Slashdot Mirror
IE Vulnerable to Cross-Browser Spyware Attack
An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate projection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.
IF you're running Java and you click 'Yes' to the security warning...
VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.
Oh, well, it's no problem then. It's not like anybody uses THAT...
"IE vulnerable to new attack" - shouldn't we find some sort of shorthand for this, since it happens so often?
I have to imagine Slashdot's bandwidth saving would be enormous.
"So on one hand, honey is an amazingly sophisticated and efficient food source. On the other hand it's bee backwash."
Yeah, I'll get right on that Timothy. Removing IE is so easy on Windows.... Not like it's built into the OS or anything.
This guy is way out there
The spyware installs itself using Java. It's not browser-specific; you can infect IE using Mozilla, Opera, IE, etc.
There _is_ a dialog box, since the applet is unsigned. I tried signing it with my certificate; it installed itself without prompting. I believe it uses some sort of JRE exploit.
switching away from IE does not give adequate projection
What do I need to be able to project my fears of infection adequately?
The article title/summary focuses more on how IE is to blame rather than the real root of the problem, which appears to be Java. I realize this is Slashdot and its Microsoft, but come on.
It's important to identify that if this is not a browser thing, but a Sun JRE thing, any Java-enabled program that can come in contact with the installer applet could potentially infect your system.
Green's Law of Debate: Anything is possible if you don't know what you're talking about.
IE can already be infected by plugins and downloads from other browsers. My sister (whom I have confined to Firefox) likes to play those goddamn Neopets games, which require Shockwave. After installing it, the Yahoo! toolbar had managed to place itself into IE somehow, even when IE hadn't been used for months.
Guy asked me for a quarter for a cup of coffee. So I bit him.
from the if-you-must-run-windows-remove-ie dept.
f ault.aspx
Really? The microsoft website oftens blocks browsers other than IE from downloading updates and whatnot.
You CAN'T just remove IE. You need it. Just try to update office on firefox for example:
http://office.microsoft.com/en-us/officeupdate/de
1. You can't win
2. You can't break even
3. You can't get out of the game
4. No matter how hard you shake it, the last drop always rolls down your pant leg.
I'm not wrong. You haven't thought about it hard enough.
Sure they'll fix it ... by silently uninstalling Firefox using their next IE "this fixes numerous security flaws" super-updates.
By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer.... VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.
So, the attack happens through Sun's JVM, affects IE, and consequently has nothing to do with Firefox, which was inserted into the article for maximum troll capability.
If an exploit asks you to run it, does it still count as a security exploit? It's not taking advantage of anything other than the users own stupidity/ignorance if they get infected by it. Similar to those email viruses you have to oepn the atached zip, enter the password and then run the exe to get infected by.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
I know there's been a fair share of MS-bashing already but I just can't resist... It's pretty funny that IE is so insecure that its security holes exist in other programs :)
No way, RTFA.
Firefox warns the hell out of you about allowing a signed, but unverifiable applet from installing itself. Look at the screenshot, there's three separate big warning images.
If the web browser lets you download and install software, even if it warns you that doing so might be dangerous, the author contends this is a bug. That's silly. That's the *point* of a web browser. To download content from the internet.
It doesn't "escape" the sandbox... the user explicitly grants it permission to play outside of the sandbox.
Java is behaving in exactly the manner it's designed and advertised to act.
the installer escapes Java's sandbox
No. The user unlocks and opens the door, THEN the exploit escapes.
All the systems are working as designed. It is the user who opens the door.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
This has nothing to do with Firefox or the JRE, nor IE. The JRE's security manager properly issues are warning that the user is about to run arbitrary code. It's like an email worm. The user's interaction and ignorance is need to spread the thing.
Though rather than just asking, "Do you want to trust this applet", they should be a bit more explicit, "Trusting this applet will give it unrestricted access to your machine, and can install or change files, and access other computers through the network."
"Monday".
There are two types of Java applets: signed and unsigned. Unsigned applets run in a sandbox inside your Web browser. A Java exploit would be an unsigned applet that could "get out" and do something malicious. This doesn't seem to be an unsigned applet.
Signed applets don't run inside a sandbox. A signed applet can do anything that any other executable program can do; including formatting your disk or installing spyware. They are not any safer than programs written in C or assembly language.
--Steve
Ironic that Java, famous for its sandbox, seems to be the door through which this intruder enters.
I keep wondering if it wouldn't be better to have something like VMWare a standard part of a consumer OS. You would intantiate a VMWare-type virtual machine, preloaded with your Web browser, email client, etc., for all external communications. You would leave your "real machine" with no Net connection, but use it for other tasks that didn't need a live Net connection. Attacks from the outside would have no way to damage anything other than a virtual machine. If it got screwed up or infected, even by your kids playing with it and saying "Yes" to download offers, you'd just delete it and instantiate a new one.
You'd be able to reach from the real machine into one of the VMs and retrieve a file that you were satisfied was safe, but there would be no way for a VM to export (VMWare is like this). There would be occasions when fetching an infected file would infect your real machine, but the overall incidence of external damage should be significantly reduced by this approach and recovery from screwups would be quick and easy (at a cost of performance for activities done from a VM).
It's just a thought, but it seems as though this would just be an extension of the Unix notion of having root power but doing most of your work from a non-root account just to be safe.
"Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
As other people have noted, you still have to say "yes, bone me". But people don't expect a Java applet (since it's normally firewalled) to be dangerous, so they're more likely to say "yes".
If allowing an unrestricted Java applet to run is just as dangerous as installing and running an application, then the dialog box should reflect that. If Firefox is going to make you manually approve sites that you're going to allow XPI installs from, and *then* run a countdown in the warning dialog, they need to be at least as thorough about any other operation that takes you outside the sandbox.
No this is not really a Java issue either. This is a social engineering issue.
The JRE pops up it's "Warning" dialog, like its supposed to . It displays to the user that it cannot verify who signed this, that the cert is out of date etc, like its supposed to . It displays a warning reccomending that you NOT say yes and install the applet, like its supposed to . So when you ignore all of that and say yes, you deserve to get infected. I mean, what do you want, another dialog asking "Are you sure?".
I mean 3 big yellow exclaimation marks? I've never seen that even in the most unstable of development environments.
Oh and BTW, if you say yes to a Java applet in this instance, it runs as a local application without a security manager. This is not a 'hole' it is what it is supposed to do. When you say yes, that's what you're saying 'yes' to.
Now if people were taught not to do that the same way their are taught not to run arbitrary files sent to them via e-mail, this wouldn't be a problem. (That's sarcasm BTW)
In the end, the problem is the goof behind the keyboard that is willing to say 'Yes' to run applications they don't know about and that the JRE itself warns them at least 3 times in 3 ways not to run.
How do you defend against that?
Never by hatred has hatred been appeased, only by kindness - the Buddha
Konqueror asks permission for every single file an applet modifies. Although a good idea, in practice this is so annoying I had to turn it off.
I am trolling
No the prompt was from the JRE indicating that the applet that was being downloaded was asking for special privileges, beyond that of the sand box (see the picture in the middle of the Vital Security article). 3 excalimation marks, big and yellow, telling the user that it couldn't verify the authenticity of the applet, that the cert used to sign it had expired and then warned the user specifically to NOT say yes.
The idiot said yes anyway.
Now, if this happened without those warning, then there would be an issue. But that is not the case. The JRE functioned as it was designed to - to allow for extra privileges to be granted to an applet under certain circumstances and to vigorously warn the user and present them with information before hand. It was the user that ignored the warning, not the JRE.
Note to self: never get advice from "Vital Security" about security because anyone that would ignore that kind of warning from a site they did not know is definitely NOT a security professional
Never by hatred has hatred been appeased, only by kindness - the Buddha
How do you defend against that?
Clearly, all software should only be installable from floppy disks, and not from over the Internet. That way, script kiddies would have to send people their exploits by snail mail, with a note attached that reads:
Still, I'm sure there'd be a few who did...
I had an interesting idea the other day regarding this; what about "user-moderated" signings; the browser/JRE/active-x could query a server, with something like "applet GUID xxxx-xxxx-xxxx-xxxx, what's the current status?", and the server would return a hard (good/bad) or soft (percentages) ranking. Users could report if a given applet is bad, and leave comments. Those reports would also be moderated, of course, to prevent people from writing false reports.
The downside, of course, is that there would have to be some sort of master server for storing/relaying this information... and that'd be quite a task.
The whole "signed"/"unsigned" model is semi-broken, at least to the non-geeky. They have no idea what that means. I also think the dialogs should be severely re-designed and re-worded..
Not All Who Wander Are Lost
A nice intelligent choice with WinNT was the "Press Alt-Ctl-Delete" to login.
Since applications shouldn't be able to hijack that combination it adds additionaly security.
You can have a lot of fun with micking login boxes. Back when I was in uni we'd screw around with each others laptops. I got a terminal window on a friends machine and aliaed the su command to a perl script which would prompt for a password, send the password to my webserver, tell the user it was wrong, and then unalis the command so the next try would go to the real su.
Easy to do, but you'd have to be very on top of things to spot it.
The Giant DUH! Award goes to VitalSecurity.org, quite possibly the dumbest security company ever.
At the end of his blog, the author says that the purpose of his article is NOT to point out the social-engineering aspects of this exploit, but to point out that "most spyware installs occur when someone clicks "yes" to something they shouldn't have."
DUH!!!! What a total maroon.
Let's review. The user is presented with a dialog box that warns them, 3 times, that this thing can't be trusted, but they click 'Yes' anyway.
This is not a Firefox exploit. It is not an IE or Java exploit. It is a USER STUPIDITY exploit.
Never been to Tennessee have you?
Most (all?) Japanese cars have a "feature" that the door won't lock unless you're holding the handle up (open, whatever.)
I heard that this was a measure to prevent people from locking their keys in their car. The Japanese car manufacturers decided that if people have to lock the door, then hold the handle in the open position as they close the door, it will prevent them from accidentally locking their keys in the car.
Sounds nice in theory... until the day I locked the keys in my Civic. It was then that I noticed that because I couldn't lock the car door without holding up the handle, that I had gotten into the habit of *always* holding up the handle while closing the door, even when I didn't want to lock it.
I've known a lot of people who have locked their keys in their Japanese car, they told me the same thing.
So, instead of being a mechanism to prevent people from accidentally locking their keys in their car, it was instead a mechanism to train people to hold their door handle up when closing the car door.
You can't fix a behavioural problem with a technological solution.
Best. Webhost. Ever. Dreamhost.