The Java Popup you Can't Stop

An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by user (the wet dream of any web advertiser). Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere' "

and the wet dream of any victim

[Raleel]

is to get their phone number, call them up, and inform them that they will never buy/use whatever it is they are selling, and will be telling 25 of their closest friends in person because of this practice. Certainly, you aren't limited to 25, but that is the old saying.

Re:and the wet dream of any victim

[aadvancedGIR]

The real wet dream of any victim would be to be able to disable java or any scriting technology in his browser and still be able to surf on most respectable sites.
I don't want to be a ludite, but on 9 sites times out of 10 that require those technologies, there is very little benefit for the user.

Re:and the wet dream of any victim

[secPM_MS]

I have to agree. I just returned from BlackHat and DefCon. Before I went I had tended to view "Web 2.0" as "Cross Site Scripting as a Feature". My view is now more negative and bleak. The combination of cross site scripting, cross site request forgery, DNS poisioning / anti pinning, and active content on the user's browser's is exceptionally powerful. There were a number of attacks discussed that were very serious. Since these vulnerabilities are server driven, there is essentially nothing that the user can do to protect themselves other than to block the functionality. Unfortunately, the state of the art in server deployments is very bad, not only do web masters deploy a lot of vulnerable web apps, but lots of web servers are compromised by attackers for the purpose of spreading their malware.

The smart web is the dangerous web -- the smarts are all too likely to be out to get you.

As for me, with a few exceptions, if a web site needs lots of scripting to make it work, I don't need it or use it.

Windows/Microsoft Update is in my trusted site zone

I use Firefox with noscript to enable only what I need for mapping functionality

Otherwise, Java, javascript, flash, multimedia, are all off.

Re:Why?

[mwvdlee]

You'd think so, but spam is apparently still worth the risk and effort too.

Re:Don't spread this!

[elrous0]

Only promoting it and having it become a threat to them (i.e. lawsuits, users uninstalling Java on their systems, webpage designers moving away from it) will motivate them to fix the problem. If the threat is kept under wraps, they have no real motivation to move on it until phishers are already using it in the wild.

Re:An interesting markettign technique...

[Anonymous+Brave+Guy]

If he were selling his software commercially, or people were being directed from the Slashdot front page to a page full of ads, then you might have a point, but that's not the case here. The guy has made an obviously useful tool, gives it away for free, and is warning about an obviously relevant threat. The most he's likely to get out of this is a few small donations or a few more page hits on his site, perhaps making enough to cover the server costs for hosting a popular Firefox extension for a while and a bit of beer money. I think your post is way over the top.

Re:NoScript, but they don't work

[kent_eh]

Getting it to close was simply a matter of right clicking on Firefox in the Task Bar and closing it down. It's certainly an annoyance, but it's not as bad as the article makes it seem to be. Anybody with a brain (which admittedly excludes about 60% of the population) can figure out how to close Firefox and thus the Java App.

In my experience the vast majority of windows users don't right click on anything, unless they have been specifically instructed to.

And they certainly don't intuitively know that they can right click on task bar icons to do anything, let alone close the app.
For most regular users (no doubt the intended target of the sort of sleeze who would use this for advertising and other nefarious purposes)there is only one way to shut down an app, and that's the rex X in the top right corner.

Re:Interesting

[Opportunist]

NO

Ban them from going full screen unless I, the owner of the machine where it wants to go full screen, agree to applications having the right to go full screen.

I don't care about signed code. I do care about my preferences!

Re:Don't spread this!

[LarsG]

True, full disclosure is needed as the ultimate Damocles sword to force companies to fix problems. If Sun acts slowly on this one, I'm all in favour of plastering it all over the front page of the WSJ.

Sun was made aware of this problem 10 days ago, and nothing seems to suggest that they don't take the issue seriously. The time it takes them to write a fix, do regression testing and push a patch out the door will likely not change due to this story reaching the /. frontpage or not. The only thing that will change is the number of people that are made aware of the issue before the fix is available, and in consequence the number of phishers/spammers/etc that have the opportunity to exploit it. That is, increasing the Window of Exposure

Re:Why I love IE

[AKAImBatman]

I had finally gotten tired of cleaning Java-based viruses off my machines

I believe you mean JavaScript viruses (very common) not Java viruses (extremely rare). Javascript viruses tend to be mostly harmless (stuff like, a popup you can't close) and are generally overblown by virus software. That's why your autoprotect software wasn't catching it: It wasn't that important. And erasing the files from your browser's cache after the fact is not really helpful either. You're not really "infected" per se. (Though some of those JS files are vectors into bigger and badder viruses.)

So when I hear stuff like this article, it's another reason I love IE. Dumping Java was the best move MS ever made on the browser.

That has to be the worst reason in existence to use IE. If you don't want Java, don't install it. FireFox won't do it automatically, nor will Opera, nor will Safari. Sticking with IE because it doesn't install a JVM by default is nothing more than a false sense of security.

parent rating: -1 FUD

Re:Don't spread this!

[LarsG]

You're setting up a false dichotomy, those are not the only two options available. In order to minimise the Window of Exposure, it is best to have it not blow up in media AND have it fixed as soon as possible.

I'm all for letting security issues blow up in media if the software vendor ignores them, there's nothing like a little public shaming to make public companies get their act together security-wise. But as long as the software vendor fixes reported problems in a timely fashion, the only thing that is achieved by a media blow up before a patch is available is that more potential exploiters are made aware of the issue.

Re:Analysis of the "hack", or how sum of parts bre

[jonathan3003]

I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-
1. Validate applet size to be always significantly less than screen size
2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.

I would expect that "System Modal" should be forbidden from any applet, even if it is signed. After all, it is running in a browser, not directly in the OS, so Application modal should be sufficient. In fact, one can argue that if you are writing an applet and you need System Modal functionality, then you are probably using the wrong technology anyways and should consider alternatives.

Applets were designed to be sandboxed. System Modal should have been forbidden from the beginning anyways.

Re:Don't spread this!

[JM78]

HA! but N00bs will click on stuff, SO WHAT, their computer will still not be infected...

You're right, N00bs WILL click on stuff. You've missed the point. There are plenty of ways to take advantage of people on the net without infecting their machine with a local virus. Not to mention that not everyone knows how to use CTL/ALT/DELETE and end processes (cause N00bs really need to be screwing with the task manager... riiight). EVERYONE is a N00b at some point - which leads me to my next point...

1. They deserve whatever they get.

That's an ignorant and callous statement. Just because someone focuses their learning on a subject other than computers/networking doesn't mean they deserve to get screwed. I hope your wife/grandma/parents/friends/yourself end up getting taken - maybe then you'll have a little respect for those who have other interests in life than learning everything there is to know about tech.

2. I'm pretty sure their computers (presuming they deserve to be called that) are already turned into spam zombies

So be part of the solution and help educate rather than whine about how dumb everyone else is. The worst kind of geek is the one who thinks somehow they're super-human and everyone else is dumb. Did you get beaten up by too many jocks in school?

Re:Don't spread this!

[Paperkirin]

All the online banking systems I've used in the UK are also (X)HTML and JS over SSH. Methinks the Australian banks might have over-thought this one a little too much...