Slashdot Mirror
IE Vulnerable to Cross-Browser Spyware Attack
An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate projection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.
IF you're running Java and you click 'Yes' to the security warning...
VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.
Oh, well, it's no problem then. It's not like anybody uses THAT...
It will be interesting to see if there is the usual 24 hour turnaround on a fix for this from the Mozilla Foundation. Lord knows Microsoft probably won't lift a finger to fix it.
FoundNews.com - get paid to blog.,
"IE vulnerable to new attack" - shouldn't we find some sort of shorthand for this, since it happens so often?
I have to imagine Slashdot's bandwidth saving would be enormous.
"So on one hand, honey is an amazingly sophisticated and efficient food source. On the other hand it's bee backwash."
Yeah, I'll get right on that Timothy. Removing IE is so easy on Windows.... Not like it's built into the OS or anything.
This guy is way out there
The spyware installs itself using Java. It's not browser-specific; you can infect IE using Mozilla, Opera, IE, etc.
There _is_ a dialog box, since the applet is unsigned. I tried signing it with my certificate; it installed itself without prompting. I believe it uses some sort of JRE exploit.
switching away from IE does not give adequate projection
What do I need to be able to project my fears of infection adequately?
The article title/summary focuses more on how IE is to blame rather than the real root of the problem, which appears to be Java. I realize this is Slashdot and its Microsoft, but come on.
It's important to identify that if this is not a browser thing, but a Sun JRE thing, any Java-enabled program that can come in contact with the installer applet could potentially infect your system.
Green's Law of Debate: Anything is possible if you don't know what you're talking about.
IE can already be infected by plugins and downloads from other browsers. My sister (whom I have confined to Firefox) likes to play those goddamn Neopets games, which require Shockwave. After installing it, the Yahoo! toolbar had managed to place itself into IE somehow, even when IE hadn't been used for months.
Guy asked me for a quarter for a cup of coffee. So I bit him.
from the if-you-must-run-windows-remove-ie dept.
f ault.aspx
Really? The microsoft website oftens blocks browsers other than IE from downloading updates and whatnot.
You CAN'T just remove IE. You need it. Just try to update office on firefox for example:
http://office.microsoft.com/en-us/officeupdate/de
1. You can't win
2. You can't break even
3. You can't get out of the game
4. No matter how hard you shake it, the last drop always rolls down your pant leg.
I'm not wrong. You haven't thought about it hard enough.
That's the point isn't it, though. Crappy software is installed.. spyware comes as an infection. When will we acknowledge that these spyware writers are writing viruses which infect and damage people's systems through backdoor hacking techniques?
Why are the authors not prosecuted?
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer.... VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.
So, the attack happens through Sun's JVM, affects IE, and consequently has nothing to do with Firefox, which was inserted into the article for maximum troll capability.
If an exploit asks you to run it, does it still count as a security exploit? It's not taking advantage of anything other than the users own stupidity/ignorance if they get infected by it. Similar to those email viruses you have to oepn the atached zip, enter the password and then run the exe to get infected by.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
To me this sounds like a Java exploit and not something you can pin on either IE, Firefox or any other browser. It would be pretty lame to demand that Firefox should protect IE from a Java exploit, yes?
HTTP/1.1 400
I know there's been a fair share of MS-bashing already but I just can't resist... It's pretty funny that IE is so insecure that its security holes exist in other programs :)
No way, RTFA.
Firefox warns the hell out of you about allowing a signed, but unverifiable applet from installing itself. Look at the screenshot, there's three separate big warning images.
If the web browser lets you download and install software, even if it warns you that doing so might be dangerous, the author contends this is a bug. That's silly. That's the *point* of a web browser. To download content from the internet.
When I tried to open the page he shows as the source of infection, my TrendMicro Antivirus Software automaticaly detected it and trashed it.
What scares me most, is that FF didn't ask to download the file, it just downloaded the JAR into the cache folder.
mazevedo
It doesn't "escape" the sandbox... the user explicitly grants it permission to play outside of the sandbox.
Java is behaving in exactly the manner it's designed and advertised to act.
the installer escapes Java's sandbox
No. The user unlocks and opens the door, THEN the exploit escapes.
All the systems are working as designed. It is the user who opens the door.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
Alternatively, there's the more generic ESF - (E)xploitable (S)ecurity (F)arce. This is the exact inverse of ESP, in that it is something that should have been predicted but wasn't, rather than the other way round.
For bugs from the (usual) Corporate culprits - Microsoft, Sun and IBM, I suggest that these be called ISMs.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
This has nothing to do with Firefox or the JRE, nor IE. The JRE's security manager properly issues are warning that the user is about to run arbitrary code. It's like an email worm. The user's interaction and ignorance is need to spread the thing.
"Monday".
This is infecting the machine using a signed applet. Hello? I can do anything I want to your pc if you allow a signed applet to run. This not news. I can install a trojan, key logger, back door, whatever. Infecting IE is the least of someones problems if they allow signed applets from untrusted sources to run.
There are two types of Java applets: signed and unsigned. Unsigned applets run in a sandbox inside your Web browser. A Java exploit would be an unsigned applet that could "get out" and do something malicious. This doesn't seem to be an unsigned applet.
Signed applets don't run inside a sandbox. A signed applet can do anything that any other executable program can do; including formatting your disk or installing spyware. They are not any safer than programs written in C or assembly language.
--Steve
BUG REPORT:
When I visit a web page and it prompts me to install something, a little hobgoblin pops out of my computer and whacks me on the head with a mallet when I click yes.
After this happens, my computer slows down and I get lots of popups. I think the hobgoblin has infected me with a virus. Please disable the hobgoblin so I can install things from websites easier. And stop it from infecting me with viruses! Can't you guys program a computer right?
Ironic that Java, famous for its sandbox, seems to be the door through which this intruder enters.
I keep wondering if it wouldn't be better to have something like VMWare a standard part of a consumer OS. You would intantiate a VMWare-type virtual machine, preloaded with your Web browser, email client, etc., for all external communications. You would leave your "real machine" with no Net connection, but use it for other tasks that didn't need a live Net connection. Attacks from the outside would have no way to damage anything other than a virtual machine. If it got screwed up or infected, even by your kids playing with it and saying "Yes" to download offers, you'd just delete it and instantiate a new one.
You'd be able to reach from the real machine into one of the VMs and retrieve a file that you were satisfied was safe, but there would be no way for a VM to export (VMWare is like this). There would be occasions when fetching an infected file would infect your real machine, but the overall incidence of external damage should be significantly reduced by this approach and recovery from screwups would be quick and easy (at a cost of performance for activities done from a VM).
It's just a thought, but it seems as though this would just be an extension of the Unix notion of having root power but doing most of your work from a non-root account just to be safe.
"Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
As other people have noted, you still have to say "yes, bone me". But people don't expect a Java applet (since it's normally firewalled) to be dangerous, so they're more likely to say "yes".
If allowing an unrestricted Java applet to run is just as dangerous as installing and running an application, then the dialog box should reflect that. If Firefox is going to make you manually approve sites that you're going to allow XPI installs from, and *then* run a countdown in the warning dialog, they need to be at least as thorough about any other operation that takes you outside the sandbox.
No this is not really a Java issue either. This is a social engineering issue.
The JRE pops up it's "Warning" dialog, like its supposed to . It displays to the user that it cannot verify who signed this, that the cert is out of date etc, like its supposed to . It displays a warning reccomending that you NOT say yes and install the applet, like its supposed to . So when you ignore all of that and say yes, you deserve to get infected. I mean, what do you want, another dialog asking "Are you sure?".
I mean 3 big yellow exclaimation marks? I've never seen that even in the most unstable of development environments.
Oh and BTW, if you say yes to a Java applet in this instance, it runs as a local application without a security manager. This is not a 'hole' it is what it is supposed to do. When you say yes, that's what you're saying 'yes' to.
Now if people were taught not to do that the same way their are taught not to run arbitrary files sent to them via e-mail, this wouldn't be a problem. (That's sarcasm BTW)
In the end, the problem is the goof behind the keyboard that is willing to say 'Yes' to run applications they don't know about and that the JRE itself warns them at least 3 times in 3 ways not to run.
How do you defend against that?
Never by hatred has hatred been appeased, only by kindness - the Buddha
You missed the part where IE opened on its own. Unless you have REMOVED IE from your system (good luck) or never had it in the first place (ya, ya, Mac and Linux and BSD are great) then you care about this.
No the prompt was from the JRE indicating that the applet that was being downloaded was asking for special privileges, beyond that of the sand box (see the picture in the middle of the Vital Security article). 3 excalimation marks, big and yellow, telling the user that it couldn't verify the authenticity of the applet, that the cert used to sign it had expired and then warned the user specifically to NOT say yes.
The idiot said yes anyway.
Now, if this happened without those warning, then there would be an issue. But that is not the case. The JRE functioned as it was designed to - to allow for extra privileges to be granted to an applet under certain circumstances and to vigorously warn the user and present them with information before hand. It was the user that ignored the warning, not the JRE.
Note to self: never get advice from "Vital Security" about security because anyone that would ignore that kind of warning from a site they did not know is definitely NOT a security professional
Never by hatred has hatred been appeased, only by kindness - the Buddha
How do you defend against that?
Clearly, all software should only be installable from floppy disks, and not from over the Internet. That way, script kiddies would have to send people their exploits by snail mail, with a note attached that reads:
Still, I'm sure there'd be a few who did...
A nice intelligent choice with WinNT was the "Press Alt-Ctl-Delete" to login.
Since applications shouldn't be able to hijack that combination it adds additionaly security.
You can have a lot of fun with micking login boxes. Back when I was in uni we'd screw around with each others laptops. I got a terminal window on a friends machine and aliaed the su command to a perl script which would prompt for a password, send the password to my webserver, tell the user it was wrong, and then unalis the command so the next try would go to the real su.
Easy to do, but you'd have to be very on top of things to spot it.
It's been a long time since I worked with Java code, but I recall that once the user tells Java he "trusts" the code, (signed or unsigned), he opens himself up to a number of risks, including accessing the local filesystem and making network connections to hosts other than the host from which the applet was downloaded. This would, of course, include HTTP calls, probably using the installed default browser. I don't know about executing local programs.
So, while this may have been an exploitation of MSIE, the fact remains that it would never have occurred had the user not agreed to trust the applet. This is why it's important for developers and sites to sign their code, but more importantly, it shows the importance of embedding into end-users' brains: "Never, never, never click 'yes' when the application tells you the code is untrusted."
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
So you are telling me that someone found a way to get into a system with java, and - once there, found that it was actually more effective to try to break IE than the browser actually being used? Doesn't that sort of blow the popularity vs. intrinsic insecurity argument out of the water? I mean, the user is running firefox, right? The argument of what they are likely to use (and therefore be affected by) has pretty much been resolved at that point.
This sounds like a FUD factory somewhere is trying to come up with vulnerabilities against Firefox. Interesting that the best they can come up with so far is an exploit of IE. "Hey, wait, guys, we can make this one run with another browser! Let's run with that!"
The Giant DUH! Award goes to VitalSecurity.org, quite possibly the dumbest security company ever.
At the end of his blog, the author says that the purpose of his article is NOT to point out the social-engineering aspects of this exploit, but to point out that "most spyware installs occur when someone clicks "yes" to something they shouldn't have."
DUH!!!! What a total maroon.
Let's review. The user is presented with a dialog box that warns them, 3 times, that this thing can't be trusted, but they click 'Yes' anyway.
This is not a Firefox exploit. It is not an IE or Java exploit. It is a USER STUPIDITY exploit.
Never been to Tennessee have you?
Most (all?) Japanese cars have a "feature" that the door won't lock unless you're holding the handle up (open, whatever.)
I heard that this was a measure to prevent people from locking their keys in their car. The Japanese car manufacturers decided that if people have to lock the door, then hold the handle in the open position as they close the door, it will prevent them from accidentally locking their keys in the car.
Sounds nice in theory... until the day I locked the keys in my Civic. It was then that I noticed that because I couldn't lock the car door without holding up the handle, that I had gotten into the habit of *always* holding up the handle while closing the door, even when I didn't want to lock it.
I've known a lot of people who have locked their keys in their Japanese car, they told me the same thing.
So, instead of being a mechanism to prevent people from accidentally locking their keys in their car, it was instead a mechanism to train people to hold their door handle up when closing the car door.
You can't fix a behavioural problem with a technological solution.
Best. Webhost. Ever. Dreamhost.
When I visited http://www.lyricspy.com/ (this site listed as being the origin in the VitalSecurity story) I immediately receive a pop-up warning from McAfee 8.0 that the file "javainstaller.jar" is a Trojan, and an "exploit". The installer window never appears at all.
Additionally, Firefox automatically blocks the installation with its pop-up blocker, so it appears that, with my settings (which are not terribly restrictive), I have a double layer of security preventing me from even getting to the point of clicking "yes" to the installer.
Not too big a deal, this, but it is good to know that following basic security procedures like keeping virus definitions up to date and using the pop-up blocker correctly can make it a lot easier to avoid the kind of crap this story deals with. I do realize, however, that a great many people do not follow these guidelines, and that that is the point of the story.
But I would like to point out that it seems that I am not quite as vulnerable as this story makes it appear that I will be (when running Windows). And, of course, if I flip over to my Fedora Core 3 partition, this problem goes away entirely.
And yes, I am using the Sun Java Runtime.
B
"We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
However, I do see the problem MS faced. If they made system hooks too restrictive, it would realy hurts third party programmers that needed a system service to start up without a user login. So, ofcourse MS picked the most lucrative path, instead of the most secure ; )
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
Oh pu-leaze.... If MS had made the system hooks restricted, programmers would have been climbing the walls over how MS locked everyone out of the OS and slashdotters doing the same "MS sucks and this is why *nix rules". Complain about one or the other, but MS got it right on this decision.
And just to keep on topic, I wish everyone would get off this "IE sucks" trip. IE is part of the OS now... this crap doesn't infect IE anymore, it infects Windows. Now, lets change all these little rants I see all over this post. User goes to a webpage. Firefox gets to a Java applet and passes control to the JRE. JRE asks 3 times if they want to continue, and the user clicks "Yes" (because that is what they have been trained to do) and Windows gets infected. This isn't a software exploit. This is a user (ie. idiot) exploit that was not anticipated by Sun. If Sun would change their warning dialog to make someone put a checkmark in a box to accept instead of just clicking "Yes", this wouldn't happen. But again, not Sun's fault, but something that could easily be fixed by them.
User logging on... 300 baud... 300 BAUD?!? (Click!) NO CARRIER