Slashdot Mirror
IE Vulnerable to Cross-Browser Spyware Attack
An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate projection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.
The article title/summary focuses more on how IE is to blame rather than the real root of the problem, which appears to be Java. I realize this is Slashdot and its Microsoft, but come on.
from the if-you-must-run-windows-remove-ie dept.
f ault.aspx
Really? The microsoft website oftens blocks browsers other than IE from downloading updates and whatnot.
You CAN'T just remove IE. You need it. Just try to update office on firefox for example:
http://office.microsoft.com/en-us/officeupdate/de
It's important to identify that this is not a Sun JRE thing, but a user error thing!
Any time a website asks you to trust them to install something on your computer, you should probably say no. If you say yes, you are going to get owned 99% of the time.
Actually, the title of tfa should be "Firefox vulnerability could provide access to IE". The problem is Firefox or Java, not IE.
If an exploit asks you to run it, does it still count as a security exploit? It's not taking advantage of anything other than the users own stupidity/ignorance if they get infected by it. Similar to those email viruses you have to oepn the atached zip, enter the password and then run the exe to get infected by.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
... and unfortunately, the system default is to have Java enabled, and the user default is to answer "Yes" to any dialog boxes popping up while browsing the web.
Beware: In C++, your friends can see your privates!
No way, RTFA.
Firefox warns the hell out of you about allowing a signed, but unverifiable applet from installing itself. Look at the screenshot, there's three separate big warning images.
If the web browser lets you download and install software, even if it warns you that doing so might be dangerous, the author contends this is a bug. That's silly. That's the *point* of a web browser. To download content from the internet.
The security warning explicitly states, "The security certificate was issued by a company that is not trusted".
I mean, what do people expect? A little hobgoblin to pop out of their computer and whack them in the head with a mallet if they try to click 'yes'?
It's simple: I demand prosecution for torture.
Though rather than just asking, "Do you want to trust this applet", they should be a bit more explicit, "Trusting this applet will give it unrestricted access to your machine, and can install or change files, and access other computers through the network."
the user default is to answer "Yes" to any dialog boxes popping up while browsing the web.
That's true, and is why I don't believe that any OS or browser is going to save us from malware. Until the average user learns safe computing practices, they're going to continue installing stuff they later wish they hadn't; in time even if they do stop running as admin, they'll get used to typing in their admin (or root) username and password.
It's official. Most of you are morons.
As other people have noted, you still have to say "yes, bone me". But people don't expect a Java applet (since it's normally firewalled) to be dangerous, so they're more likely to say "yes".
If allowing an unrestricted Java applet to run is just as dangerous as installing and running an application, then the dialog box should reflect that. If Firefox is going to make you manually approve sites that you're going to allow XPI installs from, and *then* run a countdown in the warning dialog, they need to be at least as thorough about any other operation that takes you outside the sandbox.
... and after you click "Yes" to the warning, you have granted the Java code permission to modify anything on your hard drive. So, the fact that it modifies IE is really incidental. It could just as easily modify Firefox, Mozilla, OpenOffice.org, Thunderbird, emacs, gcc, and any other application it wants to.
A better title for this article would have been "Every application vulnerable to attack due to bug in either Firefox and/or Sun's JRE".
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
The user has seen enough web dialogs to know that when you see one, you click yes. If you try to read them all you'll go mad, if you click no that cool game bob told you about doesn't work. So you click yes on everything.
I am trolling
No this is not really a Java issue either. This is a social engineering issue.
The JRE pops up it's "Warning" dialog, like its supposed to . It displays to the user that it cannot verify who signed this, that the cert is out of date etc, like its supposed to . It displays a warning reccomending that you NOT say yes and install the applet, like its supposed to . So when you ignore all of that and say yes, you deserve to get infected. I mean, what do you want, another dialog asking "Are you sure?".
I mean 3 big yellow exclaimation marks? I've never seen that even in the most unstable of development environments.
Oh and BTW, if you say yes to a Java applet in this instance, it runs as a local application without a security manager. This is not a 'hole' it is what it is supposed to do. When you say yes, that's what you're saying 'yes' to.
Now if people were taught not to do that the same way their are taught not to run arbitrary files sent to them via e-mail, this wouldn't be a problem. (That's sarcasm BTW)
In the end, the problem is the goof behind the keyboard that is willing to say 'Yes' to run applications they don't know about and that the JRE itself warns them at least 3 times in 3 ways not to run.
How do you defend against that?
Never by hatred has hatred been appeased, only by kindness - the Buddha
Since you asked...
Create a dialog box with all the warnings. Give it an OK and a Cancel button. Closing it or clicking Cancel always causes the applet not to run.
Give is a checkbox, that says "Allow this potentially dangerous applet to run without security restrictions." Leave it unchecked.
Clicking OK while it's unchecked also causes the applet not to run.
Now the user can't accidently click yes, as two clicks are needed to unlock the applet. You can't accidently make the user install the applet by typing "Y" when the dialog suddenly pops up.
That's how all these "do something insecure" dialogs should be. I should have to explicitly check off "OK" and then hit the "Accept" button. That includes Firefox's XPI install system, which the site mentioned also tries to exploit.
I thought Java Applets run in a sandbox and can't modify local files.
They can't, unless the user clicks "I allow this applet to modify files on my harddrive. Warning, this is unsafe, only do this with applets coming from a source you trust."
This isn't a java exploit anymore than a downloaded executable is an OS exploit.
Being bitter is drinking poison and hoping someone else will die
I had an interesting idea the other day regarding this; what about "user-moderated" signings; the browser/JRE/active-x could query a server, with something like "applet GUID xxxx-xxxx-xxxx-xxxx, what's the current status?", and the server would return a hard (good/bad) or soft (percentages) ranking. Users could report if a given applet is bad, and leave comments. Those reports would also be moderated, of course, to prevent people from writing false reports.
The downside, of course, is that there would have to be some sort of master server for storing/relaying this information... and that'd be quite a task.
The whole "signed"/"unsigned" model is semi-broken, at least to the non-geeky. They have no idea what that means. I also think the dialogs should be severely re-designed and re-worded..
Not All Who Wander Are Lost
A nice intelligent choice with WinNT was the "Press Alt-Ctl-Delete" to login.
Since applications shouldn't be able to hijack that combination it adds additionaly security.
You can have a lot of fun with micking login boxes. Back when I was in uni we'd screw around with each others laptops. I got a terminal window on a friends machine and aliaed the su command to a perl script which would prompt for a password, send the password to my webserver, tell the user it was wrong, and then unalis the command so the next try would go to the real su.
Easy to do, but you'd have to be very on top of things to spot it.
The Giant DUH! Award goes to VitalSecurity.org, quite possibly the dumbest security company ever.
At the end of his blog, the author says that the purpose of his article is NOT to point out the social-engineering aspects of this exploit, but to point out that "most spyware installs occur when someone clicks "yes" to something they shouldn't have."
DUH!!!! What a total maroon.
Let's review. The user is presented with a dialog box that warns them, 3 times, that this thing can't be trusted, but they click 'Yes' anyway.
This is not a Firefox exploit. It is not an IE or Java exploit. It is a USER STUPIDITY exploit.