IE Vulnerable to Cross-Browser Spyware Attack

An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate projection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

who fixes it?

[dirvish]

It will be interesting to see if there is the usual 24 hour turnaround on a fix for this from the Mozilla Foundation. Lord knows Microsoft probably won't lift a finger to fix it.

Re:who fixes it?

Though rather than just asking, "Do you want to trust this applet", they should be a bit more explicit, "Trusting this applet will give it unrestricted access to your machine, and can install or change files, and access other computers through the network."

Re:who fixes it?

[zootm]

This is a "vulnerability" in Java, not Mozilla. The reason it's "cross-browser" is because it's written in Java, and will work on any browser using Sun's JRE (and probably any other compliant one). It's not even a vulnerability in Java, strictly speaking -- it's a signed applet, with an invalid signature, and the user has to click past an ugly-looking "this is unsafe!" error page to infect themselves.

Re:who fixes it?

[delus10n0]

I had an interesting idea the other day regarding this; what about "user-moderated" signings; the browser/JRE/active-x could query a server, with something like "applet GUID xxxx-xxxx-xxxx-xxxx, what's the current status?", and the server would return a hard (good/bad) or soft (percentages) ranking. Users could report if a given applet is bad, and leave comments. Those reports would also be moderated, of course, to prevent people from writing false reports.

The downside, of course, is that there would have to be some sort of master server for storing/relaying this information... and that'd be quite a task.

The whole "signed"/"unsigned" model is semi-broken, at least to the non-geeky. They have no idea what that means. I also think the dialogs should be severely re-designed and re-worded..

Misleading title

[kevin_conaway]

The article title/summary focuses more on how IE is to blame rather than the real root of the problem, which appears to be Java. I realize this is Slashdot and its Microsoft, but come on.

Re:Misleading title

[Allicorn]

Firefox isn't to blame here, its presented a very large, very clear, very threatening warning message.

Java isn't to blame here, its honored the unrestricted access permission given to the applet by the user.

IE isn't even to blame here (!), its just a target. Once the applet is running without restrictions, it can do anything any other executable could do.

This "exploit" could be delivered via some other JavaPlugin-enabled browser and modify any other peice of software installed on your box.

The blame here, at least in the case of the original article on Vital Security would appear to be the author experiencing a profound "curiosity killed the cat" moment.

But you still need IE.

[cy_a253]

from the if-you-must-run-windows-remove-ie dept.

Really? The microsoft website oftens blocks browsers other than IE from downloading updates and whatnot.

You CAN'T just remove IE. You need it. Just try to update office on firefox for example:

http://office.microsoft.com/en-us/officeupdate/def ault.aspx

Re:But you still need IE.

[Rude+Turnip]

My approach to IE has been this...in my mind it's no longer a "web browser." To me, IE is *only* to be used as Microsoft's "software update tool," much like how Apple has a dedicated software update tool for OS X.

You can't use Firefox to automatically update Office, but you can manually download patches with Firefox. However, you can use the Microsoft Software Update Tool (formerly Internet Explorer) to automatically find updates.

Re:But you still need IE.

[NanoGator]

"You CAN'T just remove IE. You need it. Just try to update office on firefox for example:"

No problem. Office XP SP 3 coming right up!"

And here is Windows XP Service Pack 2.

Both found and downloaded via Opera. What you don't get is Automatic Update. Can't argue that, but it's not like the updates you need aren't accessible without IE.

Re:" IE can already be infected"

[CdBee]

That's the point isn't it, though. Crappy software is installed.. spyware comes as an infection. When will we acknowledge that these spyware writers are writing viruses which infect and damage people's systems through backdoor hacking techniques?

Why are the authors not prosecuted?

Re:Not just browsers.

[Crazy+Man+on+Fire]

It's important to identify that this is not a Sun JRE thing, but a user error thing!

Any time a website asks you to trust them to install something on your computer, you should probably say no. If you say yes, you are going to get owned 99% of the time.

Re:Same old story

[sosume]

Actually, the title of tfa should be "Firefox vulnerability could provide access to IE". The problem is Firefox or Java, not IE.

Is it still a security hole?

[Ironsides]

If an exploit asks you to run it, does it still count as a security exploit? It's not taking advantage of anything other than the users own stupidity/ignorance if they get infected by it. Similar to those email viruses you have to oepn the atached zip, enter the password and then run the exe to get infected by.

Re:Is it still a security hole?

[tehshen]

If an exploit asks you to run it, does it still count as a security exploit?

Yes, it does - it's exploiting their stupidity, not only the program's vulnerabilities. The vast uneducated public, who will jump at the chance of free blue monkeys giving them a firewall to stop their computer broadcasting an IP address that can be seen by hackers to steal your children, will be the ones who will get infected by exploits like this. And it's not as if you have to open a zip, enter a password and run an exe to get infected with this, just a simple "Yes" click - and most users do that just to make the dialog box go away.

The ShellBlock vulnerability in Firefox was considered an 'exploit' - like this case, it was doing the right thing (passing shell:// commands to Windows), but could be exploited.

Java Exploit

[miffo.swe]

To me this sounds like a Java exploit and not something you can pin on either IE, Firefox or any other browser. It would be pretty lame to demand that Firefox should protect IE from a Java exploit, yes?

Re:Caveat

[Jugalator]

... and unfortunately, the system default is to have Java enabled, and the user default is to answer "Yes" to any dialog boxes popping up while browsing the web.

Re:Ahem...

[Anthony+Liguori]

No way, RTFA.

Firefox warns the hell out of you about allowing a signed, but unverifiable applet from installing itself. Look at the screenshot, there's three separate big warning images.

If the web browser lets you download and install software, even if it warns you that doing so might be dangerous, the author contends this is a bug. That's silly. That's the *point* of a web browser. To download content from the internet.

I'm not defending IE by any stretch...

[bob670]

but this has a lot more to do with bad surfing and usage habits than IE at this point. If you haven't learned not to click on every damn pop up window, click yes on every dialog box and follow links to sites riddled with porn and warez ads then you get what you deserve. While I tend to use Mac OS X for most everything now, I have yet to get hit with spyware or a virus the entire time I have used 98Se/2000/XP. I got one virus on Win 95 and it served as a wake up call to watch what I was doing and think before I clicked yes. Yes, MS is responsible for some of this, and I am not trying to place blame on victims, but take some responsibility for your computer or put it back in the box and return it to Dull or Worst Buy.

Re:Caveat

[sfjoe]

The security warning explicitly states, "The security certificate was issued by a company that is not trusted".

I mean, what do people expect? A little hobgoblin to pop out of their computer and whack them in the head with a mallet if they try to click 'yes'?

re: caveat

[ed.han]

you're assuming that people read these warnings. i think it's fair to say that a goodly number of users are in fact not really reading them. maybe the little hobgoblin wouldn't be such a bad idea after all... :>

ed

Non-issue

[Nemi]

This is infecting the machine using a signed applet. Hello? I can do anything I want to your pc if you allow a signed applet to run. This not news. I can install a trojan, key logger, back door, whatever. Infecting IE is the least of someones problems if they allow signed applets from untrusted sources to run.

Re:Caveat

[Tim+C]

the user default is to answer "Yes" to any dialog boxes popping up while browsing the web.

That's true, and is why I don't believe that any OS or browser is going to save us from malware. Until the average user learns safe computing practices, they're going to continue installing stuff they later wish they hadn't; in time even if they do stop running as admin, they'll get used to typing in their admin (or root) username and password.

Social engineering, but still a problem...

[argent]

As other people have noted, you still have to say "yes, bone me". But people don't expect a Java applet (since it's normally firewalled) to be dangerous, so they're more likely to say "yes".

If allowing an unrestricted Java applet to run is just as dangerous as installing and running an application, then the dialog box should reflect that. If Firefox is going to make you manually approve sites that you're going to allow XPI installs from, and *then* run a countdown in the warning dialog, they need to be at least as thorough about any other operation that takes you outside the sandbox.

Re:Caveat

[nacturation]

... and after you click "Yes" to the warning, you have granted the Java code permission to modify anything on your hard drive. So, the fact that it modifies IE is really incidental. It could just as easily modify Firefox, Mozilla, OpenOffice.org, Thunderbird, emacs, gcc, and any other application it wants to.

A better title for this article would have been "Every application vulnerable to attack due to bug in either Firefox and/or Sun's JRE".

Re:Caveat

[m50d]

The user has seen enough web dialogs to know that when you see one, you click yes. If you try to read them all you'll go mad, if you click no that cool game bob told you about doesn't work. So you click yes on everything.

Re:Not a browser issue and not a Java issue

[JohnnyCannuk]

No this is not really a Java issue either. This is a social engineering issue.

The JRE pops up it's "Warning" dialog, like its supposed to . It displays to the user that it cannot verify who signed this, that the cert is out of date etc, like its supposed to . It displays a warning reccomending that you NOT say yes and install the applet, like its supposed to . So when you ignore all of that and say yes, you deserve to get infected. I mean, what do you want, another dialog asking "Are you sure?".

I mean 3 big yellow exclaimation marks? I've never seen that even in the most unstable of development environments.

Oh and BTW, if you say yes to a Java applet in this instance, it runs as a local application without a security manager. This is not a 'hole' it is what it is supposed to do. When you say yes, that's what you're saying 'yes' to.

Now if people were taught not to do that the same way their are taught not to run arbitrary files sent to them via e-mail, this wouldn't be a problem. (That's sarcasm BTW)

In the end, the problem is the goof behind the keyboard that is willing to say 'Yes' to run applications they don't know about and that the JRE itself warns them at least 3 times in 3 ways not to run.

How do you defend against that?

Re:Same old story

[jdhutchins]

I'd say it really has very little to do with Java, it's nothing more than ActiveX controls do in IE all the time. If a user clicks "yes" in a security warning dialog box, then the code can do whatever it wants. It's not a bug, it's working how it's designed. The "bug" that they claim is that the computer will let a user do something dumb.

Re:Caveat

Since you asked...

Create a dialog box with all the warnings. Give it an OK and a Cancel button. Closing it or clicking Cancel always causes the applet not to run.

Give is a checkbox, that says "Allow this potentially dangerous applet to run without security restrictions." Leave it unchecked.

Clicking OK while it's unchecked also causes the applet not to run.

Now the user can't accidently click yes, as two clicks are needed to unlock the applet. You can't accidently make the user install the applet by typing "Y" when the dialog suddenly pops up.

That's how all these "do something insecure" dialogs should be. I should have to explicitly check off "OK" and then hit the "Accept" button. That includes Firefox's XPI install system, which the site mentioned also tries to exploit.

Re:Bogus Headline

[LarsWestergren]

I thought Java Applets run in a sandbox and can't modify local files.

They can't, unless the user clicks "I allow this applet to modify files on my harddrive. Warning, this is unsafe, only do this with applets coming from a source you trust."

This isn't a java exploit anymore than a downloaded executable is an OS exploit.

Secure login

[grahamsz]

A nice intelligent choice with WinNT was the "Press Alt-Ctl-Delete" to login.

Since applications shouldn't be able to hijack that combination it adds additionaly security.

You can have a lot of fun with micking login boxes. Back when I was in uni we'd screw around with each others laptops. I got a terminal window on a friends machine and aliaed the su command to a perl script which would prompt for a password, send the password to my webserver, tell the user it was wrong, and then unalis the command so the next try would go to the real su.

Easy to do, but you'd have to be very on top of things to spot it.

this is pure fud

[taso]

Linux is vulnerable to the following exploit. If a user unwittingly gives the root password, his drive will be erased.

#!/bin/sh
echo Kindly give the root password at the next prompt
su -c rm -rf /

Social Engineering?

[OhHellWithIt]

The author brushes aside "the social engineering aspects of the install", but the screen shots don't show anything other than the standard dialog that is triggered when Java encounters an applet that seeks to use privileged methods. This is hardly social engineering!

It's been a long time since I worked with Java code, but I recall that once the user tells Java he "trusts" the code, (signed or unsigned), he opens himself up to a number of risks, including accessing the local filesystem and making network connections to hosts other than the host from which the applet was downloaded. This would, of course, include HTTP calls, probably using the installed default browser. I don't know about executing local programs.

So, while this may have been an exploitation of MSIE, the fact remains that it would never have occurred had the user not agreed to trust the applet. This is why it's important for developers and sites to sign their code, but more importantly, it shows the importance of embedding into end-users' brains: "Never, never, never click 'yes' when the application tells you the code is untrusted."

WTF?

[stinky+wizzleteats]

So you are telling me that someone found a way to get into a system with java, and - once there, found that it was actually more effective to try to break IE than the browser actually being used? Doesn't that sort of blow the popularity vs. intrinsic insecurity argument out of the water? I mean, the user is running firefox, right? The argument of what they are likely to use (and therefore be affected by) has pretty much been resolved at that point.

This sounds like a FUD factory somewhere is trying to come up with vulnerabilities against Firefox. Interesting that the best they can come up with so far is an exploit of IE. "Hey, wait, guys, we can make this one run with another browser! Let's run with that!"

The Giant DUH! Award

[rudy_wayne]

The Giant DUH! Award goes to VitalSecurity.org, quite possibly the dumbest security company ever.

At the end of his blog, the author says that the purpose of his article is NOT to point out the social-engineering aspects of this exploit, but to point out that "most spyware installs occur when someone clicks "yes" to something they shouldn't have."

DUH!!!! What a total maroon.

Let's review. The user is presented with a dialog box that warns them, 3 times, that this thing can't be trusted, but they click 'Yes' anyway.

This is not a Firefox exploit. It is not an IE or Java exploit. It is a USER STUPIDITY exploit.

Re:Well yeah

[AstroDrabb]

I agree. It wasn't a bad idea, but it _was_ poorly implemented. MS allows system hooks (I have programmed many for the company I work for) which can get past most of their start-up "security". MS should have really locked down the kernel and prevented anything from getting into the system when it starts up.

However, I do see the problem MS faced. If they made system hooks too restrictive, it would realy hurts third party programmers that needed a system service to start up without a user login. So, ofcourse MS picked the most lucrative path, instead of the most secure ; )

Re:This reminds me of Japanese Cars..

[dcam]

You can't fix a behavioural problem with a technological solution.

Not trying to nitpick, but this is incorrect. It comes out on slashdot on awful lot (particluarly in relation to spam). It is better said as: "You cannot fix every behavioural problem with a technological solution."

Using another car example, switching the car off while the lights are on makes the car beep. This, in my experience, has largely solved the problem of leaving the lights on and getting a flat battery.

I am not certain if this has had the same effect in the wider population, but it is an example of where a behavioural problem of mine has been fixed by technology.

Re:Well yeah

[Mordanthanus]

Oh pu-leaze.... If MS had made the system hooks restricted, programmers would have been climbing the walls over how MS locked everyone out of the OS and slashdotters doing the same "MS sucks and this is why *nix rules". Complain about one or the other, but MS got it right on this decision.

And just to keep on topic, I wish everyone would get off this "IE sucks" trip. IE is part of the OS now... this crap doesn't infect IE anymore, it infects Windows. Now, lets change all these little rants I see all over this post. User goes to a webpage. Firefox gets to a Java applet and passes control to the JRE. JRE asks 3 times if they want to continue, and the user clicks "Yes" (because that is what they have been trained to do) and Windows gets infected. This isn't a software exploit. This is a user (ie. idiot) exploit that was not anticipated by Sun. If Sun would change their warning dialog to make someone put a checkmark in a box to accept instead of just clicking "Yes", this wouldn't happen. But again, not Sun's fault, but something that could easily be fixed by them.