Slashdot Mirror
The Java Popup you Can't Stop
An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by user (the wet dream of any web advertiser).
Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere' "
For the love of all that is holy, please don't promote this story to the /. frontpage. The less advertisers that are made aware of this the better.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
There are people who still browse with java switched on?! That is SO 1990's.
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
I've tried with Iceweasel 2.0.0.5 with NoScript, and NoScript blocked it nicely.
is to get their phone number, call them up, and inform them that they will never buy/use whatever it is they are selling, and will be telling 25 of their closest friends in person because of this practice. Certainly, you aren't limited to 25, but that is the old saying.
-- Who is the bigger fool? The fool or the fool who follows him? --
this is a real slashdot article, and not some clever cross site full screen javascript faux article out to steal my cookies, hmmm? if i hit submit i might-
oh shit
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
As always, with script-related security flaws, the easiest solution is NoScript, of course.
However, FWIW, I couldn't get either of his demos, the Java or the JavaScript, to work on Firefox 2.0.0.6 on Windows XP, despite the fact that the author says that both work on Firefox.
My blog
I have the newest version of firefox (vanilla, no extensions, only a few custom settings to increase speed) and his demo completely didn't work on my computer...
Now we all are doomed. And with the new Sun CPU, advertisers can display ads at an even higher frequency now.
yes, but who would want their product to become associated with what would quickly become the most annoying ad basis ever invented?
The obvious solution should be to turn of Java by default, and only turn it on for trusted sites.
Problem off course is that the avrage websurfer is unlikely to a) know how to do it, and b) know what sites to trust.
Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
Fucking asshats always find a way...
The game.
You can still use firefox to keep popups contained in tabbed browsing, and prevent window resizing. Not-news, move along.
So...did I miss something? But winkey and ctrl alt delete did fine for me. Still, I *am* impressed...it just seemed to be billed as more than it was. Or is the joke on me for clicking the link in the first place? ::runs away to sign up for lifelock::
One last thing: Sometimes I wonder; "Is that someone's signature? Or do they type that at the end of each post?"
There's virtually no chance anyone would be fooled into doing anything but killing their browser, and Java is by no means alone in causing that kind of issue.
Nothing to see here, move along...
Galileo: "The Earth revolves around the Sun!"
Score: -1 100% Flamebait
No, I'm not talking about advertising via popups, I'm talking about Giorgio Maone's method of pushing NoScript. Whatever next? McAfee will release a super virus that only their product will stop? Or Microsoft start releasing IE exploits and paid-for patches?
I already use NoScript, but this sort of behaviour doesn't enamour me to the lead author.
I'd really like to see counter methods posted as (special) comments under articles like these. "Links to: How to prevent this". It would be really nice if we could use our mod points to "mark" a comment as a solution that an administrator could then move it to the top. Why the administrator involvement? Simple, to prevent the teams of people who go around and exploit this type of function on Yahoo. This would still allow Slashdot to work off the same random moderator point system it has while keeping some semblance of order. They could play around with how many mod points a comment needs before it can before an admin is notified.
Just a thought.
I really dont like having java installed in my browser as it is.
this is nothing new. there was a GNAA last measure mirror a while back (as in a year ago) that was like this.
I had to kill X to stop it somewhat, then I had to drop into a shell and kill the process. and this was on linux.
Just now it's being made public.
Why is that? What is "worse" about it than Ecmascript?
For extra credit, explain why Java Web Start is worse than downloading a traditional application and installing it...
Lemmings...gotta love 'em.
Galileo: "The Earth revolves around the Sun!"
Score: -1 100% Flamebait
FF on Ubuntu 7.04 using Sun's Java (1.5 I believe). The Java one works wonderfully(?) not only filling my full dual monitor setup, but preventing me from clearing it using any method I tried, including hitting the hotkey to change Gnome workspaces. The only thing that did work was switching to a virtual console at which point I could kill firefox-bin.
No need to worry folks, us handful of BeOS users will switch off the lights and the internet on our way out, since we'll be the last ones to leave. Every now and then I'm actually relieved to be running a non mainstream OS.
Revolution = Evolution
If marketing clowns are allowed to do this to my PC, or more to the point, the PCs of people who DON'T know what to do to secure their PCs, I think DoS attacks on individuals or companies that engage in this behavior should be perfectly legal. It amounts to the same thing, really. You interrupt my ability to conduct my business, and I will return the favor...
Seriously, name me one "house-hold" name website that uses Java applets anyway. Can't we just have it switched off by default? I like Java as a broad technology, but I'm finding applets increasingly irrelevant - interactive rich sites are being taken over by flash, ajax, and the probably-to-be-mainstream-soon Silverlight/Moonlight.
This isn't a flame....Java on the desktop is awesome and I love it.
*runs to the hills*
throw new NoSignatureException();
well he certainly is adept in writing what must be the slowest rendering page on this side of the solar system. dear god, try to scroll...
1. The bug was filed on 19 JUL (less than 10 days back) and henceforth made public when no "visible" action was seen from Sun, in the interim Sun asked to keep the issue confidential, but it was made public anyways.
I find it hard to justify as I don't know a fix can be done and TESTED on all configurations (especially as wide as Java), in 10 days. Heck, full inhouse teams take *months* to roll out tested windows updates. I won't classify it as responsible disclosure.
2. The functionality is achievable by Javascript through LiveConnect present in Opera and Gecko based (Mozilla) browsers.
Great find, yep. But terribly executed and extremely irresponsible just to gain brownie points for NoScript!
- mritunjai
"Click here to download plugin"
No sympathy with people who installed the Java-crap.
I'm surprised no one has thought of doing this before. What I am curious about though is why the applet doesn't have a border - I suspect it is because it has gone full screen. If that is the case a really easy fix would be to simply ban applets from going full screen unless they are signed.
I used to have a better sig but it broke.
Java X11 app taking over? SSH into your box (unless you got another screen) and then DISPLAY=:0.0 xkill. Then it's just point, and shoot.
.45, AK-47, a machine gun, Stroll Munitions BH-209i plasma cannon, nuclear bomb, or the all-time commercial favorite... "What's that?" "Oh oh.... RAAAAAAAAAIIIIDDDD!!!" *BOOOOOOOOOOOOOOOOOOOOOOOOOM!*
*BLAM!*
Extra points to whoever makes an xkill clone that has configurable sound when you shoot the app, from Luger 9mm, Colt
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
I tried it. It opened a window with no location bar or close buttons, but I could easily right click on the the task bar and click close window. I don't see what the big deal is.
This Java discovery will lead to the following:
1. Java Popups 1.0
2. Java Popups on Struts
3. Java Popups 1.1. (Not compatible with 1.0 or struts, needs a patch to SunOS to work)
4. JPEE. (Java Popups, Enterprise Edition- Not compatible with 1.1)
5. Java Popups for Mobile Devices.
6. Java Popups for Mobile Devices, Enterprise Edition.
HA, and you thought that Java was going to make this easy for Phishers and Advertizers.
I'll venture this one.....
JavaScript is natively supported in the browser. Java requires an additional piece of software. Browsing the web in a secure mode should rely on the fewest number of software elements in order to minimize the opportunities for exploits. I'm not saying that only having one program running will prevent problems, but, as long as you keep that program patched appropriately, you should be safer than running two.
Layne
If you're too lazy to install NoScript:
Tools -> Options -> Content -> Uncheck "Enable Java"
Honestly, unless you have a legitimate reason to run Java applets, I don't see why to keep it enabled. I have found very few legitimate Java applets during the course of my normal browsing; most of them are something like "rippling water effect" or "annoying site counter".
Like this guy found a way to make popups in Javascript, and rather than acting responsibly and disclosing it sun and waiting for them to fix it, instead he just came out with it to try and convince people to use no script. It's like those virii that advertise anti-virus programs. I used to use no script but now I've uninstalled it, I am not going to use a program that is made by a guy creating security problems in order to force people into using his software.
Now that java is released under the GPL, how long before someone releases a java plugin to block popups such as these?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
us handful of BeOS users
What, both of you?
I can in fact stop it because I have dual monitors. The hack only goes into full screen mode on one of the monitors which makes it quite easy to shutdown the browser from the other screen. Also, GNU/Linux users can switch between virtual desktops via keyboard and or can kill X. It's the poor Windows users with only one monitor that will feel the most pain. ;)
AxXium
This, of course, assumes that you allow Java to run without asking first.
If you, like me, don't allow Java or any other plug-in to run without the browser first asking you if it is OK to run, and if you don't allow plug-ins to run without having a VERY CLEAR idea of where they are coming from and what they will do, and do not run any such plug-in save from a VERY trusted source, then this will be very hard for an advertiser to exploit.
All the more reason why ALL plug-ins should be "user interaction required before use" BY DEFAULT.
www.eFax.com are spammers
While we are at it, maybe improve it as well.
Clearly Sun will have to act on this very quickly.
Limiting unsigned applets to 600x480 seems like a good first step. The problem of course is does Frame know for sure that it's distant ancestor is an applet? In theory that's the idea behind the sandbox -- but clearly the sand has escaped and needs vacuuming.
Also -- I'm disappointed in /. readers. How have there not been any Lynx comments yet?
Nothing great was ever achieved without enthusiasm
'nuff said.
***Foucault is watching you..***
Using Windowmaker desktop, FF 2.0.0.6 and the gcjwebplugin it does indeed pop up full screen, but I can alt-drag it away (like any other window) and then xkill it. Irritating but not invincible.
25% Funny, 25% Insightful, 25% Informative, 25% Troll
yeah, is this a joke? i tried disabling everything i could think of while keeping java enabled - nothing.
btw, i am a dedicated proxomitron user (disabled for a moment to try the demo). never see any ads or pop-ups ...
When that time comes, will you BeOS guys be joining the rest of the world on internet2?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
When the java applet comes up fullscreen, it doesn't actually cover the menu bar on a Mac. To close the applet simply select the window that spawned the applet and go up to the File menu and select Close Window (or hit Cmd-W).
It also only effects your control over the specific browser (I'd imagine that's the same for Linux and Windows as well), as I could still cmd-tab between applications or use Expose.
That said, it's still bloody annoying.
The wet dream of any slashdot poster is mentioning wet dreams more than twice in a single post. Why I could wet daydream all day about the wet dreams my mum would clean when I post a story like this.
i forgot i was talking about the internet for a moment. I assumed ads actually sold a product for a moment.
It certainly is an annoying trick. But, at least on the WinXP comps I tried, when I alt-tab between programs I can see the browser for a moment and then the Java popup covers it again. So I moved my mouse over the X for the browser and did alt-tab, click and closed the browser with no trouble.
Overall, definately a great way to ruins someone's day though. Personally I keep pretty much everything turned off. I have a button in Opera to enable/disable various things like Java and Adobe. And NoScript is a great extension for FireFox. But there are still a lot of people out there that are going to get really screwed up by this finding.
1 (short ton / firkin) = 89.1432354 slugs / keg
How is this different from any of the sites I've been to where a new IE window pops-up in the background with no menu-bar or buttons that takes up the entire screen? This is not a Java issue, this is an OS windowing issue.
One of the silliest articles on Slashdot in a while...
Website Hosting
"Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop and cannot be closed by user"
Thing #397 That You Can Do In Linux But Can't In Other Popular Desktop OS's:
1. Ctrl+Atl+F1
2. Log In
3. missile-launch -f --target-from-process java
4. killall java
4a. killall firefox-bin (if necessary)
Actually this story is strangely coincidental; just a few minutes ago, I was trying to show a coworker a cool graphical demo of different sorting algorithm efficiencies, but I didn't have the Java plugin installed. Still don't.
"Software is like sex; it's better when it's free." -Linus Torvalds
It doesn't work when I visit it with Opera 9.
Oh wait, that's right, I disbled plugins years ago when I read about somthing just like this.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Sure it doesn't do much under MacOS, but maybe we should alert the fanbois anyway?
Or get some Linux or Windows fanbois to masquerade as Mac fanbois and have them issue the threats?
(It's humor, not trolling.)
Putting http://evil.hackademix.net/fullscreen/FullScreen.c lass in AdBlock Plus' kill list worked like a charm. Make a generic kill for *.class and *.jar and then whitelist the sites that need java.
Popups, Wet Dreams, and no napkins. What a mess.
I think the invisible hand of the market has its middle finger extended
--A wise old fart named SC0RN
Well it didn't work on my Windows 95C machine using Netscape 4.78.
The one sure way to endear me to a product and cause me to whip out my credit card is to pop up a window over my entire screen that I cannot remove. This type of "in your face" advertising is exactly what reluctant consumers like myself need.
FAQs are evil.
I can just imagine Grandma calling me for help... I take that back, she's still using dialup! :D
I have Flashblock. Is there a Javablock? I'm surprised advertisers don't use Java more often. Java is one of those things that I would probably want to enable manually anyway, there's no need for it to be on all the time.
I have the same issue: this demo does not seem to work.
I tried FireFox 1.0.6, Opera 9, and IE 6. None of them show ANYTHING aside from the "Pure Java Full Screen Demo" page. Neither the pure-Java way nor the JavaScript way work. However, in Firefox at least, I get a status bar message that reads "Applet FullScreen notinited"
Test system is Windows 2000 with FireFox 1.0.6, Opera 9, IE 6. Java IS enabled, as I can see the US clock applet. Java identifies as the "Java 2 Runtime Environment, SE v1.4.1" along with Java Web Start.
Guess that means I'm off the hook for this exploit!
bullshit. ctrl-alt-del, end task. done. this is nothing more then a window spawned by JS at full screen, with one clever trick to get around script blockers. this is a total none event. it's the Y2K of JS hacks.
If you mod me down, I will become more powerful than you can imagine....
Would like to share some specifics. Disassembled the bytecode using javap and used my rusty JRE assembler 'skillz' to understand it, but well, since he seems to have compiled it with full debug options, any idiot can find it ut by staring at the output for a sec.
1. It doesn't use any "go fullscreen" API
2. It's a failure of assuming sum of parts of software is as secure is as its components. It can be "less" secure than any of the component taken in isolation. Point in case is the set of APIs used:
a) Toolkit.getScreenSize(): Used to find size of desktop. Nothing evil here
b) Window.setBounds(): Used to set size of window. Nothing evil, except set it larger than screen size, hence hiding the applet warning by moving it "off screen"
c) Window.setAlwaysOnTop(): Used to set the window on top. Essential for displaying "Modal" dialog boxed like error boxes. Nothing sinister here.
However, the shit happens because all the things taken together can be dangerous. Specially, passing "System Modal" to setAlwaysOnTop().
I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-
1. Validate applet size to be always significantly less than screen size
2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.
Any more ideas shall be appreciated.
Oh, and I again despise him for an irresponsible disclosure and presenting the hack in easily reverse engineered, fully functional code.
- mritunjai
As always, with script-related security flaws, the easiest solution is NoScript, of course.
That or a browser and Window Manager that does not do the annoying thing in the first place. The author reports Safari falls victim but the demo did nothing to Konqueror on Etch.
Being paranoid, I restarted X. The author may have other goals and tricks for you.
Friends don't help friends install M$ junk.
Nice find by the author.
btw, in Opera, in preference --> javascript option, I always have these 3 options unticked: "Allow resizing of windows", "Allow moving of windows", and "Allow script to hide address". So, the exploit the author mentioned doesn't work.
His exploit "just works". Apple fanbois everywhere implode in a self-collapsing vortex of cognitive dissonance. by jjack
You can run and install java without installing the java applet plugin, let's not trash a perfectly good language because of some plugin security holes.
Apparently the issue is at least partially in the way java is allowed to call javascript. I agree with you, it would be nice if Sun acted quickly. What I don't understand is how people could be upset about this and so calm about the crap that Flash does?
In other news, the English language can be used to convince Congress to authorize and unjustifiable war with no exit strategy.
Is having a full screen window in java any different from having a full screen window in Flash? If so, wouldn't it just be as easy to use Flah, since it is likely installed on more systems than Java is.
Jumpstart the tartan drive.
My experience, as a System Administrator and Desktop Tech - Java is evil. Certain applications requireing a specific version of Java to work - real fun when you have a user who's job functions involve two websites that require different versions, else they don't work. As much as people hate on Microsoft, at least thier Java VM seemed to "just work". I refuse to load Java on systems until a user presents a "good" case where they need it. Same with Flash "pop-up" player...
If your browser doesn't provide a simple way to turn java on and off, why the fsck are you using the worthless thing? You deserve all the annoying popup ads I'm never troubled by, donkey.
Pringles has been doing this for years. They are the original pop you can't stop
If an officer ever threatens to taze you, say you have a pacemaker.
When you pop Pringles you get chips... not cookies.
OS X Firefox 2.0.0.6 - first link worked second did not. First one cover the entire screen but I was able to close it by using "cmd w" for close window no problem.....
All i got was a message saying "Click here to download this plugin" i guess you need java for this to work? opps :)
funny too, my university swore to me the online site wouldn't work without java... yet i've never had a single problem, even the file uploader works.
You can block everything. The result of such pop-ups will be quite simple: block the entire site.
This exploit isn't aimed at a Windows user who knows how to use the Task Manager. It's certainly not even aimed at a user who knows how to use NoScript.
Some days I wonder what's with you people. Actually, that's every day, and I've stopped wondering, because apparently being a n00b nerd makes you dense.
Now THIS is hard to take seriously. This has been possible for more than 5 years. The Applet window shows the warning ("Applet window") big enough. The only new (jdk1.5) method setAlwaysOnTop throws a SecurityException and just calling toFront every 10 ms may be annoying, but thats it. Since theres no way of knowing how the desktop looks like exactly the idea of drawing a fake desktop is rediculous. Well, i could continue ranting that that reversing the applet actually shows the author still has problems with the basic concepts such as Runnable and Thread, but wtf...
I believe you mean JavaScript viruses (very common) not Java viruses (extremely rare). Javascript viruses tend to be mostly harmless (stuff like, a popup you can't close) and are generally overblown by virus software. That's why your autoprotect software wasn't catching it: It wasn't that important. And erasing the files from your browser's cache after the fact is not really helpful either. You're not really "infected" per se. (Though some of those JS files are vectors into bigger and badder viruses.)
That has to be the worst reason in existence to use IE. If you don't want Java, don't install it. FireFox won't do it automatically, nor will Opera, nor will Safari. Sticking with IE because it doesn't install a JVM by default is nothing more than a false sense of security.
parent rating: -1 FUD
Javascript + Nintendo DSi = DSiCade
I already dont bother with flash sites, and dont have java enabled by default.
If they cant use simple html on a site to render with, then i just move on to another and they lost a sale.
---- Booth was a patriot ----
I am not sure if you are being sarcastic or not, but I'll bite. Java WebStart was a good idea that, for one reason or another, never caught on. People are still trying to figure out such a deployment model. When deploying a Java app, there are a lot of platform specifics you need to take into account to get a good user experience. WebStart was an attempt to make Java app deployment non-platform specific.
Of course, it is well known that if you force my browser to display a 1280x1024 popup ad on my screen that ill kindly respond by rushing to the store and buy the product.
Its like those men forcing women to love them - aka rapists.
stop raping my screen!
If you look like your passport photo, you're too ill to travel. - Will Kommen
Unlike Internet Explorer, Firefox (as I'm sure many of you already know) made it extremely easy to turn off Java and Javascript. I just go into the Tools, Options, and click on the content tab, then there are two nice checkboxes to disable Java and Javascript. If I go to a page that I've never been to before, and I think that there might be the slightest chance of something uncooth going on, I'll uncheck those boxes before I click on it. It's saved me a few times considering the page source code I've looked at. One of these days I might write some kind of addon to make a nice button at the top that toggles Java/JS, unless of course there is already such a thing.
;-)
They will always find ways around the blockers and whatnot, but there are simple ways to avoid them, the simplest and most fulproof method is to unplug the NIC. (Let's see your spyware phone-home now bitch!)
And they said zombies weren't real!
To c )Actually this throws a SecurityException when run on my box. FC6, FF 1.5.0.12 and jdk 1.6.0-b105.
The toFront is called periodicly by a Thread.
The easiest solution would probably be to have the applet warning at the top under Windows as well.
... that your posted analysis probably saved the bad guys a lot of time and effort.
To a Lisp hacker, XML is S-expressions in drag.
In Firefox, click on Options > Content and uncheck the Java Enabled checkbox. Then click on OK, and you're safe...
Think of the Irony!
I tried it in Safari (3.0 with latest build of webkit) on a Mac. The Java one enlarged the window, but I could still see and use the menu bar and dock, and hitting backspace simply took me back one page. And exposé and command-tab still worked.
I just got a popup like this from Pringles!
Once you pop, you can't stop... argh!
ok, yeah, that was lame...
I tried the "Whole desktop" thing of his with Safari 3.0.3
(1) It didnt cover the menu bar - so does not cover the whole desktop
(2) The Safari menu "Close Window" is still available - and does what you expect - closes this window.
Claims are overblown.
I think we've just witnessed the birth of Java.applet.Pringles.
Once you pop, you can't stop!
LOL. Alt+F4 and it's gone.
Say out loud: I'm an Aspie and I'm somewhat proud, I guess. Uh. Can I write an email in all caps instead? Hm...
Does anyone know more details about why the usual JVM sandboxing doesn't work for this FullScreen program, or the LiveConnect JavaScript snippet?
W TPermission.html):
l Screen.class or the LiveConnect JavaScript snippet are unsigned, I wouldn't expect the JVM to even give the user the option, unless the user explicitly configured their browser to allow permissions to unsigned code.
The JVM enforces permissions specifically related to creating top-level GUI windows (http://java.sun.com/javase/6/docs/api/java/awt/A
setWindowAlwaysOnTop Setting always-on-top property of the window: Window.setAlwaysOnTop(boolean) The malicious window might make itself look and behave like a real full desktop, so that information entered by the unsuspecting user is captured and subsequently misused
showWindowWithoutWarningBanner Display of a window without also displaying a banner warning that the window was created by an applet Without this warning, an applet may pop up windows without the user knowing that they belong to an applet. Since users may make security-sensitive decisions based on whether or not the window belongs to an applet (entering a username and password into a dialog box, for example), disabling this warning banner may allow applets to trick the user into entering such information.
These two seem to relate to the FullScreen demo, particularly setWindowAlwaysOnTop, since the FullScreen Java program calls w.setAlwaysOnTop(true).
I'd expect the security policy for a JVM running in a browser to only grant these permissions to Java code if the browser user agrees to allow them. And since the FullScreen program from http://evil.hackademix.net/fullscreen/classes/Ful
Is the JVM granting these permissions to the FullScreen code? Or is FullScreen somehow doing what it's doing despite not having the permissions?
If the JVM is granting the permissions, why?
If FullScreen doesn't have the permissions, how is it able to do what it does?
I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-
1. Validate applet size to be always significantly less than screen size
2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.
I would expect that "System Modal" should be forbidden from any applet, even if it is signed. After all, it is running in a browser, not directly in the OS, so Application modal should be sufficient. In fact, one can argue that if you are writing an applet and you need System Modal functionality, then you are probably using the wrong technology anyways and should consider alternatives.
Applets were designed to be sandboxed. System Modal should have been forbidden from the beginning anyways.
I heard rumours about such problems, too, but never actually found such a case myself (oh well, maybe 8 years ago when Java was less mature), even though I use Java a lot and (being a Java developer myself) frequently look for Java applets to see what's out there.
I always upgrade almost immediately to the latest version, and since Sun has been striving for backwards compatibility for a while now, it just works.
Could you give me an example where an applet absolutely requires a certain version?
Say out loud: I'm an Aspie and I'm somewhat proud, I guess. Uh. Can I write an email in all caps instead? Hm...
Hello? Why the FUD?
Like all other application, Firefox (and Safari, and IE) can be closed with a keyboard shortcut that's farily well known. Heck, my mom closes windows with Alt+F4.
Color me unimpressed. I guess there's a lot a add revenue to be had when thousands of folks come to downlaod your Firefox plugin or something.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
The simple answer would be to turn off Java. The problem with that is your turning of part of the web. Besides, who says they can't do the same with Flash? or AJAX? Would you turn those off too?
President/CEO Pacy World http://www.pacyworld.com
That was quite possibly the finest example of elitist, childish, trolling bullshit I have read under this story so far.
occultae nullus est respectus musicae - originally a Greek proverb
My computer doesn't install random applications from websites I visit. I have to download and install them manually. When my browsers Java plugin is enabled all java applets start without my intervention.
... am I missing something here?
I just tried the demo with Safari (Version 2.0.4 (419.3)) on Max OS X 10.4.10 (Intel), and, yes, I did get a rather largish pop-up-window, which, however, could be closed by pressing [command]+[W] (i.e.: the Mac standard key-combo for (you guessed it) closing windows).
So what gives?
sig? Oh, that sig...
While excluding java may ensure a slightly higher level of security for the iPhone, the breadth of apps (functionality, portability, etc) missing is quite sad. I would gladly trade the lessened security of an intelligent implementation of java (user authorization, certificates/signed code, protected memory, etc) for the features java could add to this otherwise phenomenal device.
Posted from my iPhone
Safari 3 beta on osx
no extras neither the geko on the applet version work
Please forgive me for asking a dumb question. Is it possible to set up permissions so that applets launched by the browsers do not have the ability to use "system modal"?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
You fail the Internet.
Many eyes.
I would prefer for him to post it here and get it fixed immediately than for someone to find it and start using it without anyone being able to see what was going on. He has done the responsible thing.
- Mozilla 1.7.13
- Sun JDK 1.5.0_02
- Red Hat Linux release 9 (Shrike)
The Java popup works as advertized in Firefox 2.0.0.6, same environment in other respects.Here's an example of why it's useful to support older versions of critical software in your environment. I know, it's all very conservative, but sometimes it's really nice to be able to roll back.
Parity: What to do when the weekend comes.
I think not. The security permissions that are set for applets are pretty much dictated by the Java plugin. On Windows, the plugin contributes an icon to the system tray which opens a preferences dialog (also available through the control panel). Perhaps some security settings can be changed using that dialog, but I doubt it.
I think this is a real concern... I know most of my family and friends would have Java enabled, and would not know how to make the popup "go away". Most would just click on it. I think this is a real concern.
Firefox for example, in addition to being able to disable Java completely should have an option "Ask me before running any Java". Because sometimes you need it but can't tell from the site why the site doesn't work.
Also, why the hell doesn't the little Java icon that appears in my system tray, not have an Exit JVM option that would kill all running Java apps and exit the VM/console? That should be a no-brainer option for Sun to include on the right-click menu for that icon.
The sooner someone abuses that bloated dual-CPU computer slowing stupid language the better. Then, everybody will turn it off to avoid the shenanigans and the rest of the sites that use it will be forced to stop too.
I would love nothing more than to turn that crap off in all my browsers permanently without running into some dumb site that wants to use it for navigation somewhere.
Saying Java is great because it works on all platforms is like saying anal sex is nice because it works on all sexes..
When I moderate, I only use "-1, Overrated". That way, I never get meta-moderated!
Go ahead, you know you want to.
Does that include CTRL-F4?
IE6 SP1 with autopatcher optional and security patches=no
Firefox with noscript=no
Kmeleon=yes
Seamonkey with noscript=no
I checked and IE6 does have java enabled.I don't know whether it is an autopatcher thing or simply a Win2K issue.Since I never use IE (I prefer Firefox and Seamonkey) I won't be doing further testing.I just hope the Kmeleon guys patch this quick as I've always recommended it for older RAM deprived Windows machines,but until they do I guess I'll have to recommend Firefox.
ACs don't waste your time replying, your posts are never seen by me.
We need something like a NoScript extension to Firefox to java plug in itself. The websites tell Firefox how to render the site. But an extension like AdBlock or NoScript or Flashblock intervene and tells FireFox not to render it. Similarly an applet might request a pop up window, but (my imagined) java-extension would cut in and say, "no you dont get to call System Model, sorry buddy". Is it possible to get a JRE that supports such extensions to the plug ins?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I have a feeling that using Jogl (Java OpenGL bindings) you could go really fullscreen. The Jogl natives jar is signed by Sun so you don't need to sign your applet to use it. Of course these features are really great for games, so it is not nice to just disable them.
This probably could be done in flash too. Youtube can go full screen on my PC, so I would assume any flash app can.
I'm running a default 1.5.0_07 build on PPC OS X, with the MRJ plugin for Firefox, and I was watching the Java console when I tried his sample evil popup; I've put the stack trace below, but the gist is that
n (AccessControlContext.java:264)c essController.java:427)y Manager.java:532)6 )
java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)
it wouldn't let the window be always on top, and indeed it wasn't; I could use my desktop and other apps pretty normally. This isn't the default security policy?
~Jesse
Wed Aug 08 11:57:08 EDT 2007 JEP creating applet FullScreen (http://evil.hackademix.net/fullscreen/classes/)
java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)
at java.security.AccessControlContext.checkPermissio
at java.security.AccessController.checkPermission(Ac
at java.lang.SecurityManager.checkPermission(Securit
at java.awt.Window.setAlwaysOnTop(Window.java:1358)
at FullScreen.start(FullScreen.java:30)
at sun.applet.AppletPanel.run(AppletPanel.java:418)
at jep.AppletFramePanel.run(AppletFramePanel.java:17
at java.lang.Thread.run(Thread.java:613)
And they run nicely sandboxed and can't interact with the rest of your system (create/view files, remain resident, etc) unless you click yes on the warning.
I wish my desktop apps did that!
As it happens, I just stumbled upon Sun's Looking Glass project. I don't know what stage it's in, I don't know which hoops I'll have to jump through to make it work on my laptop after I'm done installing Gentoo on it (cue Gentoo compile jokes; actually, I've only just started, and I think making the MacBook Pro keyboard work properly is going to take me most of the time). However, from what I see, it's Sun's project and it's Java based.
So pray tell, did I get something wrong?
Ignore this signature. By order.
Clearly you weren't around when Coolwebsearch got big. The only exploit they ever used was a bug in the Java VM.
The bug in MICROSOFT's shitty, half done JVM.
Just to be clear.
Those saying that it is 'easy to close' are missing the point.
You're blocking normal popups because they are unacceptable. If it is so easy to close, why don't you turn off your popup blocker?
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Well, not so much that as they replaced it with ActiveX. Which is 10x worse than Java ever was or will be.
My blog. Good stuff (when I remember to update it). Read it.
New?
:)
Should this not be existing since... 1990's
(probably before if some company is searching for Java programmer with 20 years' experience
Seriously, I cannot believe this is NEW: applets exist since so long ago. Am I missing something?
Pedro.
That's cute.
It has some neat properties. It's a full screen window that's always on top, like a modal dialog. There's no window title bar. Alt-tab will switch to another window, but the app switches back. Control-Alt-Del will bring up Task Manager, so you can kill the window that way by killing an instance of Firefox. Not sure if this works with IE, which is more deeply embedded in the OS. However, if the app launched a second window of itself, it could keep respawning faster than the user could kill it.
Alt-F4 will force the window to close, although the app could resist that if it wanted to.
The app suppresses that stupid Sun ad that runs when newer Java JVMs load. So it's not obvious that it's a Java app.
A key point here is that, since this thing takes over the whole screen with a real application, it could put up something that looked like a desktop to fool the user.
A security manager and class loader installed correctly can do the exact same things a popup blocker does... Java was just not popular enough to bother with but now that it is picking steam again it would be there in no time... Move along nothing to see!
Well, there are a couple of things about CWS:
1. It merely used the JVM as a vector to install itself. As a virus, it was actually a Windows program and was reported as such by all virus tools in existence. Thus the original poster would not have known it as a "Java virus".
2. There are actually a wide variety of CWS variants. Some of them used the JVM vulnerability while others used other system vulnerabilities like a hole in the Windows Meta File.
3. As another poster pointed out, it was a hole in Microsoft's VM that was exploited. Which would seem to be further evidence for moving away from IE.
Javascript + Nintendo DSi = DSiCade
I have disabled java from the early days when it was used to popup ads (why would I wait 5-10 seconds of my computer practically hanging just to see an ad? Loading the JVM just to perform a task - popups - doesn't add to my online experince). So, using FF, NS, and java disabled I would hope I'm a little safer. Unfortunatley, if we're talking spyware/bot installation then the real problem is the masses of people who get hijacked, not the integrity of my own computer.
Aside from the superficial joke in that statement, DNS poisoning is certainly a potential vulnerability. On machines I care about, there are no entries in my trusted site zone.
n/t
Then the simple solution is to blacklist any site that utilized that methodology on it's pages. That would be taken akin to hacking on a commercial level and even the hosting ISP's would be called to task to shut down the offending servers connections.
Nobody but nobody would stand for this on a commercial level. And once one was discovered, it would not be long before it would get taken down. So; even if a site had a "strange payload" on the page somewhere, the infection numbers would potentially be small.
Unfortunately we can't stop some of these sites from posting this kind of garbage but I don't really see it happening on a commercial level. If CNN ever did this or FoxNews plastered this on someones computer when they come to visit, it would be their last visit to that site or any site with even a similar sounding name. Period.
All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
Tons? By which you mean one? Which has been fixed. Meanwhile, MS continues to deny the existence of a problem. They are equally in denial of a number of other issues.
FF, when a vuln is identified, is patched very quickly, sometimes in a number of hours. IE, when a vuln is admitted to, is patched, at best, once a month. Which is the better system?
You are permitted to love IE, but please don't claim it's a superior product because of some perceived advantage that doesn't really exist. It's called delusional and in the end it can only harm you. Every piece of software has problems. The only issue is how quickly and effectively those problems are fixed.
Ah yes, the "hosts file" tweaker. Ever an important advertising demographic. It doesn't pay to piss people off who have any means of doing something about it. In all other cases, in inculcates learned helplessness, the wet-dream of pseudo-democracies everywhere. Can't uninstall or disable or live without Java? And the banks are involved? Ah yes, the wet-dream of monopolistic capitalism. Strange how many countries wake up on a map of France every morning.
As far as I'm concerned, this has always been sinister.
Please remove this from the entire system. I hate when an application opens a splash page when starting that is "Always On Top", developers who do this need to be flogged. If the app doesn't start immediately, I want do look at something else. I already have the application, I don't need or want to see the advertising.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
I remember when the automated sales calls first came out. My mom would patiently wait for the long automated pitch and at the end it would record your name and address if you were interested in the product. She gave the name and office address of the attorney general for the state.
When the people fear their government, there is tyranny; when the government fears the people, there is liberty.
c) Window.setAlwaysOnTop(): Used to set the window on top. Essential for displaying "Modal" dialog boxed like error boxes. Nothing sinister here.
Anyone who thinks "always on top" or "modal dialog boxes" or the infamous "needless always on-top error box" is not sinister is damaged in the GUI. I wish I could submit 10000 bug reports every time I see an always-on-top error box from some application that absolutely-freaking-insists I should know that it's had an error. You know what? I don't care! I'm just going to kill-9 and restart. And, BTW, why the *fuck* is it that the standard error-boxes for GTK/MacOSX/Win32 et al never have selectable text? Come ON! GIVE ME A BREAK!
Needs more Goatse...
The important part here isn't the language itself per se, but the libraries and API it provides. Java provides a much more "powerful" one and thus it has a larger surface of attack. Java also allows access to all sorts of things if the user clicks the right confirmation boxes to run the untrusted software. Of course users couldn't care less about confirmation dialogs and will happily click anything hat will give them a bit of "fancy/shinny".
As for why it's worse that traditional applications. On Windows there's not much difference because that OS doesn't do much to keep you from executing randomly downloaded files. Even so, there is a bit more intentionality in downloading and executing a file and at least some users understand the danger involved.
OffByOne has no clue what Java is, and its Javascript support is extremely limited. It's the safest and lightest graphical browser out there, at least in the Windows world.
It didn't affect me for two reasons. One, I use multiple monitors and this only pwned one of them. Second, I use BB4Win, and it's taskbar was OVER the Java popup. I just closed it.
He reported the bug to Sun and only disclosed when they classified it as a "Request for enhancement".
ALT-F4 seems to close it just fine. This is only bad for those that don't know keyboard shortcuts... Oh I forgot, that is most windows users.
freak3dot
Is this the same technique that they're using on the "Experts Exchange"? I'm not much for Java so I don't know, but that site managed to get a pop-under window through Firefox's popup protection the other day.
*re-reads comments having read them at work*
:D
I finally twigged, you mean WinKey. I wondered what the hell use a winking smilie with a nick-name was in closing windows
NoScript is extremely annoying. I've found that I have to enable it on almost every site I browse to, such that it's no longer worth my time for the perceived protection I gain.
So your complaint about Noscript is that it's doing exactly what it's meant to do? Sheesh.
There is also java.policy in jre/lib/security directory, but I doubt you can disable the system modal from there.
Didn't include NoScript. But it did include the ability -- not sure if it was on by default or not -- to set all plugins to click-to-run.
So let JavaScript run, I don't care. My popup blocker works quite well enough against JavaScript popups -- or if it theoretically doesn't, I've NEVER seen a popup since I've been using Konqueror.
But try to pop stuff up with hidden Java? The only way that works is if I actually need your Java for something else. Additional bonus: Since nspluginwrapper is a little unstable to begin with, and gets worse when it's in Konqueror instead of Firefox, I prefer not to turn on Flash for every little animated corporate logo. I can still look at YouTube and some of the few uses of Flash I want to see, but otherwise, I actually get a fast Internet (something I can't say for Firefox).
Don't thank God, thank a doctor!
import java.applet.Applet;
:)"
import java.awt.BorderLayout;
import java.awt.Color;
import java.awt.Cursor;
import java.awt.Dimension;
import java.awt.EventQueue;
import java.awt.Font;
import java.awt.Frame;
import java.awt.Label;
import java.awt.Toolkit;
import java.awt.Window;
import java.awt.event.MouseAdapter;
import java.awt.event.MouseEvent;
public class FullScreen extends Applet {
private Label l;
private Window w;
private boolean running;
private Runnable toFront = new Runnable() {
public void run() {
w.toFront();
}
};
private int clicks;
private String[] messages = {
"Scary, uh?", "So you want me to go away...",
"You know I don't have to, but...",
"I'll be nice, just click me one more time
};
public synchronized void start() {
w = new Window(new Frame());
l = new Label("PWND");
l.setFont(new Font("Serif", 1, 120));
l.setAlignment(1);
l.setForeground(Color.white);
l.addMouseListener(new MouseAdapter() {
public void mouseClicked(MouseEvent mouseevent) {
FullScreen.this.clicked();
}
});
l.setCursor(Cursor.getPredefinedCursor(12));
w.setBackground(Color.black);
w.setLayout(new BorderLayout());
w.add(l, "Center");
Dimension dimension = Toolkit.getDefaultToolkit().getScreenSize();
w.setBounds(0, 0, dimension.width, dimension.height + 128);
w.setVisible(true);
try {
w.setAlwaysOnTop(true);
} catch (Exception exception) {
exception.printStackTrace();
}
running = true;
new Thread() {
public void run() {
while (FullScreen.this.isRunning()) {
try {
EventQueue.invokeAndWait(toFront);
sleep(10L);
} catch (Exception exception) {
exception.printStackTrace();
break;
}
}
}
}.start();
}
private synchronized boolean isRunning() {
return running;
}
private synchronized void clicked() {
if (clicks >= messages.length) {
running = false;
w.dispose();
I tried out the demo program in IE, and yes it's a popup that goes fullscreen, but it doesn't disable any of the OS functionality. So you can right click the icon for the popup on the Windows taskbar (at least with "Autohide" turned on) and select "Close" without losing the main browser. You can also Alt-Tab to get out of it. So the hack isn't as escape-proof as advertised.
On the other hand, just being able to bypass the popup blocker is bad enough, and there is a large user pool out there that is completely unaware of the keyboard controls on the Windows desktop that would fall into the trap of clicking anything on the popup to try to get out. So a Close button or a simulation of an OS window frame around the fullscreen would be very tempting for a user to click on.
Overall, I think this is a serious issue, but not the end of the world as portrayed by the website.
We are the 198 proof..
On Windows:
ALT+SPACE -> System Menu -> Minimize/Close
- mritunjai
I find it especially entertaining that people have tagged this article with 'useamac' since macs are *also* vulnerable to this because it's a flaw in Java, not the operating system.
BeauHD. Worst editor since kdawson.
Perhaps the bigger issue here is that HTML/CSS hasn't kept up with the times (read the story about HTML 5 and the fact that almost no new tags have been introduced in years).
We shouldn't need Java/scripts to get menus - they should be supported directly in HTML via use of a element. In fact, the web would be far easier to browse with all this "active" crap turned off if HTML directly supported the most common uses of script with specific tags: menus, rollovers, tooltips, browser version checking, etc. (As an added bonus these things would also become easier to translate for mobile or accessible/handicapped browsing as well).
Natural != (nontoxic || beneficial)
What a stupid password. That's what I have on my luggage! :-O
I'm not sure if this is a default setting, but with NoScript you can disable Java for all sites except the ones on the whitelist... I just tested it, the applet is not started... so much for "Can't Stop"
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
After all, its just a simple window. Shouldn't Ctrl + W work on other machines then?
If Bill Gates had a dime for every time a Windows box crashed...oh, wait a minute - he already does.
There might be valid reasons to do that. What is required is a security heuristic for Applets, in particular, to not allow that to happen (i.e. for applets, it should enforce the applet-bar being visible)
Sun is not being "lazy" here - this exploit would have been possible for years, just no-one's thought of it until now. If Sun doesn't fix it from here, then sure, critise away.
Nuff said.
Those who are really interested in this have either already done their own exploits and are pissed that it's "already" being addressed or don't care about the analysis because they're working on one of their own. Only the skiddies care, and most of them can't code in Java (or much of anything else, either). So they'll be waiting for some enterprising soul to sell them a tool.
In the meantime, those of us who don't code in Java can at least understand what's going on. But I can't write an exploit. Which I guess that makes me a skiddie.
I used an extension called "Quick Java" (or maybe QuickJava), which allows me to easily enable/disable java.
Beware of geeks bearing formulas.
It's not so bad on Mac OS X. The menubar and dock still remain visible, so I could still gracefully close Firefox if I wanted. If any windows in XP or Linux were set to always be on top, then that might do the same as Mac OS X.
"Oh, and I again despise him for an irresponsible disclosure and presenting the hack in easily reverse engineered, fully functional code"
For heavens sakes, why do people persist in wanting amusing stuff hidden away, just in case the morons who are fooled by it fall victim. Nice one for posting the 'hack' (lol) in a way that's easy to take to pieces. Spot on for entertaining us. Ctrl W (as someone has already pointed out) is an instant cure in Opera, as is alt-space-c, Z (for back) ctrl-f4 alt-f4 and probably a dozen others.
One way the internet is at its most amusing is watching the sort of dolt who should have evolved out a dozen millenia ago being preyed on by the other sort of dolt who only *didn't* evolve out because he/she learnt about the first sort. Boring fools who want everything hushed up in an attempt to make the world safe for idiots are not only fighting a losing battle, they are also attempting to make the world tedious for the rest of us. Let it out, advertise it, use it to promote terror and fear and to extract money from the easily scared. I've no problem with that, just don't turn secret-squirrel on us and start trying to get things fixed before people have had fun with them.
The sort of RL soap-opera creatures who fall 'victim' to this sort of thing scarecly even qualify to be called human given their willingness to expect to use technology without ever picking up a book on the subject, let alone actually learning anything about it. Why oh why oh why do so many apparently well intentioned folk want to prevent the nearest thing to evolution left to us? What is wrong with that ancient experience known as 'learning the hard way'? The only way either of the varieties of pillow-head I refer to above is ever any use to humanity is by the amusement they grant us in picking on each other. Don't stop it or they really *will* only be worth their compost value after they've been buried.
Strewth. Let me hereby wish long and happy lives to those who indulge in 'irresponsible' disclosure, and short communicationless existences to those who would prevent it.
Yours, The Bellboy.
PS I speak as someone who has not only laughed at folk for 'learning the hard way' but who has also laughed at himself for doing the same damn thing (admittedly at a *slightly* higher level of education) But the idea that people like me need to be cotton wool protected to prevent uncomfortable experiences due to their own stupidity is one of the few things that winds me up. There's a good few things I wouldn't have learnt if I hadn't been deliberately tripped up in the past. Do I resent it? Do I heck!
Now you really can say "my computer is just showing porn and I can't shut it off." Of course it'll probably be gay porn & screem "I'm looking at porn".
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
Eh, just push F5 and then click the back button.
Giant screen of "PWNED", hit CTRL + W. Huh. It closed. Just like it was supposed to.
Am I the only one who actually looked at the site in Opera?
Once you have nuked the java process, what is the keystroke to return back to the gui?
"Be grateful for what you have. You may never know when you may lose it."
...is holy shit. This exploit even works in opera, and with xinerama yet (it takes over both of my screens). Oh well, that was enough for me to just turn java off entirely.
TrendMicro Housecall sends over a signed applet. Of course, because it is signed, that prompts a dialogue as to whether you trust TrendMicro or not as a distributor and want to add it to your trusted certs list. It's strange that unsigned applets just get to launch without asking, and there seems to be no way to prevent them from doing so.
Any Java VM needs a similar warning for unsigned applets. Perhaps a whitelist feature, with all other sites applets either rejected, or subject to a user confirmation, as a per user setting.
No ideas about the Javascript version of the exploit though. Yikes!
--
Toro
1.Switch to another console by pressing Ctrl+Alt+Fn. 2.Use ps and grep to find out any process whose name contains "java". 3.Kill those processes. 4.Switch back to the original console.
I have rarely seen a page that has a useful Java applet on it; there are a few sad sites that have all navigation links done via Java applets (not JavaScript, but actual Java).
For all of us who don't play Java-based games in our browsers, do we really have any reason to have the Java plugin enabled?
really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher)
Negative. At least on one of MY computers (a machine which is running Sun Solaris), the so-called "trusted stripe", a gray bar on the bottom of the desktop, can not be covered by any application.
and cannot be closed by user (the wet dream of any web advertiser).
"kill -9" will assuredly close it.
On my Mozilla Firefox 2.0.0.6 with NoScript set to allow that website, the JavaScript version throws this exception:
uncaught exception: java.security.PrivilegedActionException: java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException
The Java version works, but can still be beaten by going into a virtual console (or logging in from remote) and killing the java_vm process (which may crash firefox-bin too, bummer).
+5?
I have mod points but I just have to reply, even though this thread is old enough that nobody will read this.
Flash based websites? Nope. Flash is for movies, games and ads. I challenge you to name one "household" website that uses flash for anything other than this.
Ajax: Asynchronous JavaScript and XML. Ajax is not a language, it is a method for writing Javascript. Please, try to run any AJAX based website with noscript on. It won't work. I know this because I have Ajax on my website.
As for Silverlight, as a web developer, I think it is a pretty silly technology. I would use for the same things I use flash for, but Flash already does what I need faster. Maybe I just lack imagination.
weirdest thing I ever saw: scientology advertising on slashdot.
... and partly also here:
I really wonder what is making Nerds so selfish and ignorant to expect everyone to know any detail of the system that they are using that comments like "ctrl-w works, no big deal" are popping up like crazy. This is an issue and wether you like it or not - ppl are browsing with Java enabled - because the whole browser configuration is far beyond their horizon and it's difficult enough for a tech supporter to know all tricks and specialties of certain os and browser combinations.
All browsers (like almost all software) are still far to complex for Joe Averageuser and security issues like this explicitely proof that.
first I visited the link from /. - http://hackademix.net/2007/08/07/java-evil-popups - all I got was a background image, pie - quick look @ s/c got me this - http://evil.hackademix.net/fullscreen/applet.html
So I go there (and I do have Java installed), I get prompted that the site wants to install an ActiveX component, fine I says. Then IE says no, because it's not signed. Byes, I says.
Incidently, I lowered the sec perms of IE and got it to work, and sure it's an annoyance, that you kill your IE task to close it, but it's nothing more than an annoyance - which is the point of the popups I guess.
Interesting to see where this leads though.
"Even so, there is a bit more intentionality in downloading and executing a file and at least some users understand the danger involved." No, there's the same degree of intent involved in JWS, you get prompted with a clear warning of the issues. In fact, it's more information than you get with a traditional app.
Galileo: "The Earth revolves around the Sun!"
Score: -1 100% Flamebait
This is why people need to learn to use ALT+F4 or CTRL+ALT+DEL Task Manager to kill tasks.
It will be very interesting to see how pop ups works.
I knew that some do count on trust or image to make money. But why people click the pop ups? Why people were not teach not to click on popups?
Educate the kids, educate the people.
Cannot be closed by the user? No such thing. Unless by "user" you mean "someone who doesn't know how to use their computer but is playing around on the Internet anyway".
The huge amount of extra typing one has to do to write it. The many problems with the type system, like arrays losing their type at runtime. The lack of operator overloading. All the memory requirements and slowness of a scripting language without any of the ease of coding. The terrible default GUI library. And more.
For extra credit, explain why Java Web Start is worse than downloading a traditional application and installing it...
Because the traditional application will be handled by your package manager; you know where to go to uninstall it, if you are doing some sort of testing on all programs before installing that will get done, if you're deploying it across a large organisation you can use your existing mechanisms to do so, rather than having to learn a new, java-only way of doing all this. Next?
I am trolling