The Java Popup you Can't Stop
An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by user (the wet dream of any web advertiser).
Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere' "
For the love of all that is holy, please don't promote this story to the /. frontpage. The fewer advertisers that are made aware of this the better.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
There are people who still browse with java switched on?! That is SO 1990's.
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
is to get their phone number, call them up, and inform them that they will never buy/use whatever it is they are selling, and will be telling 25 of their closest friends in person because of this practice. Certainly, you aren't limited to 25, but that is the old saying.
-- Who is the bigger fool? The fool or the fool who follows him? --
this is a real slashdot article, and not some clever cross site full screen javascript faux article out to steal my cookies, hmmm? if i hit submit i might-
oh shit
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
As always, with script-related security flaws, the easiest solution is NoScript, of course.
However, FWIW, I couldn't get either of his demos, the Java or the JavaScript, to work on Firefox 2.0.0.6 on Windows XP, despite the fact that the author says that both work on Firefox.
My blog
I have the newest version of firefox (vanilla, no extensions, only a few custom settings to increase speed) and his demo completely didn't work on my computer...
yes, but who would want their product to become associated with what would quickly become the most annoying ad basis ever invented?
You can still use firefox to keep popups contained in tabbed browsing, and prevent window resizing. Not-news, move along.
So...did I miss something? But winkey and ctrl alt delete did fine for me. Still, I *am* impressed...it just seemed to be billed as more than it was. Or is the joke on me for clicking the link in the first place? ::runs away to sign up for lifelock::
One last thing: Sometimes I wonder; "Is that someone's signature? Or do they type that at the end of each post?"
There's virtually no chance anyone would be fooled into doing anything but killing their browser, and Java is by no means alone in causing that kind of issue.
Nothing to see here, move along...
Galileo: "The Earth revolves around the Sun!"
Score: -1 100% Flamebait
No, I'm not talking about advertising via popups, I'm talking about Giorgio Maone's method of pushing NoScript. Whatever next? McAfee will release a super virus that only their product will stop? Or Microsoft start releasing IE exploits and paid-for patches?
I already use NoScript, but this sort of behaviour doesn't enamour me to the lead author.
I'd really like to see counter methods posted as (special) comments under articles like these. "Links to: How to prevent this". It would be really nice if we could use our mod points to "mark" a comment as a solution that an administrator could then move it to the top. Why the administrator involvement? Simple, to prevent the teams of people who go around and exploit this type of function on Yahoo. This would still allow Slashdot to work off the same random moderator point system it has while keeping some semblance of order. They could play around with how many mod points a comment needs before it can before an admin is notified.
Just a thought.
Why is that? What is "worse" about it than Ecmascript?
For extra credit, explain why Java Web Start is worse than downloading a traditional application and installing it...
Lemmings...gotta love 'em.
Galileo: "The Earth revolves around the Sun!"
Score: -1 100% Flamebait
FF on Ubuntu 7.04 using Sun's Java (1.5 I believe). The Java one works wonderfully(?) not only filling my full dual monitor setup, but preventing me from clearing it using any method I tried, including hitting the hotkey to change Gnome workspaces. The only thing that did work was switching to a virtual console at which point I could kill firefox-bin.
No need to worry folks, us handful of BeOS users will switch off the lights and the internet on our way out, since we'll be the last ones to leave. Every now and then I'm actually relieved to be running a non mainstream OS.
Revolution = Evolution
If marketing clowns are allowed to do this to my PC, or more to the point, the PCs of people who DON'T know what to do to secure their PCs, I think DoS attacks on individuals or companies that engage in this behavior should be perfectly legal. It amounts to the same thing, really. You interrupt my ability to conduct my business, and I will return the favor...
Seriously, name me one "house-hold" name website that uses Java applets anyway. Can't we just have it switched off by default? I like Java as a broad technology, but I'm finding applets increasingly irrelevant - interactive rich sites are being taken over by flash, ajax, and the probably-to-be-mainstream-soon Silverlight/Moonlight.
This isn't a flame....Java on the desktop is awesome and I love it.
*runs to the hills*
throw new NoSignatureException();
That might be why the author wrote "In the meanwhile, NoScript is your friend ;)" in his blog.
This guy's the limit!
The bug was filed on 29 JUL
Fixed.
- mritunjai
The whole point of Java was that it was super-sandboxed when running applets and you could enable it for all sites. To prevent phishing, any windows created by a Java applet would have to show 'Warning: Applet window' and a big red border or something like that. I wonder what went wrong to allow this attack, and whether it has been in Java since the beginning (i.e. would work even with Netscape 2.0) or takes advantage of some recently added kewl feature that forgot to do sandboxing properly.
-- Ed Avis ed@membled.com
This Java discovery will lead to the following:
1. Java Popups 1.0
2. Java Popups on Struts
3. Java Popups 1.1. (Not compatible with 1.0 or struts, needs a patch to SunOS to work)
4. JPEE. (Java Popups, Enterprise Edition- Not compatible with 1.1)
5. Java Popups for Mobile Devices.
6. Java Popups for Mobile Devices, Enterprise Edition.
HA, and you thought that Java was going to make this easy for Phishers and Advertisers.
This, of course, assumes that you allow Java to run without asking first.
If you, like me, don't allow Java or any other plug-in to run without the browser first asking you if it is OK to run, and if you don't allow plug-ins to run without having a VERY CLEAR idea of where they are coming from and what they will do, and do not run any such plug-in save from a VERY trusted source, then this will be very hard for an advertiser to exploit.
All the more reason why ALL plug-ins should be "user interaction required before use" BY DEFAULT.
www.eFax.com are spammers
From a quick look at the code, the bug seems to be that you can resize the popup to be bigger than the screen size. So the warning disappears off the bottom of the screen.
yeah, is this a joke? i tried disabling everything i could think of while keeping java enabled - nothing.
btw, i am a dedicated proxomitron user (disabled for a moment to try the demo). never see any ads or pop-ups ...
"Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop and cannot be closed by user"
Thing #397 That You Can Do In Linux But Can't In Other Popular Desktop OS's:
1. Ctrl+Alt+F1
2. Log In
3. missile-launch -f --target-from-process java
4. killall java
4a. killall firefox-bin (if necessary)
Actually this story is strangely coincidental; just a few minutes ago, I was trying to show a coworker a cool graphical demo of different sorting algorithm efficiencies, but I didn't have the Java plugin installed. Still don't.
"Software is like sex; it's better when it's free." -Linus Torvalds
Putting http://evil.hackademix.net/fullscreen/FullScreen.class in AdBlock Plus' kill list worked like a charm. Make a generic kill for *.class and *.jar and then whitelist the sites that need java.
Popups, Wet Dreams, and no napkins. What a mess.
I think the invisible hand of the market has its middle finger extended
--A wise old fart named SC0RN
The one sure way to endear me to a product and cause me to whip out my credit card is to pop up a window over my entire screen that I cannot remove. This type of "in your face" advertising is exactly what reluctant consumers like myself need.
FAQs are evil.
NO
Ban them from going full screen unless I, the owner of the machine where it wants to go full screen, agree to applications having the right to go full screen.
I don't care about signed code. I do care about my preferences!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I have Flashblock. Is there a Javablock? I'm surprised advertisers don't use Java more often. Java is one of those things that I would probably want to enable manually anyway, there's no need for it to be on all the time.
Would like to share some specifics. Disassembled the bytecode using javap and used my rusty JRE assembler 'skillz' to understand it, but well, since he seems to have compiled it with full debug options, any idiot can find it out by staring at the output for a sec.
1. It doesn't use any "go fullscreen" API
2. It's a failure of assuming the sum of parts of software is as secure as its components. It can be "less" secure than any of the components taken in isolation. Case in point is the set of APIs used:
a) Toolkit.getScreenSize(): Used to find size of desktop. Nothing evil here
b) Window.setBounds(): Used to set size of window. Nothing evil, except set it larger than screen size, hence hiding the applet warning by moving it "off screen"
c) Window.setAlwaysOnTop(): Used to set the window on top. Essential for displaying "Modal" dialog boxes like error boxes. Nothing sinister here.
However, the shit happens because all the things taken together can be dangerous. Especially passing "System Modal" to setAlwaysOnTop().
I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-
1. Validate applet size to be always significantly less than screen size
2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.
Any more ideas shall be appreciated.
Oh, and I again despise him for an irresponsible disclosure and presenting the hack in easily reverse engineered, fully functional code.
- mritunjai
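The two hurdles proposed in the comment above, sketched as an added example (not code from the thread, the demo, or the JRE): a host-side check that caps and repositions a window request from unsigned code so it stays fully on screen, and refuses always-on-top. The class name, the `MAX_FRACTION` value and the `Decision` type are assumptions made for illustration.

```java
import java.awt.Rectangle;

// Added illustration: hypothetical host-side policy for window requests
// made by unsigned (sandboxed) code. Not part of any real JRE API.
public final class WindowRequestPolicy {
    // Assumed cap: an unsigned window may span at most 80% of each screen
    // dimension, i.e. "significantly less than screen size".
    static final double MAX_FRACTION = 0.8;

    /** What the host actually grants after vetting a request. */
    static final class Decision {
        final Rectangle bounds;
        final boolean alwaysOnTop;   // always false for unsigned code
        final boolean onTopDenied;   // true if the caller asked and was refused
        Decision(Rectangle bounds, boolean onTopDenied) {
            this.bounds = bounds;
            this.alwaysOnTop = false;
            this.onTopDenied = onTopDenied;
        }
    }

    static int clamp(int v, int lo, int hi) {
        return Math.max(lo, Math.min(v, hi));
    }

    /** Hurdle 1: shrink and reposition so every edge stays on screen. */
    static Decision vetUnsigned(Rectangle screen, Rectangle req, boolean wantsOnTop) {
        int w = clamp(req.width, 1, (int) (screen.width * MAX_FRACTION));
        int h = clamp(req.height, 1, (int) (screen.height * MAX_FRACTION));
        // With the size capped, pin the origin so the bottom edge (where the
        // applet warning is drawn) cannot be moved past the screen boundary.
        int x = clamp(req.x, screen.x, screen.x + screen.width - w);
        int y = clamp(req.y, screen.y, screen.y + screen.height - h);
        // Hurdle 2: unsigned code never gets always-on-top, whatever it asks.
        return new Decision(new Rectangle(x, y, w, h), wantsOnTop);
    }

    public static void main(String[] args) {
        Rectangle screen = new Rectangle(0, 0, 1920, 1080); // constructed sample
        // Constructed request: larger than the screen, origin off screen.
        Rectangle req = new Rectangle(-100, -100, 4000, 3000);
        Decision d = vetUnsigned(screen, req, true);
        System.out.println("granted bounds: " + d.bounds);
        System.out.println("always on top:  " + d.alwaysOnTop
                + " (request denied: " + d.onTopDenied + ")");
    }
}
```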
Iceweasel 2.0.0.6 seems to stop it with the 'Warn me when sites try to install add-ons' option enabled, even if I have Java enabled.
accept no limits but time
Is having a full screen window in java any different from having a full screen window in Flash? If so, wouldn't it just be as easy to use Flash, since it is likely installed on more systems than Java is?
Jumpstart the tartan drive.
Pringles has been doing this for years. They are the original pop you can't stop
If an officer ever threatens to taze you, say you have a pacemaker.
When you pop Pringles you get chips... not cookies.
I believe you mean JavaScript viruses (very common) not Java viruses (extremely rare). Javascript viruses tend to be mostly harmless (stuff like, a popup you can't close) and are generally overblown by virus software. That's why your autoprotect software wasn't catching it: It wasn't that important. And erasing the files from your browser's cache after the fact is not really helpful either. You're not really "infected" per se. (Though some of those JS files are vectors into bigger and badder viruses.)
That has to be the worst reason in existence to use IE. If you don't want Java, don't install it. FireFox won't do it automatically, nor will Opera, nor will Safari. Sticking with IE because it doesn't install a JVM by default is nothing more than a false sense of security.
parent rating: -1 FUD
Javascript + Nintendo DSi = DSiCade
In Firefox, click on Options > Content and uncheck the Java Enabled checkbox. Then click on OK, and you're safe...
Think of the Irony!
I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-
1. Validate applet size to be always significantly less than screen size
2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.
I would expect that "System Modal" should be forbidden from any applet, even if it is signed. After all, it is running in a browser, not directly in the OS, so Application modal should be sufficient. In fact, one can argue that if you are writing an applet and you need System Modal functionality, then you are probably using the wrong technology anyways and should consider alternatives.
Applets were designed to be sandboxed. System Modal should have been forbidden from the beginning anyways.
That was quite possibly the finest example of elitist, childish, trolling bullshit I have read under this story so far.
occultae nullus est respectus musicae - originally a Greek proverb
I'm running a default 1.5.0_07 build on PPC OS X, with the MRJ plugin for Firefox, and I was watching the Java console when I tried his sample evil popup; I've put the stack trace below, but the gist is that
java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)
it wouldn't let the window be always on top, and indeed it wasn't; I could use my desktop and other apps pretty normally. This isn't the default security policy?
~Jesse
Wed Aug 08 11:57:08 EDT 2007 JEP creating applet FullScreen (http://evil.hackademix.net/fullscreen/classes/)
java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.awt.Window.setAlwaysOnTop(Window.java:1358)
at FullScreen.start(FullScreen.java:30)
at sun.applet.AppletPanel.run(AppletPanel.java:418)
at jep.AppletFramePanel.run(AppletFramePanel.java:176)
at java.lang.Thread.run(Thread.java:613)
Well, there are a couple of things about CWS:
1. It merely used the JVM as a vector to install itself. As a virus, it was actually a Windows program and was reported as such by all virus tools in existence. Thus the original poster would not have known it as a "Java virus".
2. There are actually a wide variety of CWS variants. Some of them used the JVM vulnerability while others used other system vulnerabilities like a hole in the Windows Meta File.
3. As another poster pointed out, it was a hole in Microsoft's VM that was exploited. Which would seem to be further evidence for moving away from IE.
Javascript + Nintendo DSi = DSiCade