Slashdot Mirror


IE Vulnerable to Cross-Browser Spyware Attack

An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browsers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate protection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

35 of 619 comments

  1. Caveat by Kimos · · Score: 5, Informative

    IF you're running Java and you click 'Yes' to the security warning...

    1. Re:Caveat by Jugalator · · Score: 5, Insightful

      ... and unfortunately, the system default is to have Java enabled, and the user default is to answer "Yes" to any dialog boxes popping up while browsing the web.

      --
      Beware: In C++, your friends can see your privates!
    2. Re:Caveat by Tim+C · · Score: 5, Insightful

      the user default is to answer "Yes" to any dialog boxes popping up while browsing the web.

      That's true, and is why I don't believe that any OS or browser is going to save us from malware. Until the average user learns safe computing practices, they're going to continue installing stuff they later wish they hadn't; in time even if they do stop running as admin, they'll get used to typing in their admin (or root) username and password.

    3. Re:Caveat by nacturation · · Score: 5, Insightful

      ... and after you click "Yes" to the warning, you have granted the Java code permission to modify anything on your hard drive. So, the fact that it modifies IE is really incidental. It could just as easily modify Firefox, Mozilla, OpenOffice.org, Thunderbird, emacs, gcc, and any other application it wants to.

      A better title for this article would have been "Every application vulnerable to attack due to bug in either Firefox and/or Sun's JRE".

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    4. Re:Caveat by m50d · · Score: 5, Insightful

      The user has seen enough web dialogs to know that when you see one, you click yes. If you try to read them all you'll go mad, if you click no that cool game bob told you about doesn't work. So you click yes on everything.

      --
      I am trolling
    5. Re:Caveat by rreyelts · · Score: 5, Funny

      Funny that. The dialog box has three (count them - 1, 2, 3) exclamation icons, has a title that says "Warning - Security", explicitly states that the certificate is invalid and issued by an untrusted company, and has "No" as the default selected button. What more can be asked of Sun?

      I suggest that Java make loud, obnoxious noises and shout Monty Python quotes at the user at an intolerable volume if he perchances to select "Yes", against all warnings.

      Exploit, my ass.

    6. Re:Caveat by Auckerman · · Score: 5, Funny

      "The security certificate was issued by a company that is not trusted."

      While that reads like perfectly valid English to me, knowing things that are irrelevant to my daily life and all, most people would NEVER understand that statement.

      A clearer statement like "It is probable that a VIRUS is trying to install on your computer, do you want to STOP this VIRUS from installing" with a "yes" and "no" for the check box with "yes" the default.

      --

      Burn Hollywood Burn
    7. Re:Caveat by lazlo · · Score: 5, Funny

      Absolutely. Replace your force-feedback mouse with the new force-bitchslap mouse.

      WHAP! No clicky!

      --
      Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
    8. Re:Caveat by Anonymous Coward · · Score: 5, Insightful

      Since you asked...

      Create a dialog box with all the warnings. Give it an OK and a Cancel button. Closing it or clicking Cancel always causes the applet not to run.

      Give it a checkbox that says "Allow this potentially dangerous applet to run without security restrictions." Leave it unchecked.

      Clicking OK while it's unchecked also causes the applet not to run.

      Now the user can't accidentally click yes, as two clicks are needed to unlock the applet. You can't accidentally make the user install the applet by typing "Y" when the dialog suddenly pops up.

      That's how all these "do something insecure" dialogs should be. I should have to explicitly check off "OK" and then hit the "Accept" button. That includes Firefox's XPI install system, which the site mentioned also tries to exploit.

    9. Re:Caveat by Deathlizard · · Score: 5, Informative

      What makes this even more scary is that it isn't technically a bug.

      There is nothing stopping the spyware company from getting a valid signature and packaging it. It happens all the time in IE. In fact, most of the spyware installers out there for IE are digitally signed.

      Using Java, they could easily socially engineer you to download and trust this thing, use Java to find out what OS you're running, download spyware/rootkits/etc for your particular PC OS and own your box totally independent of IE.

      A lot of the reason why Firefox is so safe is because it doesn't support ActiveX and prompt you all day to install the legacy scumware stuff. If it did support ActiveX in any way it would be prompting you just like IE would, people would click on yes just like they do in IE, and people would get owned just like they do with IE. Since it supports Java, however, they will just gamble that you have Java and get you to do the same thing they were doing in ActiveX, only with Java instead.

      The spyware writers know that 99% of computer users don't know what they are doing and they exploit that, pure and simple, and there's nothing that Bill Gates, Linus Torvalds, or Steve Jobs is going to do about that. This is what Kevin Mitnick has been preaching for some time now, that social engineering is the hacker's favorite tool, and until anyone who writes internet enabled code understands that, there's going to be a really big security problem in the future.

    10. Re:Caveat by RetroGeek · · Score: 5, Interesting

      I always make the user type "VERIFY" into an entry field for any potentially disastrous action.

      Hard for them to say they didn't see it.

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
  2. Same old story by Zone5 · · Score: 5, Funny

    "IE vulnerable to new attack" - shouldn't we find some sort of shorthand for this, since it happens so often?

    I have to imagine Slashdot's bandwidth saving would be enormous.

    --
    "So on one hand, honey is an amazingly sophisticated and efficient food source. On the other hand it's bee backwash."
  3. Remove IE..... by LittleLebowskiUrbanA · · Score: 5, Funny

    Yeah, I'll get right on that Timothy. Removing IE is so easy on Windows.... Not like it's built into the OS or anything.

  4. Bogus Headline by karmatic · · Score: 5, Informative

    The spyware installs itself using Java. It's not browser-specific; you can infect IE using Mozilla, Opera, IE, etc.

    There _is_ a dialog box, since the applet is unsigned. I tried signing it with my certificate; it installed itself without prompting. I believe it uses some sort of JRE exploit.

    1. Re:Bogus Headline by LarsWestergren · · Score: 5, Insightful

      I thought Java Applets run in a sandbox and can't modify local files.

      They can't, unless the user clicks "I allow this applet to modify files on my harddrive. Warning, this is unsafe, only do this with applets coming from a source you trust."

      This isn't a java exploit any more than a downloaded executable is an OS exploit.

      --

      Being bitter is drinking poison and hoping someone else will die

  5. Misleading title by kevin_conaway · · Score: 5, Insightful

    The article title/summary focuses more on how IE is to blame rather than the real root of the problem, which appears to be Java. I realize this is Slashdot and it's Microsoft, but come on.

    1. Re:Misleading title by Allicorn · · Score: 5, Insightful

      Firefox isn't to blame here, it's presented a very large, very clear, very threatening warning message.

      Java isn't to blame here, it's honored the unrestricted access permission given to the applet by the user.

      IE isn't even to blame here (!), it's just a target. Once the applet is running without restrictions, it can do anything any other executable could do.

      This "exploit" could be delivered via some other JavaPlugin-enabled browser and modify any other piece of software installed on your box.

      The blame here, at least in the case of the original article on Vital Security would appear to be the author experiencing a profound "curiosity killed the cat" moment.

      --
      OMG!!! Ponies!!!
  6. Not just browsers. by meisenst · · Score: 5, Informative

    It's important to identify that if this is not a browser thing, but a Sun JRE thing, any Java-enabled program that can come in contact with the installer applet could potentially infect your system.

    --
    Green's Law of Debate: Anything is possible if you don't know what you're talking about.
    1. Re:Not just browsers. by Crazy+Man+on+Fire · · Score: 5, Insightful

      It's important to identify that this is not a Sun JRE thing, but a user error thing!

      Any time a website asks you to trust them to install something on your computer, you should probably say no. If you say yes, you are going to get owned 99% of the time.

  7. This can already happen by tehshen · · Score: 5, Interesting

    IE can already be infected by plugins and downloads from other browsers. My sister (whom I have confined to Firefox) likes to play those goddamn Neopets games, which require Shockwave. After installing it, the Yahoo! toolbar had managed to place itself into IE somehow, even when IE hadn't been used for months.

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.
  8. But you still need IE. by cy_a253 · · Score: 5, Insightful

    from the if-you-must-run-windows-remove-ie dept.

    Really? The Microsoft website often blocks browsers other than IE from downloading updates and whatnot.

    You CAN'T just remove IE. You need it. Just try to update office on firefox for example:

    http://office.microsoft.com/en-us/officeupdate/default.aspx

    1. Re:But you still need IE. by Rude+Turnip · · Score: 5, Insightful

      My approach to IE has been this...in my mind it's no longer a "web browser." To me, IE is *only* to be used as Microsoft's "software update tool," much like how Apple has a dedicated software update tool for OS X.

      You can't use Firefox to automatically update Office, but you can manually download patches with Firefox. However, you can use the Microsoft Software Update Tool (formerly Internet Explorer) to automatically find updates.

  9. The Four Rules of Browsing the Net on Windows by Deep+Fried+Geekboy · · Score: 5, Funny

    1. You can't win
    2. You can't break even
    3. You can't get out of the game
    4. No matter how hard you shake it, the last drop always rolls down your pant leg.

    --

    I'm not wrong. You haven't thought about it hard enough.

  10. Re:who fixes it? by Bob+Loblaw · · Score: 5, Funny

    Sure they'll fix it ... by silently uninstalling Firefox using their next IE "this fixes numerous security flaws" super-updates.

  11. Let me get this straight... by bersl2 · · Score: 5, Informative

    By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer.... VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

    So, the attack happens through Sun's JVM, affects IE, and consequently has nothing to do with Firefox, which was inserted into the article for maximum troll capability.

  12. Can't resist by Hyksos · · Score: 5, Funny

    I know there's been a fair share of MS-bashing already but I just can't resist... It's pretty funny that IE is so insecure that its security holes exist in other programs :)

  13. I'm not defending IE by any stretch... by bob670 · · Score: 5, Insightful

    but this has a lot more to do with bad surfing and usage habits than IE at this point. If you haven't learned not to click on every damn pop up window, click yes on every dialog box and follow links to sites riddled with porn and warez ads then you get what you deserve. While I tend to use Mac OS X for most everything now, I have yet to get hit with spyware or a virus the entire time I have used 98Se/2000/XP. I got one virus on Win 95 and it served as a wake up call to watch what I was doing and think before I clicked yes. Yes, MS is responsible for some of this, and I am not trying to place blame on victims, but take some responsibility for your computer or put it back in the box and return it to Dull or Worst Buy.

  14. Re:Java by RetroGeek · · Score: 5, Informative

    the installer escapes Java's sandbox

    No. The user unlocks and opens the door, THEN the exploit escapes.

    All the systems are working as designed. It is the user who opens the door.

    --

    - - - - - - - - - - -
    I am a programmer. I am paid to produce syntax not grammar. Deal with it.
  15. Re:IE? by oglueck · · Score: 5, Informative

    This has nothing to do with Firefox or the JRE, nor IE. The JRE's security manager properly issues a warning that the user is about to run arbitrary code. It's like an email worm. The user's interaction and ignorance are needed to spread the thing.

  16. Re:who fixes it? by Anonymous Coward · · Score: 5, Insightful

    Though rather than just asking, "Do you want to trust this applet", they should be a bit more explicit, "Trusting this applet will give it unrestricted access to your machine, and can install or change files, and access other computers through the network."

  17. We already have one by AvantLegion · · Score: 5, Funny

    >> "IE vulnerable to new attack" - shouldn't we find some sort of shorthand for this, since it happens so often?

    "Monday".

  18. Re:Not a Java Exploit by Anonymous Coward · · Score: 5, Informative

    There are two types of Java applets: signed and unsigned. Unsigned applets run in a sandbox inside your Web browser. A Java exploit would be an unsigned applet that could "get out" and do something malicious. This doesn't seem to be an unsigned applet.

    Signed applets don't run inside a sandbox. A signed applet can do anything that any other executable program can do; including formatting your disk or installing spyware. They are not any safer than programs written in C or assembly language.

    --Steve

  19. Social engineering, but still a problem... by argent · · Score: 5, Insightful

    As other people have noted, you still have to say "yes, bone me". But people don't expect a Java applet (since it's normally firewalled) to be dangerous, so they're more likely to say "yes".

    If allowing an unrestricted Java applet to run is just as dangerous as installing and running an application, then the dialog box should reflect that. If Firefox is going to make you manually approve sites that you're going to allow XPI installs from, and *then* run a countdown in the warning dialog, they need to be at least as thorough about any other operation that takes you outside the sandbox.
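
The confirmation designs proposed in this thread (an unchecked checkbox that must be ticked before OK counts, a typed "VERIFY", and a countdown before the button goes live) can be modelled as one fail-closed gate. This is an added example, not part of the original thread and not code from the JRE or Firefox; `decideConsent`, the event names and the option names are hypothetical, and the sample sessions are constructed.

```javascript
// Added example: event names, option names and decideConsent() are hypothetical.
// Models a "run outside the sandbox?" prompt in which every path except one denies.
const PHRASE = "VERIFY"; // typed-confirmation variant

function decideConsent(events, { minVisibleMs = 0, requirePhrase = false } = {}) {
  let shownAt = null;   // time the dialog became visible
  let checked = false;  // the "run without restrictions" box starts unchecked
  let typed = "";       // contents of the typed-confirmation field

  for (const ev of events) {
    switch (ev.type) {
      case "shown":
        shownAt = ev.t;
        break;
      case "toggle":
        checked = !checked;
        break;
      case "input":
        typed = ev.text;
        break;
      case "key":
        // Keystrokes meant for the page underneath ("Y", Enter, Space)
        // are never treated as button activation.
        break;
      case "cancel":
      case "close":
        return "deny";
      case "ok":
        if (shownAt === null) return "deny";               // dialog never displayed
        if (ev.t - shownAt < minVisibleMs) return "deny";  // countdown still running
        if (!checked) return "deny";                       // box left unchecked
        if (requirePhrase && typed !== PHRASE) return "deny";
        return "allow";
      default:
        return "deny"; // unknown event: fail closed
    }
  }
  return "deny"; // dialog went away without an explicit decision
}

// Constructed sample sessions (t in milliseconds since page load).
const sessions = {
  strayKeys:   [{ type: "shown", t: 0 }, { type: "key", key: "y" }, { type: "key", key: "Enter" }],
  okOnly:      [{ type: "shown", t: 0 }, { type: "ok", t: 4000 }],
  tooFast:     [{ type: "shown", t: 0 }, { type: "toggle" }, { type: "ok", t: 300 }],
  deliberate:  [{ type: "shown", t: 0 }, { type: "toggle" }, { type: "ok", t: 4000 }],
  wrongPhrase: [{ type: "shown", t: 0 }, { type: "toggle" }, { type: "input", text: "verify" }, { type: "ok", t: 4000 }],
  fullPhrase:  [{ type: "shown", t: 0 }, { type: "toggle" }, { type: "input", text: "VERIFY" }, { type: "ok", t: 4000 }],
};

for (const [name, evs] of Object.entries(sessions)) {
  const opts = { minVisibleMs: 3000, requirePhrase: name.endsWith("Phrase") };
  console.log(name, decideConsent(evs, opts));
}
```

The gate only removes accidental approval; a user who deliberately ticks the box, waits and clicks OK is still allowed, which is the social-engineering case the thread keeps returning to.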

  20. Re:Not a browser issue and not a Java issue by JohnnyCannuk · · Score: 5, Insightful

    No this is not really a Java issue either. This is a social engineering issue.

    The JRE pops up its "Warning" dialog, like it's supposed to. It displays to the user that it cannot verify who signed this, that the cert is out of date etc, like it's supposed to. It displays a warning recommending that you NOT say yes and install the applet, like it's supposed to. So when you ignore all of that and say yes, you deserve to get infected. I mean, what do you want, another dialog asking "Are you sure?".

    I mean 3 big yellow exclamation marks? I've never seen that even in the most unstable of development environments.

    Oh and BTW, if you say yes to a Java applet in this instance, it runs as a local application without a security manager. This is not a 'hole' it is what it is supposed to do. When you say yes, that's what you're saying 'yes' to.

    Now if people were taught not to do that the same way they are taught not to run arbitrary files sent to them via e-mail, this wouldn't be a problem. (That's sarcasm BTW)

    In the end, the problem is the goof behind the keyboard that is willing to say 'Yes' to run applications they don't know about and that the JRE itself warns them at least 3 times in 3 ways not to run.

    How do you defend against that?

    --
    Never by hatred has hatred been appeased, only by kindness - the Buddha
  21. Re:Unfair analogy by 0x461FAB0BD7D2 · · Score: 5, Funny

    Never been to Tennessee have you?