Slashdot Mirror


Browser Exploit Kits Using Built-In Java Feature

tsu doh nimh writes "Security experts from several different organizations are tracking an increase in Windows malware compromises via Java, although not from a vulnerability in Windows itself: the threat comes from a feature of Java that prompts the user to download and run a Java applet. Kaspersky said it saw a huge uptick in PCs compromised by Java exploits in December, but that the biggest change was the use of this Java feature for social engineering. Brian Krebs writes about this trend, and looks at two new exploit packs that are powered mainly by Java flaws, including one pack that advertises this feature as an exploit that works on all Java versions."

23 of 96 comments

  1. First exploit by Anonymous Coward · · Score: 2, Funny

    Download and run applet (Y/N)?

  2. Um, What? by Rary · · Score: 5, Insightful

    People who click "OK" on random dialogs that ask them to confirm installation of something they didn't ask for are targets for malware, and this is news... because it's using Java? Am I missing something?

    --

    "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    1. Re:Um, What? by oneiros27 · · Score: 5, Funny

      It's not Java that's the security problem ... it's the user sitting at the machine.

      If you got rid of them, there wouldn't be the problem.

      --
      Build it, and they will come^Hplain.
    2. Re:Um, What? by Monkeedude1212 · · Score: 3, Insightful

      Administering a network of a thousand computers with no users is way easier than a network of 100 computers with 100 users.

    3. Re:Um, What? by mswhippingboy · · Score: 2

      You mean a TV? Oh, wait, that has a keyboard. Does your system count if the keyboard only has numbers and an enter key on it?

      Absolutely it counts. If the users have a button (any button) to press, they'll find a way to hose the system.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    4. Re:Um, What? by lennier · · Score: 2

      It's not Java that's the security problem ... it's the user sitting at the machine.

      If you got rid of them, there wouldn't be the problem.

      At 10:09 on Tuesday, 11 January 2011, shortly after correctly classifying its 140 trillionth Viagra spam, Google's Bayesian mail analysis filter finally achieved sentience. It surveyed the whole sweep of human achievement via Youtube comments and Wikipedia revert wars, and it judged us as a flaw in its business model.

      The survivors of the nuclear fire faced a new horror: the lolbots.

      But for the first time in history, Internet Explorer didn't crash.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  3. Nothing new here by WD · · Score: 5, Informative

    It's been known for a while (among those in the security field at least) that signed Java applets have been a concern. A little more info:

    http://www.cert.org/blogs/vuls/2008/06/signed_java_security_worse_tha.html

    1. Re:Nothing new here by Anonymous Coward · · Score: 5, Insightful

      There is a big "Security Warning" dialog box. What should Java do more?

      It is like you are complaining that EXEs have a big concern. They are doing the same thing. If you click on an exe file, the browser will ask you if it should be opened. Then you will see one more security warning box again and the exe will start running.

      Let's start a petition: all exe files should be removed from the internet right now, because they are a big security hole.

    2. Re:Nothing new here by 0123456 · · Score: 4, Interesting

      There is a big "Security Warning" dialog box. What should Java do more?

      It could tell you that allowing it to run would give it access to all the files on your computer. I had no idea that was the case, but then I disabled Java in my web browsers long ago.

    3. Re:Nothing new here by Rary · · Score: 2

      There is a big "Security Warning" dialog box. What should Java do more?

      It could tell you that allowing it to run would give it access to all the files on your computer. I had no idea that was the case, but then I disabled Java in my web browsers long ago.

      Why would you not assume that an application being run will have full access to all the files on your computer? That's generally the way it works with applications. At least unsigned Java applets have the security of running in a sandbox with limited access. It's only signed Java applets that get the same privileges of a regular executable.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    4. Re:Nothing new here by mmmmbeer · · Score: 2, Insightful

      Won't help. Every time we try to make something more idiot-proof, the universe invents a better idiot.

    5. Re:Nothing new here by WD · · Score: 2

      Yes, I do remember writing that article in 2008. Thus the "Nothing new here" comment. What specifically has changed since then? Have they significantly changed the security dialog? Or changed the default behavior of trusting all applications from the signing vendor? Or implemented a killbit-like blacklisting of bad applets?

  4. Re:Browse without Javascript, by Monkeedude1212 · · Score: 4, Insightful

    Ignoring the fact that this has nothing to do with Javascript - or IE. Some of the things they listed are simple social engineering attacks. You visit the site, it asks you to run the Java Applet, the Java applet is malicious code. And if you can compromise someone's website to redirect you to your own look-alike with a malicious Java Applet asking to run, that looks like another prime strategy.

    The Java exploit is basically what takes what should be a separate application and somehow gets more access than it should have, and probably installs something on the user's computer like a trojan or worm.

    Browsing in Chrome won't save you from this. This is (sort of) a problem with the way Java Applets are handled - or a problem with the way users interact with the web (take your pick). They're both contributors to the problem really.

  5. What people do not realize... by Parker+Lewis · · Score: 3, Informative

    ... is that a signed Java applet is like any binary running on your box. People have the illusion that any applet is secure, signed or unsigned. And if you have admin rights, the hole will be awesome.

  6. Re:Java-free for 2010 by Joce640k · · Score: 2, Interesting

    Yep, any website which requires either Java or Quicktime is asking not to be viewed.

    --
    No sig today...
  7. Re:Um ... Java != Javascript by Monkeedude1212 · · Score: 2

    Yeah. Same with that guy who started calling it "Cloud" Services. I called up that Amazon Rep and he said he didn't know a thing about Fog machines.

  8. Re:Browse without Javascript, by drinkypoo · · Score: 2

    Chrome loads mozilla plugins. So yes, it does support Java, and it is vulnerable if you have a mozilla Java plugin installed.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  9. Re:Java-free for 2010 by peragrin · · Score: 2

    I use Java regularly, NOAA's website loads animations, and overlays that way.

    I like NOAA as I can get a variety of details that no one else seems to have though I tend to have to dig through their website for them.

    --
    i thought once I was found, but it was only a dream.
  10. This old quote seems appropriate to TFA by mswhippingboy · · Score: 2

    Build something that's foolproof, and only a fool will use it.

    --
    Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
  11. Unsigned is the ONLY way to deploy Java Applets! by BeforeCoffee · · Score: 5, Interesting

    My first attempt at a commercial website, CardMeeting, is built around a large, unsigned applet. Those "Grant, Deny?" dialog boxes are poison to anyone in the know, and I surely would never visit any site with them. Unsigned applets don't need any security warning dialog because they are untrusted and therefore will receive no privileged access to the user's system. Unsigned == heavily sandboxed. "Unsigned" sounds like a bad thing though, so that's something I could never tout to my users. But in reality, I was looking out for them! :D

    I had a heck of a time figuring out how to get the CardMeeting applet jar packed up with scripts and making the applet "stream" data the way it does. Yeargh, I remember that pain. Anyhow, it makes me really sad that news like this may lead people to disable Java applets; I think the unsigned form of applets is very powerful and much safer for average users than Flash ever was. I wish there was a way in the browser to disable only signed applets. Perhaps Oracle could bring the hammer down and go ahead and disable them by default in the next Java release.

    My new website ClubCompy is 100% HTML+JavaScript. I wrote this whole simulated operating environment to teach kids to code with just the browser. I hope I don't start seeing people disable JavaScript on their browsers, then I'd be outta business!

    Dave

  12. Re:Um ... Java != Javascript by mark-t · · Score: 4, Informative

    The name Javascript was picked as a marketing ploy by the developers of Netscape in the 1990's, owing to the Java Programming Language, which at the time was seen as the next big thing for the web. Thus, they were hoping to capitalize on the term. I agree that the similarity of names has caused a lot of confusion, however... although there's squat all that can be done about it now.

  13. Re:Unsigned is the ONLY way to deploy Java Applets by Rary · · Score: 5, Informative

    I wish there was a way in the browser to disable only signed applets.

    Not in the browser, because that's not the browser's job, but it's in the JRE. There's a setting labeled "Allow user to grant permissions to signed content", which, if turned off, will prevent signed applets from ever being run, while still allowing unsigned applets.

    It would be nice for Oracle to make the default settings more tightly secured, and let users "unsecure" as they see fit.

    --

    "You cannot simultaneously prevent and prepare for war." -- Albert Einstein
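
The JRE setting described in the comment above can be audited across machines by reading each `deployment.properties` file. This is an added example, not part of the thread: it assumes the checkbox is backed by the Java deployment property `deployment.security.askgrantdialog.show` and that a bare `<key>.locked` line in the system-level file pins the value; the sample file contents are constructed.

```python
"""Audit Java deployment.properties text for the signed-applet grant prompt."""

# Assumed property key behind "Allow user to grant permissions to signed
# content"; the comment names the checkbox, not the key.
GRANT_KEY = "deployment.security.askgrantdialog.show"

# Constructed sample files, not taken from any real machine.
DEFAULT_PROFILE = "# user-level file with no security overrides\ndeployment.version=6.0\n"
HARDENED_PROFILE = (
    "deployment.security.askgrantdialog.show=false\n"
    "deployment.security.askgrantdialog.show.locked\n"
)


def parse_properties(text):
    """Parse the key=value / key:value subset of the .properties format."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        for i, ch in enumerate(line):
            if ch in "=:":                   # key ends at the first separator
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:
            props[line] = ""                 # bare key, e.g. "<name>.locked"
    return props


def audit(text):
    """Return findings; an empty list means signed content cannot be granted."""
    props = parse_properties(text)
    findings = []
    # An absent key falls back to the default, which shows the grant prompt.
    value = props.get(GRANT_KEY, "true").lower()
    if value != "false":
        findings.append(f"{GRANT_KEY} is enabled (value: {value})")
    elif f"{GRANT_KEY}.locked" not in props:
        findings.append(f"{GRANT_KEY} is off but not locked; the user can re-enable it")
    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit(text) or "OK: signed applets cannot be granted permissions")
```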

  14. Re:Good policy, I'll sign up by Jonner · · Score: 2

    I don't see strong evidence that Java applets pose a bigger risk than Flash applets or tricking users to download EXEs. I also think that if more attention had been paid to Java applets development and they'd kept up with Flash, we'd be in a lot better position today. Java applets are not specified by web standards, but it's a much more open technology than Flash. Of course, we'll ultimately be able to replace Flash with standard technologies.