would be an unsigned applet that could "get out" and do something malicious. This doesn't seem to be an unsigned applet.

    Signed applets don't run inside a sandbox. A signed applet can do anything that any other executable program can do; including formatting your disk or installing spyware. They are not any safer than programs written in C or assembly language.

    --Steve

  9. Re:Same old story by SirTalon42 · · Score: 4, Informative

    It's Java, nothing to do with Firefox.

  10. Re:The assumption was that Java Applets can't 0wn by JohnnyCannuk · · Score: 4, Informative

    No, the prompt was from the JRE indicating that the applet that was being downloaded was asking for special privileges, beyond that of the sandbox (see the picture in the middle of the Vital Security article). 3 exclamation marks, big and yellow, telling the user that it couldn't verify the authenticity of the applet, that the cert used to sign it had expired and then warned the user specifically to NOT say yes.

    The idiot said yes anyway.

    Now, if this happened without those warnings, then there would be an issue. But that is not the case. The JRE functioned as it was designed to - to allow for extra privileges to be granted to an applet under certain circumstances and to vigorously warn the user and present them with information beforehand. It was the user that ignored the warning, not the JRE.

    Note to self: never get advice from "Vital Security" about security because anyone that would ignore that kind of warning from a site they did not know is definitely NOT a security professional.

    --
    Never by hatred has hatred been appeased, only by kindness - the Buddha