IE Vulnerable to Cross-Browser Spyware Attack
An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browsers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate protection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.
It will be interesting to see if there is the usual 24 hour turnaround on a fix for this from the Mozilla Foundation. Lord knows Microsoft probably won't lift a finger to fix it.
FoundNews.com - get paid to blog.,
The article title/summary focuses more on how IE is to blame rather than the real root of the problem, which appears to be Java. I realize this is Slashdot and it's Microsoft, but come on.
If you leave the house you will get sick. There are holes in everything. The added value of open source is the ability to patch the system quickly. If Linux had 70% of the desktop market share you would see more viruses for it. But the hole they exploit would be fixed quicker. The question really becomes getting people to update their machines. That really is more of the problem. I'm sure there are plenty of unpatched systems out there spreading nimda.
"All I can tell the "lesser of two evils" folks is that if they keep voting for evil, they'll keep getting evil."-Lp.org
Isn't this a Java problem more than it is a browser problem, as it seems the installer escapes Java's sandbox and alters external files?
from the if-you-must-run-windows-remove-ie dept.
Really? The Microsoft website often blocks browsers other than IE from downloading updates and whatnot.
You CAN'T just remove IE. You need it. Just try to update office on firefox for example:
http://office.microsoft.com/en-us/officeupdate/de
Forgot his sarcasm tags.
That's the point isn't it, though. Crappy software is installed.. spyware comes as an infection. When will we acknowledge that these spyware writers are writing viruses which infect and damage people's systems through backdoor hacking techniques?
Why are the authors not prosecuted?
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
It's important to identify that this is not a Sun JRE thing, but a user error thing!
Any time a website asks you to trust them to install something on your computer, you should probably say no. If you say yes, you are going to get owned 99% of the time.
Actually, the title of tfa should be "Firefox vulnerability could provide access to IE". The problem is Firefox or Java, not IE.
If an exploit asks you to run it, does it still count as a security exploit? It's not taking advantage of anything other than the user's own stupidity/ignorance if they get infected by it. Similar to those email viruses where you have to open the attached zip, enter the password and then run the exe to get infected.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
To me this sounds like a Java exploit and not something you can pin on either IE, Firefox or any other browser. It would be pretty lame to demand that Firefox should protect IE from a Java exploit, yes?
HTTP/1.1 400
... and unfortunately, the system default is to have Java enabled, and the user default is to answer "Yes" to any dialog boxes popping up while browsing the web.
Beware: In C++, your friends can see your privates!
No way, RTFA.
Firefox warns the hell out of you about allowing a signed, but unverifiable applet from installing itself. Look at the screenshot, there's three separate big warning images.
If the web browser lets you download and install software, even if it warns you that doing so might be dangerous, the author contends this is a bug. That's silly. That's the *point* of a web browser. To download content from the internet.
The security warning explicitly states, "The security certificate was issued by a company that is not trusted".
I mean, what do people expect? A little hobgoblin to pop out of their computer and whack them in the head with a mallet if they try to click 'yes'?
It's simple: I demand prosecution for torture.
you're assuming that people read these warnings. i think it's fair to say that a goodly number of users are in fact not really reading them. maybe the little hobgoblin wouldn't be such a bad idea after all... :>
ed
This is infecting the machine using a signed applet. Hello? I can do anything I want to your PC if you allow a signed applet to run. This is not news. I can install a trojan, key logger, back door, whatever. Infecting IE is the least of someone's problems if they allow signed applets from untrusted sources to run.
the user default is to answer "Yes" to any dialog boxes popping up while browsing the web.
That's true, and is why I don't believe that any OS or browser is going to save us from malware. Until the average user learns safe computing practices, they're going to continue installing stuff they later wish they hadn't; in time even if they do stop running as admin, they'll get used to typing in their admin (or root) username and password.
It's official. Most of you are morons.
As other people have noted, you still have to say "yes, bone me". But people don't expect a Java applet (since it's normally firewalled) to be dangerous, so they're more likely to say "yes".
If allowing an unrestricted Java applet to run is just as dangerous as installing and running an application, then the dialog box should reflect that. If Firefox is going to make you manually approve sites that you're going to allow XPI installs from, and *then* run a countdown in the warning dialog, they need to be at least as thorough about any other operation that takes you outside the sandbox.
... and after you click "Yes" to the warning, you have granted the Java code permission to modify anything on your hard drive. So, the fact that it modifies IE is really incidental. It could just as easily modify Firefox, Mozilla, OpenOffice.org, Thunderbird, emacs, gcc, and any other application it wants to.
A better title for this article would have been "Every application vulnerable to attack due to bug in either Firefox and/or Sun's JRE".
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
The user has seen enough web dialogs to know that when you see one, you click yes. If you try to read them all you'll go mad, if you click no that cool game bob told you about doesn't work. So you click yes on everything.
I am trolling
Moot point. If you are a Firefox user, you most likely don't give a rat's ass what happens to IE anyways.
I'm confused why this is considered an IE vulnerability? And I am even more confused as to why people pin this on Java.
If a user downloads an untrusted applet and grants it unrestricted security access, EVERY SINGLE THING ON YOUR COMPUTER IS VULNERABLE. Just because this particular exploit attacks IE doesn't mean that the exact same applet couldn't be altered to infect Firefox or even something completely different like Adobe Photoshop.
http://brandonbloom.name
No this is not really a Java issue either. This is a social engineering issue.
The JRE pops up its "Warning" dialog, like it's supposed to. It displays to the user that it cannot verify who signed this, that the cert is out of date etc., like it's supposed to. It displays a warning recommending that you NOT say yes and install the applet, like it's supposed to. So when you ignore all of that and say yes, you deserve to get infected. I mean, what do you want, another dialog asking "Are you sure?".
I mean 3 big yellow exclamation marks? I've never seen that even in the most unstable of development environments.
Oh and BTW, if you say yes to a Java applet in this instance, it runs as a local application without a security manager. This is not a 'hole' it is what it is supposed to do. When you say yes, that's what you're saying 'yes' to.
Now if people were taught not to do that the same way they are taught not to run arbitrary files sent to them via e-mail, this wouldn't be a problem. (That's sarcasm BTW)
In the end, the problem is the goof behind the keyboard that is willing to say 'Yes' to run applications they don't know about and that the JRE itself warns them at least 3 times in 3 ways not to run.
How do you defend against that?
Never by hatred has hatred been appeased, only by kindness - the Buddha
Installer
Ironic that Java, famous for its sandbox, seems to be the door through which this intruder enters.
Ah I was waiting for something like this!
The sandbox works just fine, thanks.
If you click "Yes" to the question: "This applet wants to access the network and your local disks. Are you sure you want to let it do this?" then, you are in trouble, because you just answered the question "Do you want to give up all security provided by the Java sandbox by running this applet that is not even signed correctly"
There is absolutely no difference with blindly clicking "Yes" on an ActiveX installation.
The whole story is a non-issue. The issue is the "Yes" button associated with end-users.
I'd say it really has very little to do with Java, it's nothing more than ActiveX controls do in IE all the time. If a user clicks "yes" in a security warning dialog box, then the code can do whatever it wants. It's not a bug, it's working how it's designed. The "bug" that they claim is that the computer will let a user do something dumb.
The fact that it even asks that stupid question when running in a web browser is ridiculous. Even asking the questions makes it just as bad as ActiveX. It should be refusing to run outside of the sandbox without forcing the (knowledgeable) user to jump through some hoops other than clicking a button.
Seriously slashdotters. . . .
At some point, the user must take some responsibility for their own security.
System doing something unintended, without user notification or permission? Security exploit.
System doing something unintended, after user notification and approval? Idiot exploit.
The ONLY way to stop idiots from being exploited is to take the permission/approval step out of their hands, and give it to someone else.
Either the sys-admin, or the OS manufacturer.
The sys-admin route is already possible. We don't need anything else for that. These boxes are secure, but a gigantic pain to work with, depending upon what your users' needs/wants are.
The OS manufacturer route. This is the route Microsoft would love to push us all.
Dump Java. It's insecure. Use our New(TM) Palladium(TM) Super-Secure Trust-In-Our-Magic-Decision-Making Signed Certificate, only MS(TM) software ActiveSecureX.
The only way to prevent (idiot) exploits such as this one, is to prevent any 'unapproved' application installs.
Ask for that, and you're asking for Trusted Computing(TM).
And I'll bet ten grand that someone will figure out how to exploit THAT, and then you'll have a pwned box that is unfixable.
This is Microsoft. Even though your users make DAMN STUPID decisions on what to install (Press Yes to Install MySpware Super-Happy Plugin!), Microsoft has proven itself to be just as, if not far more vulnerable.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Since you asked...
Create a dialog box with all the warnings. Give it an OK and a Cancel button. Closing it or clicking Cancel always causes the applet not to run.
Give it a checkbox that says "Allow this potentially dangerous applet to run without security restrictions." Leave it unchecked.
Clicking OK while it's unchecked also causes the applet not to run.
Now the user can't accidentally click yes, as two clicks are needed to unlock the applet. You can't accidentally make the user install the applet by typing "Y" when the dialog suddenly pops up.
That's how all these "do something insecure" dialogs should be. I should have to explicitly check off "OK" and then hit the "Accept" button. That includes Firefox's XPI install system, which the site mentioned also tries to exploit.
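The dialog proposed in the comment above, modelled as a small state machine. This is an added example, not part of the original thread and not code from any browser or from the JRE. The class and function names are hypothetical, and the minimum-display delay and the Cancel-as-default-button behaviour are assumptions added here.

```javascript
// Added example: a model of the two-click consent dialog described above.
// All names (ConsentDialog, replay, MIN_VISIBLE_MS) are hypothetical.

// Assumption: input that arrives before this delay is treated as accidental,
// in the spirit of the countdown on Firefox's XPI install prompt.
const MIN_VISIBLE_MS = 2000;

class ConsentDialog {
  constructor(shownAt) {
    this.shownAt = shownAt; // timestamp (ms) at which the dialog appeared
    this.checked = false;   // the "allow without restrictions" box starts unchecked
    this.result = "open";   // "open", "run" or "blocked"
  }

  // Feed one UI event into the dialog; returns the state after the event.
  handle(event) {
    if (this.result !== "open") return this.result; // already decided
    const tooEarly = event.at - this.shownAt < MIN_VISIBLE_MS;

    switch (event.type) {
      case "key":
        // No keystroke can approve. Assumption: Cancel is the default
        // button, so Enter and Escape dismiss the dialog without running.
        if (event.key === "Enter" || event.key === "Escape") {
          this.result = "blocked";
        }
        break;
      case "toggle":
        // Clicks that land before the user could have read the text are dropped.
        if (!tooEarly) this.checked = !this.checked;
        break;
      case "ok":
        if (tooEarly) break;
        // OK with the box unchecked closes the dialog and blocks the applet.
        this.result = this.checked ? "run" : "blocked";
        break;
      case "cancel":
      case "close":
        this.result = "blocked";
        break;
      default:
        break; // unknown events never change the outcome
    }
    return this.result;
  }
}

// Replay a sequence of events against a dialog shown at t = 0.
function replay(events) {
  const dialog = new ConsentDialog(0);
  for (const event of events) dialog.handle(event);
  return dialog.result;
}

// Only an explicit "run" result lets the applet out of the sandbox.
function appletRuns(events) {
  return replay(events) === "run";
}

// Constructed event sequences (not captured from a real browser).
const SAMPLES = {
  "stray Y as dialog pops up": [{ type: "key", key: "y", at: 10 }],
  "habitual Enter": [{ type: "key", key: "Enter", at: 3000 }],
  "OK with box unchecked": [{ type: "ok", at: 3000 }],
  "fast double click": [{ type: "toggle", at: 100 }, { type: "ok", at: 200 }],
  "deliberate check, then OK": [{ type: "toggle", at: 3000 }, { type: "ok", at: 3500 }],
  "checked, then window closed": [{ type: "toggle", at: 3000 }, { type: "close", at: 3100 }],
};

for (const [name, events] of Object.entries(SAMPLES)) {
  console.log(name, "->", replay(events));
}
```

Every path except a deliberate check followed by a later OK click leaves the applet sandboxed, which is the fail-closed behaviour the comment asks for.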
That's still a fallacious argument. Firefox is no different from all other browsers in this regard. The only browser which deserves special mention is IE, since it is part of the mechanism of the attack.
I thought Java Applets run in a sandbox and can't modify local files.
They can't, unless the user clicks "I allow this applet to modify files on my harddrive. Warning, this is unsafe, only do this with applets coming from a source you trust."
This isn't a java exploit anymore than a downloaded executable is an OS exploit.
Being bitter is drinking poison and hoping someone else will die
That's true, and is why I don't believe that any OS or browser is going to save us from malware. Until the average user learns safe computing practices, they're going to continue installing stuff they later wish they hadn't; in time even if they do stop running as admin, they'll get used to typing in their admin (or root) username and password.
This isn't just a problem for the tech industry. Have a look at how many people smoke cigarettes that will kill them despite the warnings, sue large companies for spilling hot coffee on themselves, force plugs into "dummy proof" sockets, etc., etc. etc.
Some people are just plain dumb sometimes. No amount of education can cure human stupidity.
In Soviet Russia, sig types you!
Comment removed based on user account deletion
A nice intelligent choice with WinNT was the "Press Alt-Ctl-Delete" to login.
Since applications shouldn't be able to hijack that combination it adds additional security.
You can have a lot of fun with mimicking login boxes. Back when I was in uni we'd screw around with each other's laptops. I got a terminal window on a friend's machine and aliased the su command to a perl script which would prompt for a password, send the password to my webserver, tell the user it was wrong, and then unalias the command so the next try would go to the real su.
Easy to do, but you'd have to be very on top of things to spot it.
It's been a long time since I worked with Java code, but I recall that once the user tells Java he "trusts" the code, (signed or unsigned), he opens himself up to a number of risks, including accessing the local filesystem and making network connections to hosts other than the host from which the applet was downloaded. This would, of course, include HTTP calls, probably using the installed default browser. I don't know about executing local programs.
So, while this may have been an exploitation of MSIE, the fact remains that it would never have occurred had the user not agreed to trust the applet. This is why it's important for developers and sites to sign their code, but more importantly, it shows the importance of embedding into end-users' brains: "Never, never, never click 'yes' when the application tells you the code is untrusted."
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
So you are telling me that someone found a way to get into a system with java, and - once there, found that it was actually more effective to try to break IE than the browser actually being used? Doesn't that sort of blow the popularity vs. intrinsic insecurity argument out of the water? I mean, the user is running firefox, right? The argument of what they are likely to use (and therefore be affected by) has pretty much been resolved at that point.
This sounds like a FUD factory somewhere is trying to come up with vulnerabilities against Firefox. Interesting that the best they can come up with so far is an exploit of IE. "Hey, wait, guys, we can make this one run with another browser! Let's run with that!"
The Giant DUH! Award goes to VitalSecurity.org, quite possibly the dumbest security company ever.
At the end of his blog, the author says that the purpose of his article is NOT to point out the social-engineering aspects of this exploit, but to point out that "most spyware installs occur when someone clicks "yes" to something they shouldn't have."
DUH!!!! What a total maroon.
Let's review. The user is presented with a dialog box that warns them, 3 times, that this thing can't be trusted, but they click 'Yes' anyway.
This is not a Firefox exploit. It is not an IE or Java exploit. It is a USER STUPIDITY exploit.
Recent versions of Firefox, at least for installing plugins, don't pop up a dialog box. Instead, there is an unobtrusive bar at the top of the window, which essentially says, "if you're missing something on this page, here's how to get it". A very similar bar is used to let you see pop-up ads, in case you actually wanted something in a pop-up. The user default may be to answer "Yes" to any dialog boxes, but they default to not messing with anything they don't have to.
Even if one option was "transfer your bank account contents to an unidentified account in Nigeria" some people would still choose it.
Some people are beyond hope.
Sent from my ASR33 using ASCII
Was it addiction then that caused them to smoke the first cigarette? Nope - it's the ye olde "I know best" and "what the (insert swear) do I care" routine.
http://jcsnippets.atspace.com/ - a collection of Java & C# snippets
I was about to go off on a tirade about the editor, but I can see from the TFA that the blame clearly rests on the original authors.
Oh good grief, my head hurts from this one:
It has nothing to do with security problems in either IE, Firefox, or Java. The user is authorizing a foreign, untrusted piece of software to run. It could happen through any browser using Sun's JRE, or an ActiveX control. It could be a script, or a trojan application. Yes, the operating system allows software to do things like this. If you can't trust yourself or your users to read warnings, then use an unprivileged account to do your browsing, and lock down the registry.
Check out this follow-up:
What's the point? If the user runs malicious software, it can do anything allowed by the user's current OS permissions, including editing parts of the registry that aren't protected. Whether or not IE is the target is irrelevant.
TFA: Troll -1
Fred
"A fool and his freedom are soon parted"
-RMS
Most applications on MacOS X do not require this sudo activity for installation. (Just drag the application bundle into /Applications and run the app using your own privileges.) There are some notable and annoying exceptions to this. For example, the Quicktime and RealPlayer installers are ordinary drag-n-drop with no sudo magic...but the Windows Media player requires sudo authentication. I can't imagine what it needs that Quicktime and RealPlayer do not. Grrr...
Still, your point is taken.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
This is unbelievable. How could news be more misleading? This is obviously not a "vulnerability", since Firefox, IE and Java are all behaving as expected.
That being said, this dialog for trusted applets is just as misleading for people who are not Java developers. A company paying for a certificate will have a nice dialog saying the applet is safe, giving the user that warm comforting feeling, while a poor developer will only get a scary dialog, which (believe it or not) really makes users flee. In both cases a lot of users will click without thinking, "yes" if it looks nice or "no" if it looks scary. And the result will always be the same if they click "yes".
Instead, this dialog could display a useful and educational message like "Warning - if you agree, this program will be able to read, change, delete or add any file on your account, like any other program you run outside of the web browser".
I don't want to start another conspiracy theory, but this looks like Sun is somehow related to the certificate business.
This whole mess is damaging for everybody, because users might just disable Java and thus lose the ability to run programs safely (the only alternative being to download and run).
Maybe if those who used Firefox on Windows were permitted by the operating system to uninstall IE completely, this wouldn't be a problem.
That's true, and is why I don't believe that any OS or browser is going to save us from malware. Until the average user learns safe computing practices, they're going to continue installing stuff they later wish they hadn't; in time even if they do stop running as admin, they'll get used to typing in their admin (or root) username and password.
And they're going to continue doing so (and frankly, I don't blame them, and I'm a paranoid Linux-using security nut) as long as the software they use continues forcing them to click "Yes" in each dialog they see just to let them continue operating. And as long as UI designers are not worried about saturating the user with alarm stimuli (big warning boxes covering work up), this will continue to happen.
Witness Microsoft's file deletion design versus Apple's, for instance. Apple used the mouse to delete files (or, if they ever enabled this by default in mainstream Mac OS, command-backspace). Microsoft figured that they could make a "faster" keystroke, and made a single-key destructive keystroke -- Delete -- to delete files. However, to avoid the issue of users accidentally deleting files, they now had to bring up a confirmation dialog. As a result, users are constantly exposed to a steady stream of "alarm" stimuli, and it weakens the effect.
Windows has had a long history of doing exactly that. Look at a classic Mac OS desktop, back when Apple had serious UI designers instead of WinAMP skin artists doing their UI. There is no animation. None. Only things that require immediate notification (such as a modal error dialog coming up a background application's windows causing the application menu icon to flash) ever use animation, and usually do so in very minor ways, such as flashing. As a result, anything moving on a Mac OS desktop instantly grabbed the user's eye, as it meant that something important was happening. (I remember trying to get used to using gkrellm after using a Mac OS desktop -- it was terribly distracting.) Contrast this to Windows, where to ensure the user that "no, Explorer hasn't wedged again", they provide a continuous icon animation during every file copy. This approach to indicating a task in progress of unknown duration spread to a large number of Windows programs, and now animation has little meaning to a Windows desktop user -- they have been saturated with animation.
There are precious few reserved channels to get the user's attention, and most of them are annoying (like playing a sound or beeping). It is absolutely imperative that software designers *not* saturate users with stimuli that should be reserved for emergencies.
Take, for instance, warning labels on US products. They've become a CYA ("do not insert into eye"). As a result, it has become impossible to put any legitimate warnings on products and have them read, because the user is entirely saturated with red CAUTION labels -- alarm stimuli -- and his brain naturally learns that red labels have no useful content, and are not worth paying attention to.
This is not the user's fault. It is the fault of software developers who have designed user interfaces for which even users using their computer safely have warnings thrown at them constantly, until they finally, in desperation, begin to ignore the warnings.
However, I do see the problem MS faced. If they made system hooks too restrictive, it would really hurt third party programmers that needed a system service to start up without a user login. So, of course MS picked the most lucrative path, instead of the most secure ; )
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
You can't fix a behavioural problem with a technological solution.
Not trying to nitpick, but this is incorrect. It comes up on Slashdot an awful lot (particularly in relation to spam). It is better said as: "You cannot fix every behavioural problem with a technological solution."
Using another car example, switching the car off while the lights are on makes the car beep. This, in my experience, has largely solved the problem of leaving the lights on and getting a flat battery.
I am not certain if this has had the same effect in the wider population, but it is an example of where a behavioural problem of mine has been fixed by technology.
meh
Why even bother to make such a long post as AC? Additionally you obviously didn't read any of the facts that were linked for you, I mean how easy can I make it. This article provided by wormbin(537051) is especially easy to read, with a nice numbered list. I suggest you go read it since you got the facts you claimed to know incorrect.
Now let's break down your arguments in a manner that follows logic and reason rather than off-the-hip emotional analysis as you attempted with my first post.
A) I routinely boil up some water in the kettle, pour it into a cup, [...] and hand it to someone. I expect a sane, mentally competent adult to realize that hot drinks may be hot at first. Somehow, for thousands of years, adults have managed to deal with the concept of hot drinks. The McDonalds incident wasn't even boiling -- it was *colder* than what I'm talking about.
Yes, because as we all know, water colder than boiling is incapable of harming people. You're trying to set up a straw man argument; only stupid people ever spill hot drinks on themselves, therefore this woman is stupid and it's her fault. I argue that there is no one alive who has never spilled a drink for any reason. I'd wager even you have spilled some of your delicious hot chocolate. The point here is that drinks will be spilled, and whether the person is aware of it being hot when given to them is irrelevant (also impossible to miss, I'm sure this woman was aware her hot coffee was hot). However since drinks do on occasion spill, it would be prudent for them not to be at an unreasonably dangerously hot temp. Key phrase here is 'unreasonably dangerously' as all hot liquids are to some degree dangerous, but we can mitigate that by keeping the temp a bit lower. In your example the person knew for a fact the cocoa they were given was just at the boiling point, this woman had no idea precisely how hot her coffee was. I think a consumer given a hot drink can have a reasonable expectation that it is drinkably hot, not barely sub-boiling.
B) There are a ton of people that eat at McDonalds who *didn't* find the coffee "way above what any reasonable person would consider acceptable" -- including this woman, if she'd ever had a McDonald's coffee before.
First, I don't understand how this woman having had McD coffee in the past somehow waives her right to ever declare it too hot. And once again you are marginalizing the point here by saying if X people didn't have a problem then X+1 will not have a problem. A fallacy. Just because Joe Citizen likes his coffee a scalding 185, doesn't make that temperature any safer for consumption.
C) They had received numerous complaints about it prior to the incident
They're McDonald's. They're enormous. They have complaints about coffee being too hot, meat not being kosher, coffee being too cold, a lack of Italian buns, and so forth. It would be unusual if they had *nobody* mentioning it.
True, this is perhaps your best point, but again here you show your lack of actual facts of the case. It wasn't just that some trivial subset of people had made this complaint, there were in fact over 700 incidents of coffee burns on file. That's just burns, I'm sure the number of 'too hot' complaints are therefore well above 700. I'd say 700 burn cases easily eclipses the other trivial complaint statistics. And by-the-by, no one needed medical treatment for the food being not kosher or no italian buns. Obviously the company cannot please everyone but potential injuries should rank high on the to-fix list.
And if you were familiar with the case and were being honest, you would have mentioned that all the *other* coffees from the *other* fast-food places caused the same burns -- it's just that McDonald's, being the hottest of the temperature range by ten degrees, did so faster.
I bolded the being honest bit above because it per
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
Oh pu-leaze.... If MS had made the system hooks restricted, programmers would have been climbing the walls over how MS locked everyone out of the OS and slashdotters doing the same "MS sucks and this is why *nix rules". Complain about one or the other, but MS got it right on this decision.
And just to keep on topic, I wish everyone would get off this "IE sucks" trip. IE is part of the OS now... this crap doesn't infect IE anymore, it infects Windows. Now, let's change all these little rants I see all over this post. User goes to a webpage. Firefox gets to a Java applet and passes control to the JRE. JRE asks 3 times if they want to continue, and the user clicks "Yes" (because that is what they have been trained to do) and Windows gets infected. This isn't a software exploit. This is a user (i.e. idiot) exploit that was not anticipated by Sun. If Sun would change their warning dialog to make someone put a checkmark in a box to accept instead of just clicking "Yes", this wouldn't happen. But again, not Sun's fault, but something that could easily be fixed by them.
User logging on... 300 baud... 300 BAUD?!? (Click!) NO CARRIER
This is awesome. Now even Windows users who switch over from IE are fucked because windowsupdate.com doesn't play well with other browsers.