Slashdot Mirror


The Java Popup you Can't Stop

An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by the user (the wet dream of any web advertiser). Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere'"

8 of 480 comments

  1. Re:Why? by mwvdlee · · Score: 4, Insightful

    You'd think so, but spam is apparently still worth the risk and effort too.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  2. Re:Don't spread this! by elrous0 · · Score: 4, Insightful

    Only promoting it and having it become a threat to them (i.e. lawsuits, users uninstalling Java on their systems, webpage designers moving away from it) will motivate them to fix the problem. If the threat is kept under wraps, they have no real motivation to move on it until phishers are already using it in the wild.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  3. Re:and the wet dream of any victim by aadvancedGIR · · Score: 4, Insightful

    The real wet dream of any victim would be to be able to disable Java or any scripting technology in his browser and still be able to surf on most respectable sites.
    I don't want to be a Luddite, but on 9 sites out of 10 that require those technologies, there is very little benefit for the user.

  4. Re:An interesting marketing technique... by Anonymous Brave Guy · · Score: 5, Insightful

    If he were selling his software commercially, or people were being directed from the Slashdot front page to a page full of ads, then you might have a point, but that's not the case here. The guy has made an obviously useful tool, gives it away for free, and is warning about an obviously relevant threat. The most he's likely to get out of this is a few small donations or a few more page hits on his site, perhaps making enough to cover the server costs for hosting a popular Firefox extension for a while and a bit of beer money. I think your post is way over the top.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  5. Re:Interesting by Opportunist · · Score: 4, Insightful

    NO

    Ban them from going full screen unless I, the owner of the machine where it wants to go full screen, agree to applications having the right to go full screen.

    I don't care about signed code. I do care about my preferences!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Re:Why I love IE by AKAImBatman · · Score: 4, Insightful

    "I had finally gotten tired of cleaning Java-based viruses off my machines"

    I believe you mean JavaScript viruses (very common), not Java viruses (extremely rare). JavaScript viruses tend to be mostly harmless (stuff like a popup you can't close) and are generally overblown by virus software. That's why your autoprotect software wasn't catching it: It wasn't that important. And erasing the files from your browser's cache after the fact is not really helpful either. You're not really "infected" per se. (Though some of those JS files are vectors into bigger and badder viruses.)

    "So when I hear stuff like this article, it's another reason I love IE. Dumping Java was the best move MS ever made on the browser."

    That has to be the worst reason in existence to use IE. If you don't want Java, don't install it. Firefox won't do it automatically, nor will Opera, nor will Safari. Sticking with IE because it doesn't install a JVM by default is nothing more than a false sense of security.

    parent rating: -1 FUD
  7. Re:Don't spread this! by LarsG · · Score: 4, Insightful

    You're setting up a false dichotomy; those are not the only two options available. In order to minimise the Window of Exposure, it is best to have it not blow up in media AND have it fixed as soon as possible.

    I'm all for letting security issues blow up in media if the software vendor ignores them; there's nothing like a little public shaming to make public companies get their act together security-wise. But as long as the software vendor fixes reported problems in a timely fashion, the only thing that is achieved by a media blow up before a patch is available is that more potential exploiters are made aware of the issue.

    --
    If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  8. Re:Analysis of the "hack", or how sum of parts bre by jonathan3003 · · Score: 5, Insightful

    I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps, etc.):
    1. Validate applet size to be always significantly less than screen size
    2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.


    I would expect that "System Modal" should be forbidden from any applet, even if it is signed. After all, it is running in a browser, not directly in the OS, so Application modal should be sufficient. In fact, one can argue that if you are writing an applet and you need System Modal functionality, then you are probably using the wrong technology anyways and should consider alternatives.

    Applets were designed to be sandboxed. System Modal should have been forbidden from the beginning anyways.