Browser Exploit Kits Using Built-In Java Feature

tsu doh nimh writes "Security experts from several different organizations are tracking an increase in Windows malware compromises via Java, although not from a vulnerability in Windows itself: the threat comes from a feature of Java that prompts the user to download and run a Java applet. Kaspersky said it saw a huge uptick in PCs compromised by Java exploits in December, but that the biggest change was the use of this Java feature for social engineering. Brian Krebs writes about this trend, and looks at two new exploit packs that are powered mainly by Java flaws, including one pack that advertises this feature as an exploit that works on all Java versions."

First exploit

Download and run applet (Y/N)?

Browse without Javascript,

[Compaqt]

Java, or plugins.

Slashdot works fine without Javascript (don't use the newfangled stuff).

Time, NYTimes, many/most other sites are fine without JavaScript.

When you need it, just also use another browser with JavaScript/Java/plugins turned on. I use Chrome for normal browsing, and Chromium when Javascript's needed.

Re:Browse without Javascript,

Chrome doesn't seem to support Java. So there's another option (as far as Java goes anyway).

Re:Browse without Javascript,

javascript != java

Re:Browse without Javascript,

Java != Javascript

Blame marketing/corporate politics for this intentional confusion.

Re:Browse without Javascript,

[Monkeedude1212]

Ignoring the fact that this has nothing to do with Javascript - or IE. Some of the things they listed are simple social engineering attacks. You visit the site, asks you to run the Java Applet, the Java applet is malicious code. And if you can compromise someone's website to redirect you to your own look-alike with a malicious Java Applet asking to run, that looks like another prime strategy.

The Java exploit is basically what takes what should be a seperate application and somehow gets more access than it should have, and probably installs something on the users computer like a trojan or worm.

Browsing in Chrome won't save you from this. This is (sort of) a problem with the way Java Applets are handled - or a problem with the way users interact with the web (take your pick). They're both contributors to the problem really.

Re:Browse without Javascript,

Or use NoScript and only turn on scripts when the site requires it/for sites you trust.

Re:Browse without Javascript,

[drinkypoo]

Chrome loads mozilla plugins. So yes, it does support Java, and it is vulnerable if you have a mozilla Java plugin installed.

Re:Browse without Javascript,

[Canazza]

wow, people are only reading the post title and not the body.

yes, the problem is partly with the poster, who started his sentence in the title and continued in the body, but come on, atleast TRY and read things

Re:Browse without Javascript,

It amazes me that people still browse with any form of scripting enabled by default.

Really, how many times does it take before people notice that's a bad idea?

Re:Browse without Javascript,

[sumdumass]

Don't be surprised. It's the entire didn't read the article expanded.

Re:Browse without Javascript,

[Compaqt]

>Browsing in Chrome won't save you from this.

Well, in my particular situation, I have Java, plugins, Javascript, etc. turned off for my Chrome installation.

Not claiming that Chrome in itself is more secure (arguable, but I'm not arguing it).

Re:Browse without Javascript,

[Compaqt]

That's the other option, and I used to do that for a long time with Firefox.

These days, I just leave Javascript + plugins turned off in one browser, and on in another for when I need it.

NoScript tends to take up a lot of time in setting the options, Javascript on, Javascript off. Also, I don't usually need to turn on Javascript forever for a whole site. Only usually for a specific page.

Youtube download sites

Yeah, I noticed that just about every Youtube downloader site seems to do this.
I refuse to run/install anything from I site I don't know just to leach files as it is inviting trouble.

Kits?

Browser Exploit Equipment Using Built-In Java Feature

FTFY.

(flashback humor. you would have had to of been here a few days ago.)

Re:Kits?

you would have to have been here a few days ago.

FTFY.

(grammar nazism. you would have to care about proper usage.)

I'm shocked

[$RANDOMLUSER]

You mean wetware is easier to exploit than software? Wow. Who'd a thunk it?

Um, What?

[Rary]

People who click "OK" on random dialogs that ask them to confirm installation of something they didn't ask for are targets for malware, and this is news... because it's using Java? Am I missing something?

Re:Um, What?

[oneiros27]

It's not Java that's the security problem ... it's the user sitting at the machine.

If you got rid of them, there wouldn't be the problem.

Re:Um, What?

[smartr]

How is this "exploit" any different from using a MSI web installer, beyond it being cross-platform? *click* "Is it ok to run this untrusted program?" "YES"

Re:Um, What?

[Monkeedude1212]

Administering a network of a thousand computers with no users is way easier than a network of 100 computers with 100 users.

Re:Um, What?

[ILuvRamen]

It's not like Java couldn't do something about it. I suggest they issue a "patch" for the user. First of all, out of my 250 or so customers for my repair business, 0% of those asked knew what Java is. So what they should do is instead of promoting Open Office while it's installing, have a little scrolling banner that explains what Java is. They used to have some obscure "Java is on your phone and DVR" type banner that raised more questions than answers so they'd have to do better than that.
Then, when it's done installing, open a mandatory mini-powerpoint type screen where they explain that Java lets apps run off a website and the app can do anything so they need to be careful then show screenshots of what the allow/deny java app window looks like. A full screen slideshow with a 10 second delay before the Next button is enabled would force like 90% of people to learn Java basics and prevent a lot of problems. There are still those people who are just too stupid/impatient/unteachable but this would help everyone but them. I think we all know, those lost cause people shouldn't be using a computer anyway.

Re:Um, What?

[dmmiller2k]

It's not Java that's the security problem ... it's the user sitting at the machine.

If you got rid of them, there wouldn't be the problem.

An acronym some IT folks use is

PEBKAC:

Problem Exists Between Keyboard And Chair

Re:Um, What?

[VGPowerlord]

It's not Java that's the security problem ... it's the user sitting at the machine.

If you got rid of them, there wouldn't be a software industry

FTFY

Re:Um, What?

[mswhippingboy]

No need to take the drastic step of getting rid of users. Simply provide them with computers with no input devices (mice, keyboards, etc).

Re:Um, What?

[flabbergast]

This isn't true though. For example, CVE-2010-0840 is a Java hashmap vulnerability that has been used, in the wild. "A user only needs to browse to an infected webpage, and the exploit pulls down a series of .exe files" http://ics.sans.edu/diary.html?storyid=9916 http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Exploit:Java/CVE-2010-0840.A&threatid=2147640548

Re:Um, What?

[MichaelKristopeit400]

slashdot = stagnated

Re:Um, What?

It's not Java that's the security problem ... it's the user sitting at the machine.

If you got rid of them, there wouldn't be the problem.

I used to work in retail (grocery store), and the general consensus was that our jobs would be a lot easier without the customers.

Re:Um, What?

[jisatsusha]

Or just take the Apple approach and lock users out of their own devices. Ordinarily I'm against it, but when you think about the skill level of the average computer user, I can see how it'd be appealing.

Re:Um, What?

[Belial6]

You mean a TV? Oh, wait, that has a keyboard. Does your system count if the keyboard only has numbers and an enter key on it?

Re:Um, What?

[mswhippingboy]

You mean a TV? Oh, wait, that has a keyboard. Does your system count if the keyboard only has numbers and an enter key on it?

Absolutely it counts. If the users have a button (any button) to press, they'll find a way to hose the system.

Re:Um, What?

I always liked "User Error: Replace user and press any key when ready."

Re:Um, What?

[lennier]

It's not Java that's the security problem ... it's the user sitting at the machine.

If you got rid of them, there wouldn't be the problem.

At 10:09 on Tuesday, 11 January 2011, shortly after correctly classifying its 140 trillionth Viagra spam, Google's Bayesian mail analysis filter finally achieved sentience. It surveyed the whole sweep of human achievement via Youtube comments and Wikipedia revert wars, and it judged us as a flaw in its business model.

The survivors of the nuclear fire faced a new horror: the lolbots.

But for the first time in history, Internet Explorer didn't crash.

Re:Um, What?

Wow...That is complete bullshit. If what you suggest happened to me I'd kill -9 the installer, uninstall Java and finally dump OO.O

Re:Um, What?

[Belial6]

So, they will end up watching soap operas and wrestling? I think that might be a little pessimistic.

Re:Um, What?

[cbiltcliffe]

slashdot = stagnated

Yet you're still here, you POS Kritopeit clone....

Re:Um, What?

[MichaelKristopeit400]

cower behind your chosen pseudonym some more, feeb.

you're completely pathetic.

Re:Um, What?

[sjames]

Just give them the new Management User Interface. It's custom tailored to the needs of a typical middle manager.

Re:Um, What?

[Waccoon]

Funny. My experience in retail taught me it was my colleagues that were the problem.

Re:Um, What?

[sznupi]

Make it more foggy...cloudy?

Nothing new here

[WD]

It's been known for a while (among those in the security field at least) that signed Java applets have been a concern. A little more info:

http://www.cert.org/blogs/vuls/2008/06/signed_java_security_worse_tha.html

Re:Nothing new here

There is a big "Security Warning" dialog box. What should Java do more?

It is like you are complaining that EXE's has a big concern. They are doing the same thing. If you click on an exe file, the browser will ask you if it should be opened. Then you will see one more security warning box again and the exe will start running.

Let's start a petition: all exe files should be removed from the internet right now, because they are a big security hole.

Re:Nothing new here

[0123456]

There is a big "Security Warning" dialog box. What should Java do more?

It could tell you that allowing it to run would give it access to all the files on your computer. I had no idea that was the case, but then I disabled Java in my web browsers long ago.

Re:Nothing new here

It could tell you that allowing it to run would give it access to all the files on your computer. I had no idea that was the case

Really?!

Re:Nothing new here

[Rary]

There is a big "Security Warning" dialog box. What should Java do more?

It could tell you that allowing it to run would give it access to all the files on your computer. I had no idea that was the case, but then I disabled Java in my web browsers long ago.

Why would you not assume that an application being run will have full access to all the files on your computer? That's generally the way it works with applications. At least unsigned Java applets have the security of running in a sandbox with limited access. It's only signed Java applets that get the same privileges of a regular executable.

Re:Nothing new here

[SplashMyBandit]

You do know that that article is from 2008 don't you, and it is now two and a half years later? There have been quite a few changes to applet security in the mean time.

Re:Nothing new here

[SplashMyBandit]

The 'vulnerable' applet can only access files on your computer if the original signed applet did. By this I mean that malicious users that host an existing applet cannot tamper with the applet without breaking the signature.

If the original applet could access files on your computer then it would be a problem if you visited the malicious site without knowing. Just as if you visited a malicious phishing site (written in PHP, or Javascript, or ASP, or AJAX or ...) that looked like your bank's log-in screen. It is no different.

Re:Nothing new here

[mmmmbeer]

Won't help. Every time we try to make something more idiot-proof, the universe invents a better idiot.

Re:Nothing new here

[Jonner]

Yeah, I don't think this is much more dangerous than downloading EXEs. However, when Java applets were first used, they were always in a very restricted sandbox; perhaps there should be a return to that policy.

Re:Nothing new here

Except that Java does actually have a sandbox and normal executables don't (on most pc's). The article is as usual very scarce with details, but the Java security warning is clear enough, and windows opened by applets always have a status display of ‘applet window’ that the applet cannot remove.
That said, back when I was still using Internet Explorer 6, it allowed me to turn off applets and Flash and such, so I had to enable that for the sites that needed it. For those few sites that was two extra clicks to get to the video or whatever, but a lot of the web was a lot nicer. My new browser has an adblocker, but a lot of these things aren't ads and aren't blocked. Blacklisting doesn't work as well as user whitelisting apparently.

Re:Nothing new here

[sjames]

Make the warning read:

If you click OK here the app will have access to all of your data including your bank accounts. It will give your dog fleas and shave your cat. It will drink your milk from the carton and put the empty container back in the fridge. It will leave it's smelly socks on the coffee table and leave flaming dog crap at your front door. It probably snores too....But it's your call man!

Re:Nothing new here

[WD]

Yes, I do remember writing that article in 2008. Thus the "Nothing new here" comment. What specifically has changed since then? Have they significantly changed the security dialog? Or changed the default behavior of trusting all applications from the signing vendor? Or implemented a killbit-like blacklisting of bad applets?

Java as opposed to Javascript

[Serious+Callers+Only]

Browse without Javascript, Java, or plugins.

Or just browse without Java. I've had Java turned off for years, and don't miss it.

Disabling Javascript leads to degraded performance and a degraded UI on some sites (note I said degraded, not non-functional, just not as nice), so it's not something most people would want to do. Javascript is pretty well sandboxed now in any case, and many exploits are through image file handling or things like that, which you'd still be vulnerable to.

Your recommendation of another browser for Java would unfortunately leave users just as vulnerable, as they can be exploited just as easily through the other browser's Java.

PS Splitting a sentence between the post title and body is annoying, please use the title for an actual title.

Re:Java as opposed to Javascript

PS Splitting a sentence between the post title and body is annoying, please use the title for an actual title.

You should be modded up just for that one sentence if nothing else. +5

What people do not realize...

[Parker+Lewis]

... is that a signed Java applet is like any binary running on your box. People have the illusion that any applet is secure, signed or unsigned. And if you have admin rights, the hole will awesome.

Re:What people do not realize...

And if you have admin rights, the hole will awesome.

You're doing it wrong.

Java-free for 2010

[Animats]

I don't have Java installed on my Windows 7 machine. I'd removed it during Firefox install, and never needed it. A few functions in OpenOffice don't work; that's about it.

Re:Java-free for 2010

[Joce640k]

Yep, any website which requires either Java or Quicktime is asking not to be viewed.

Re:Java-free for 2010

"I don't have Java installed on my Windows 7 machine."

Interesting. Did you mean to have it the other way around -- java, but no windows? ;)

Re:Java-free for 2010

[peragrin]

I use java regularly, NOAA's website loads animations, and overlays that way.

I like NOAA as I can get a variety of details that no one else seems to have though i tend to have to dig through their website for them.

Re:Java-free for 2010

Yep, any website which requires either Java, Quicktime, Flash, Silverlight or any ActiveX stuff is asking not to be viewed.

There, FTFY.

Re:Java-free for 2010

[StuartHankins]

A subset of what you want may be available on Weather Underground http://www.wunderground.com/ . I don't think they use Java but worth a peek. (I'm just a user, not affiliated etc)

Re:Java-free for 2010

[peragrin]

They don't have the direct from buoy data streams. I can tell a lot by wave height across the the 180 miles of Lake Ontario, and the bouy data is updated every 10 minutes.

Re:Java-free for 2010

Although YouTube has a HTML 5 version (that's incomplete), the adult YT imitators don't.

They are hardly asking not to be viewed.

Re:Java-free for 2010

NWS is not all that NOAA does.

Um ... Java != Javascript

[Joce640k]

Whoever decided that the browser scripting language should be "Javascript" needs to be taken out back and shot.

Re:Um ... Java != Javascript

[Monkeedude1212]

Yeah. Same with that guy who started calling it "Cloud" Services. I called up that Amazon Rep and he said he didn't know a thing about Fog machines.

Re:Um ... Java != Javascript

[peragrin]

He already was. he worked for Netscape, and Netscape fired all those losers for designing a bad browser(4.0 communicator if memory serves)

Re:Um ... Java != Javascript

[mswhippingboy]

Whoever decided that the browser scripting language should be "Javascript" needs to be taken out back and shot.

You prefer maybe VBScript? If it's the name you don't like, just call it ECMAScript (of which Javascript, JScript and ActionScript are dialects of). Or maybe you would just prefer no scripting at all in your browser. That's fair enough, but you'll have to give up the user experience that makes sites like Google maps, Gmail and the like so compelling.

Re:Um ... Java != Javascript

[w_dragon]

I think all the GP is complaining about is the fact that Java and Javascript have similar names, when they're not similar at all in purpose or usage, which confuses people.

Re:Um ... Java != Javascript

[mark-t]

The name Javascript was picked as a marketing ploy by the developers of Netscape in the 1990's, owing to the Java Programming Language, which at the time was seen as the next big thing for the web. Thus, they were hoping to capitalize on the term. I agree that the similarity of names has caused a lot of confusion, however... although there's squat all that can be done about it now.

Re:Um ... Java != Javascript

[Joce640k]

I would have gone for "HTMLscript" myself...

Re:Um ... Java != Javascript

[mswhippingboy]

You'd have the same problem then. People would just equate HTML to HTMLScript.

Re:Um ... Java != Javascript

That is much less of a problem since both HTML and JavaScript are directly interpreted by your browser and JavaScript is used inline with HTML. They practically are the same thing already.

Re:Um ... Java != Javascript

[Joce640k]

Many people already think HTML is 'coding' so that wouldn't change anything much.

Re:Um ... Java != Javascript

[Spliffster]

Furthermore, JavaScript was called LiveScript at first (>= Netscape 2). JavaScript offers scriptability bindings to java applets. So JS is not completely unrelated to Java, however, marketing was probably the most dominant factor to call it that way.

Re:Um ... Java != Javascript

[Jah-Wren+Ryel]

I agree that the similarity of names has caused a lot of confusion, however... although there's squat all that can be done about it now.

Well, we could all refer to it by the ISO designation ECZEMAScript, er, ECMAScript.

Re:Um ... Java != Javascript

Brendan Eich, the founder of JavaScript is still employed at Mozilla (where Netscape went after selling to AOL and then open sourcing).

He is still regarded as the visionary of ECMAScript (the legit name of JavaScript), and is on the board of ECMAScript 5 and Harmony.

Also, JavaScript was a way to get the market of Java (with the help of Sun in a partnership).

Also, JavaScript is the name of the implementation in Firefox, vs JScript in IE, and none in Chrome / Safari / Opera (the engine name is NOT the implementation).

Re:Um ... Java != Javascript

[Jonner]

It was some marketing genius at Netscape. The language was originally known as "Livescript" but Netscape was pushing Java applets, so they renamed it.

Good policy, I'll sign up

[rubypossum]

I remove it from my linux boxes as well. I realized one day that there was no software that I use that was written in Java. Not a single thing. Problem solved.

Ha, I had a Java free 2010 because Java is irrelevant, starting on a Java free 2011 because it's a security concern.

Re:Good policy, I'll sign up

[devxo]

Minecraft uses Java.

Re:Good policy, I'll sign up

If you follow this logic, than you should remove a LOT of other preinstalled software from your linux boxes.

Re:Good policy, I'll sign up

[Jonner]

I don't see strong evidence that Java applets pose a bigger risk than Flash applets or tricking users to download EXEs. I also think that if more attention had been paid to Java applets development and they'd kept up with Flash, we'd be in a lot better position today. Java applets are not specified by web standards, but it's a much more open technology than Flash. Of course, we'll ultimately be able to replace Flash with standard technologies.

Re:Good policy, I'll sign up

Hey, there's no Linux on my machine, therefore Linux is irrelevant.

This old quote seems appropriate to TFA

[mswhippingboy]

Build something that's foolproof, and only a fool will use it.

Unsigned is the ONLY way to deploy Java Applets!

[BeforeCoffee]

My first attempt at a commercial website, CardMeeting, is built around a large, unsigned applet. Those "Grant, Deny?" dialog boxes are poison to anyone in the know, and I surely would never visit any site with them. Unsigned applets don't need any security warning dialog because they are untrusted and therefore will receive no privileged access to the user's system. Unsigned == heavily sandboxed. "Unsigned" sounds like a bad thing though, so that's something I could never tout to my users. But in reality, I was looking out for them! :D

I had a heck of a time figuring out how to get the CardMeeting applet jar packed up with scripts and making the applet "stream" data the way it does. Yeargh, I remember that pain. Anyhow, it makes me really sad that news like this may lead people to disable java applets; I think the unsigned form of applets is very powerful and much safer for average users than Flash ever was. I wish there was a way in the browser to disable only signed applets. Perhaps Oracle could bring the hammer down and go ahead and disable them by default in the next Java release.

My new website ClubCompy is 100% HTML+JavaScript. I wrote this whole simulated operating environment to teach kids to code with just the browser. I hope I don't start seeing people disable JavaScript on their browsers, then I'd be outta business!

Dave

Splitting a sentence between the post title and

body is annoying, please use the title for an actual title.

I agree.

Re:Unsigned is the ONLY way to deploy Java Applets

[Rary]

I wish there was a way in the browser to disable only signed applets.

Not in the browser, because that's not the browser's job, but it's in the JRE. There's a setting labeled "Allow user to grant permissions to signed content", which, if turned off, will prevent signed applets from ever being run, while still allowing unsigned applets.

It would be nice for Oracle to make the default settings more tightly secured, and let users "unsecure" as they see fit.

Re:Unsigned is the ONLY way to deploy Java Applets

[BeforeCoffee]

Oh, yes of course, in the Java Control Panel. You make a good point on controlling this from the browser. I recall a long time ago there was an "Enable Java" checkbox in the Firefox control panel alongside "Enable JavaScript", which is where I was coming from on that. Looking in my Firefox options panel, I see that checkbox is now gone. So, you are right, times two! :)

Seeing as how average users cannot be trusted to take care of themselves, I think disabling the default for users' granting permissions to applets would be the only responsible thing for Oracle to do!

Distributed administration?

Layperson to this sort of thing, is there a system that exists in which a group of administrators are simultaneously prompted when any user requires elevation to perform a task? The first administrator to answer kills the non-invasive prompt for all other members of the group, and admins are rated on their decision making and alacrity.

Nay?

Apps are moving to "App Store" model

[Troll-Under-D'Bridge]

Let's start a petition: all exe files should be removed from the internet right now, because they are a big security hole.

Not entirely a bad idea, if not practicable. There should be a bit more security if applications are installed not via visiting different sites each peddling its own software but via central "app stores". While independent developers might find the setup undemocratic in that they can't "sell" their applications directly to users, the "app store" model predates the Apple marketing term by at least a decade (late 1990s), finding its roots in the package management systems developed for Unix and GNU/Linux.

PICNIC - Apples for dummies

[ancientt]

Problem In Chair Not In Computer - an acronym I prefer, it sounds like something people would already know so you can put it in places where it might be read by other techs or supervisors without too much worry that it will come back to haunt you.

The industrial revolution changed the amount of expertise an individual needed to produce a complex and reliable product to make end products generally less expensive and more reliable. It did so by moving specialization into ever smaller areas. The average user is tremendously unprepared to be an expert in every service they need their computer to provide. By pushing more and more of those services into the "cloud" the need for expertise by the end user is decreased. There are trade offs to be sure, but in the end most people are happy to relinquish control in favor of ease of use and reliability.

There has been a lot of speculation about what Apple is planning to do with its massive data centers and capital, so here's my guess:

1. Apple buys the "for dummies" rights
2. They set up a system to allow end user computer systems to be maintained in the "cloud"
3. They start selling Computers for Dummies (iComputers become known affectionately as Idiot's Computers)
4. Ubuntu, Chrome and Azure get pushed into or see the appeal in following the same business model
5. 2020 sees the lowest rate of computer virus* infection since the 1990s as 90% of home users don't install software on their computers

People will still click dancing bunnies but the problems created by PICNIC errors will decrease as users are protected from themselves. The hearty few who still run local software will be the elite and the truly dangerous. The elite few will make wise system management decisions and the truly dangerous will reboot to a trusted system every couple months.

Yes, I keep putting quotes around "cloud" because I don't think the term is solid yet and I think most of the time it is marketing jargon for "somebody else's problem."
computer virus* - viruses, trojans, malware, worms etc
I'm not saying that this is a good path for the IT industry, computer users or society as a whole. I am saying that something along these lines is likely inevitable. iPods, smart phones, tablet computers and e-readers are all steps in this direction and I foresee the trend continuing and even accelerating. Azure, Chrome OS and Ubuntu One are already making headway into moving services to the cloud, really it is hard to imagine cloud services becoming less common.

Re:PICNIC - Apples for dummies

[sznupi]

Adding next alternative to PICNIC - wouldn't "fog" be more apt description than "cloud" for such implementation priorities?

Re:PICNIC - Apples for dummies

[ancientt]

Bravo. (long pause) Bravo.

Fog, that is brilliant, maybe even tragically insightful. Thank you, I shall use that.