Slashdot Mirror


The Java Popup you Can't Stop

An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by the user (the wet dream of any web advertiser). Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere'"

25 of 480 comments

  1. NoScript, but they don't work by morgan_greywolf · · Score: 4, Informative

    In the meanwhile, NoScript is your friend


    As always, with script-related security flaws, the easiest solution is NoScript, of course.

    However, FWIW, I couldn't get either of his demos, the Java or the JavaScript, to work on Firefox 2.0.0.6 on Windows XP, despite the fact that the author says that both work on Firefox.

    1. Re:NoScript, but they don't work by Luscious868 · · Score: 4, Informative

      However, FWIW, I couldn't get either of his demos, the Java or the JavaScript, to work on Firefox 2.0.0.6 on Windows XP, despite the fact that the author says that both work on Firefox.

      It worked on my XP system and covered everything but the Start Menu and Task Bar. Getting it to close was simply a matter of right clicking on Firefox in the Task Bar and closing it down. It's certainly an annoyance, but it's not as bad as the article makes it seem to be. Anybody with a brain (which admittedly excludes about 60% of the population) can figure out how to close Firefox and thus the Java App.

    2. Re:NoScript, but they don't work by LiquidCoooled · · Score: 4, Informative

      Actually, it was a bit worse (for some reason on mine)

      The start bar went behind the app, bringing up task manager and shutting down the app wasn't as easy as you would think because the java app eats focus and makes clicking the "End Process" and the Warning message difficult.

      I managed it after a few mistypes and jabs at the button.

      It's possible to close it, but it doesn't play nice at all.

      --
      liqbase :: faster than paper
  2. Firefox by CogDissident · · Score: 2, Informative

    I have the newest version of firefox (vanilla, no extensions, only a few custom settings to increase speed) and his demo completely didn't work on my computer...

  3. move along, nothing to see here. by jsldub · · Score: 2, Informative

    You can still use firefox to keep popups contained in tabbed browsing, and prevent window resizing. Not-news, move along.

    1. Re:move along, nothing to see here. by teknikl · · Score: 2, Informative

      right -- the pop-up worked for me but came up as a distinct tab on only one of my two monitors... fairly simple to spot and close.

  4. Silly article by Glock27 · · Score: 2, Informative
    Under MacOS, the dock and top bar are still visible, and it's trivial to kill the browser.

    There's virtually no chance anyone would be fooled into doing anything but killing their browser, and Java is by no means alone in causing that kind of issue.

    Nothing to see here, move along...

    --
    Galileo: "The Earth revolves around the Sun!"
    Score: -1 100% Flamebait
    1. Re:Silly article by Anonymous Coward · · Score: 1, Informative

      And in fact, it was unable to set itself on top; this came out in the console.log:

      java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)
              at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
              at java.security.AccessController.checkPermission(AccessController.java:427)
              at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
              at java.awt.Window.setAlwaysOnTop(Window.java:1358)
              at FullScreen.start(FullScreen.java:30)
              at sun.applet.AppletPanel.run(AppletPanel.java:418)
              at java.lang.Thread.run(Thread.java:613)

  5. Re:Why? by Von+Helmet · · Score: 3, Informative

    Indeed. That sort of thing usually doesn't end well. Ask the guys behind X10 for example.

  6. Re:Doesn't work.. by gEvil+(beta) · · Score: 3, Informative

    That might be why the author wrote "In the meanwhile, NoScript is your friend ;)" in his blog.

    --
    This guy's the limit!
  7. Re:Remind me: Why do we have applets again? by SQLGuru · · Score: 4, Informative

    1. Yahoo.com

    Done.

    Yahoo uses Java for many of their online games. You might not play them, but a lot of people do. And that "lot of people" will probably leave Java enabled and be victim to this crap.

    Layne

  8. Re:Obvious solution? by badfish99 · · Score: 4, Informative

    From a quick look at the code, the bug seems to be that you can resize the popup to be bigger than the screen size. So the warning disappears off the bottom of the screen.

  9. Firefox (and Proxomitron) by Potor · · Score: 2, Informative

    yeah, is this a joke? i tried disabling everything i could think of while keeping java enabled - nothing.

    btw, i am a dedicated proxomitron user (disabled for a moment to try the demo). never see any ads or pop-ups ...

  10. Re:Don't spread this! by jimstapleton · · Score: 1, Informative

    Actually, I've seen it a few times. I just downloaded NoScript so I can limit it to the pages where I need it. Kinda wish I had downloaded this one sooner.

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  11. Adblock works, too by gpinzone · · Score: 2, Informative

    Putting http://evil.hackademix.net/fullscreen/FullScreen.class in AdBlock Plus' kill list worked like a charm. Make a generic kill for *.class and *.jar and then whitelist the sites that need java.

  12. Analysis of the "hack", or how sum of parts breaks by mritunjai · · Score: 5, Informative

    Would like to share some specifics. Disassembled the bytecode using javap and used my rusty JRE assembler 'skillz' to understand it, but well, since he seems to have compiled it with full debug options, any idiot can find it out by staring at the output for a sec.

    1. It doesn't use any "go fullscreen" API
    2. It's a failure of assuming sum of parts of software is as secure as its components. It can be "less" secure than any of the component taken in isolation. Point in case is the set of APIs used:

    a) Toolkit.getScreenSize(): Used to find size of desktop. Nothing evil here
    b) Window.setBounds(): Used to set size of window. Nothing evil, except set it larger than screen size, hence hiding the applet warning by moving it "off screen"
    c) Window.setAlwaysOnTop(): Used to set the window on top. Essential for displaying "Modal" dialog boxes like error boxes. Nothing sinister here.

    However, the shit happens because all the things taken together can be dangerous. Specially, passing "System Modal" to setAlwaysOnTop().

    I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-

    1. Validate applet size to be always significantly less than screen size
    2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.

    Any more ideas shall be appreciated.

    Oh, and I again despise him for an irresponsible disclosure and presenting the hack in easily reverse engineered, fully functional code.

    --
    - mritunjai
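
The two restrictions proposed in the comment above for unsigned applets (keep the window smaller than the screen, refuse always-on-top), sketched as an added example that is not part of the thread and not code from any JRE. The class name, method names and the 0.9 size limit are hypothetical, and it assumes the applet warning banner is drawn inside the window's own bounds, so keeping the whole rectangle on screen keeps the banner visible.

```java
import java.awt.Rectangle;

/** Added illustration: policy applied to window requests from unsigned code. */
public class UntrustedWindowPolicy {
    // Assumed limit, not taken from any JRE: the largest share of each
    // screen dimension that an untrusted window may occupy.
    static final double MAX_SCREEN_FRACTION = 0.9;

    /** Returns bounds that lie entirely inside the screen and below the size limit. */
    static Rectangle clamp(Rectangle requested, Rectangle screen) {
        int maxW = (int) (screen.width * MAX_SCREEN_FRACTION);
        int maxH = (int) (screen.height * MAX_SCREEN_FRACTION);
        int w = Math.max(1, Math.min(requested.width, maxW));
        int h = Math.max(1, Math.min(requested.height, maxH));
        // Pull the origin back so the bottom and right edges (and with them
        // the warning banner, under the assumption above) stay on screen.
        int x = Math.max(screen.x, Math.min(requested.x, screen.x + screen.width - w));
        int y = Math.max(screen.y, Math.min(requested.y, screen.y + screen.height - h));
        return new Rectangle(x, y, w, h);
    }

    /** Always-on-top is refused unless the calling code is trusted (signed). */
    static boolean allowAlwaysOnTop(boolean trusted) {
        return trusted;
    }

    public static void main(String[] args) {
        Rectangle screen = new Rectangle(0, 0, 1280, 1024); // constructed sample
        Rectangle[] requests = {                             // constructed samples
            new Rectangle(100, 100, 400, 300),   // ordinary window
            new Rectangle(0, 0, 1280, 1200),     // taller than the screen
            new Rectangle(-50, -50, 5000, 5000), // far larger, negative origin
        };
        for (Rectangle r : requests) {
            Rectangle c = clamp(r, screen);
            System.out.println(r + " -> " + c + (c.equals(r) ? "" : "  [clamped]"));
        }
        System.out.println("always-on-top for unsigned code: " + allowAlwaysOnTop(false));
    }
}
```
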
  13. Re:and the wet dream of any victim by Ash+Vince · · Score: 2, Informative

    It would have worked if you were British.

    Gerald Ratner is the head of Ratners, a jewelers here in GB.

    Gerald made some comment to the press about not understanding why anyone would buy the crap his shops sold as it was all second rate, tasteless junk (It is, he was being honest). Apparently there was some outcry over this when the great unwashed who actually bought crap from his shops realised they were being ripped off.

    (Disclaimer - I have not been into a Ratners in at least 20 years and have no intention of doing so, ever)

    --
    I dont read /. to RTFA, I read /. to offend people in ignorance.
  14. Re:Obvious solution? by Anonymous Coward · · Score: 1, Informative

    Then it's a non issue on Unix-Boxen: by holding the alt-key you can drag windows without having a visible border. At least on usual window managers, that is.

  15. To stop this technique, just.... by JRHodel · · Score: 2, Informative

    In Firefox, click on Options > Content and uncheck the Java Enabled checkbox. Then click on OK, and you're safe...

    --
    Think of the Irony!
  16. Re:Don't spread this! by BrokenHalo · · Score: 4, Informative

    I haven't had that in years and don't miss a damn thing.

    Maybe you don't do any banking on the internet, then. Here in Australia, at least, it is quite common for banks to use Java in an attempt to make their products cross platforms politely. And I, for one, welc... am perfectly happy with that, since I spent many years (once I had got over some of my luddite tendencies) whining about those who coded only for Winbloze boxes.

    I haven't found many other sites that go in for Java in such a big way, but if I came across one that loaded a popup like that, I would simply blacklist it permanently in my hosts file. It simply doesn't pay the advertiser to piss people off that much.

  17. Re:and the wet dream of any victim by Clandestine_Blaze · · Score: 4, Informative

    A distinction should be made between a website that can't function without client-side scripting, and websites that use it to support various functions but can work without it.

    For instance, the multi-level menus on a website should not be the only means of browsing its pages. In fact, if the user were to turn off all of their scripting for their browser, the website should function minimally. Even with Gmail, you could change the site options to "basic HTML", which is found on the bottom of the page.

    How about banking websites where you try to pay your bill and want to input the date? Most sites currently have a calendar pop-up for you to display a slick interface. But one should still be able to manually enter in a date that conforms to how the date is stored. (Or use server-side validation & conversion.) Again, inputting a date should not depend on a client-side calendar function since quite a few users use browsers that do not have any client-side scripting functionality.

    I agree with your point that a lot of the sites we commonly use have features that depend on client-side scripting, but the website itself should still function if you choose to turn off the functionality on the browser level, and that is what the parent was talking about if I understood their point correctly.

  18. Re:Who'd have thought it? by BobPaul · · Score: 2, Informative

    The Javascript launched one can't be closed by clicking. You have to alt+tab to the main browser window and click the close link. That said, I didn't get the Javascript launched one working on my GNU/Linux box, just the windows machine at work.

  19. Re:Who'd have thought it? by BobPaul · · Score: 2, Informative

    AFAIK, both of these require JAVA in order to work. One of the demos is launched by a JAVA applet and the other is launched by a JAVASCRIPT function of some sort, but I believe the full screen window that appears is JAVA regardless of which you use. I come to that conclusion because on WinXP, (where the Javascript launched one works) the Java icon appears as the icon when I Alt+Tab and because both of these use LiveConnect, according to Maone's website, which is a technology that allows interoperability between Java and Javascript.

    Also, on the "Applet" page, it says "Works in any Java-enabled browser" whereas the "Javascript" page states it works only if both "Java and JavaScript are enabled"

    Note that the link for the Javascript launched method is broken. You have to add the l to html. Here's a direct link. Remember, alt tab to close.

  20. Re:Why I love IE by AKAImBatman · · Score: 3, Informative

    Well, there are a couple of things about CWS:

    1. It merely used the JVM as a vector to install itself. As a virus, it was actually a Windows program and was reported as such by all virus tools in existence. Thus the original poster would not have known it as a "Java virus".

    2. There are actually a wide variety of CWS variants. Some of them used the JVM vulnerability while others used other system vulnerabilities like a hole in the Windows Meta File.

    3. As another poster pointed out, it was a hole in Microsoft's VM that was exploited. Which would seem to be further evidence for moving away from IE.

  21. Re:Don't spread this! by ajs · · Score: 2, Informative

    Information is meant to be FREEEEEEEEEEEEEEEEEEE! Are we still confused about this phrase? I thought that was so 1990s....

    Once again for those in the cheap seats: "information wants to be free" is roughly equivalent to the statement, "a gas wants to expand to fill its container." It's not wishful thinking. It's not a political statement. It's not an assertion of an ethical point of view. It's just a fairly easily demonstrated fact that no matter how hard you work to contain information (and arguably as a RESULT of how hard you work at it), said information will "seek" ways to be communicated to the widest possible audience.

    Of course, this is an anthropomorphization of what is more in the realm of math or physics. It's just a simplification for the masses.