Browser Exploit Kits Using Built-In Java Feature

tsu doh nimh writes "Security experts from several different organizations are tracking an increase in Windows malware compromises via Java, although not from a vulnerability in Windows itself: the threat comes from a feature of Java that prompts the user to download and run a Java applet. Kaspersky said it saw a huge uptick in PCs compromised by Java exploits in December, but that the biggest change was the use of this Java feature for social engineering. Brian Krebs writes about this trend, and looks at two new exploit packs that are powered mainly by Java flaws, including one pack that advertises this feature as an exploit that works on all Java versions."

Um, What?

[Rary]

People who click "OK" on random dialogs that ask them to confirm installation of something they didn't ask for are targets for malware, and this is news... because it's using Java? Am I missing something?

Re:Um, What?

[oneiros27]

It's not Java that's the security problem ... it's the user sitting at the machine.

If you got rid of them, there wouldn't be the problem.

Nothing new here

[WD]

It's been known for a while (among those in the security field at least) that signed Java applets have been a concern. A little more info:

http://www.cert.org/blogs/vuls/2008/06/signed_java_security_worse_tha.html

Re:Nothing new here

There is a big "Security Warning" dialog box. What should Java do more?

It is like you are complaining that EXE's has a big concern. They are doing the same thing. If you click on an exe file, the browser will ask you if it should be opened. Then you will see one more security warning box again and the exe will start running.

Let's start a petition: all exe files should be removed from the internet right now, because they are a big security hole.

Unsigned is the ONLY way to deploy Java Applets!

[BeforeCoffee]

My first attempt at a commercial website, CardMeeting, is built around a large, unsigned applet. Those "Grant, Deny?" dialog boxes are poison to anyone in the know, and I surely would never visit any site with them. Unsigned applets don't need any security warning dialog because they are untrusted and therefore will receive no privileged access to the user's system. Unsigned == heavily sandboxed. "Unsigned" sounds like a bad thing though, so that's something I could never tout to my users. But in reality, I was looking out for them! :D

I had a heck of a time figuring out how to get the CardMeeting applet jar packed up with scripts and making the applet "stream" data the way it does. Yeargh, I remember that pain. Anyhow, it makes me really sad that news like this may lead people to disable java applets; I think the unsigned form of applets is very powerful and much safer for average users than Flash ever was. I wish there was a way in the browser to disable only signed applets. Perhaps Oracle could bring the hammer down and go ahead and disable them by default in the next Java release.

My new website ClubCompy is 100% HTML+JavaScript. I wrote this whole simulated operating environment to teach kids to code with just the browser. I hope I don't start seeing people disable JavaScript on their browsers, then I'd be outta business!

Dave

Re:Unsigned is the ONLY way to deploy Java Applets

[Rary]

I wish there was a way in the browser to disable only signed applets.

Not in the browser, because that's not the browser's job, but it's in the JRE. There's a setting labeled "Allow user to grant permissions to signed content", which, if turned off, will prevent signed applets from ever being run, while still allowing unsigned applets.

It would be nice for Oracle to make the default settings more tightly secured, and let users "unsecure" as they see fit.