Forgot your password?
typodupeerror
Security

The Java Popup you Can't Stop 480

Posted by CmdrTaco
from the once-you-pop dept.
An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by user (the wet dream of any web advertiser). Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere' "
This discussion has been archived. No new comments can be posted.

The Java Popup you Can't Stop

Comments Filter:
  • by LarsG (31008) on Wednesday August 08, 2007 @08:53AM (#20155047) Journal
    For the love of all that is holy, please don't promote this story to the /. frontpage. The less advertisers that are made aware of this the better.
    • by Anonymous Coward on Wednesday August 08, 2007 @09:01AM (#20155151)
      NO WAY! Information is meant to be FREEEEEEEEEEEEEEEEEEE! YOU should keep your mouth shut, you fascist pig! I bet you voted for Bush!
      • by LarsG (31008) on Wednesday August 08, 2007 @09:14AM (#20155285) Journal
        Information wants to be anthropomorphised and all that, but I'd still prefer this one to stay below the main stream media radar until Sun can get a fix out.

        As for voting Bush. Since I'm not a US citizen, that would require use of the password '12345678'.
        • by elrous0 (869638) * on Wednesday August 08, 2007 @09:21AM (#20155381)
          Only promoting it and having it become a threat to them (i.e. lawsuits, users uninstalling Java on their systems, webpage designers moving away from it) will motivate them to fix the problem. If the threat is kept under wraps, they have no real motivation to move on it until phishers are already using it in the wild.
          • by LarsG (31008) on Wednesday August 08, 2007 @10:12AM (#20156153) Journal
            True, full disclosure is needed as the ultimate Damocles sword to force companies to fix problems. If Sun acts slowly on this one, I'm all in favour of plastering it all over the front page of the WSJ.

            Sun was made aware of this problem 10 days ago, and nothing seems to suggest that they don't take the issue seriously. The time it takes them to write a fix, do regression testing and push a patch out the door will likely not change due to this story reaching the /. frontpage or not. The only thing that will change is the number of people that are made aware of the issue before the fix is available, and in consequence the number of phishers/spammers/etc that have the opportunity to exploit it. That is, increasing the Window of Exposure [schneier.com]
          • Re: (Score:3, Insightful)

            by AVee (557523)
            Only promoting it and having it become a threat to them (i.e. lawsuits, users uninstalling Java on their systems, webpage designers moving away from it) will motivate them to fix the problem.

            I'm all with you on forcing vendors to fixs security problems, but you make a rather blunt statement about SUN. So far I haven't seen any examples of security issues in Java being ignored by SUN so you'd better back up an accusation like that with some facts.
      • Re: (Score:3, Informative)

        by ajs (35943)

        Information is meant to be FREEEEEEEEEEEEEEEEEEE!

        Are we still confused about this phrase? I thought that was so 1990s....

        Once again for those in the cheap seats: "information wants to be free" is roughly equivalent to the statement, "a gas wants to expand to fill its container." It's not wishful thinking. It's not a political statement. It's not an assertion of an ethical point of view. It's just a fairly easily demonstrated fact that no matter how hard you work to contain information (and arguably as a RESULT of how hard you work at it), said informatio

    • I guess Java will have to join Flash in my don't install/run list...

      Personally, I'm glad for the warning.
    • Re: (Score:3, Funny)

      by Anonymous Coward
      Eh don't worry, by the time the Java Virtual Machine loads up, you'll probably be doing something else. It should make for a good screensaver though!
  • by nagora (177841) on Wednesday August 08, 2007 @08:53AM (#20155049)
    There are people who still browse with java switched on?! That is SO 1990's.
    • by amigabill (146897) on Wednesday August 08, 2007 @09:36AM (#20155619)
      There are people who still browse with java switched on?! That is SO 1990's.

      Didn't you read the headline? You can't stop these things. Heck, the demo popped up an unkillable window on my AmigaOS box, and no JVM even exists for that...
      • Re: (Score:3, Funny)

        by Anonymous Coward
        Wow you can run Java even without a JVM??

        I had no idea Java was so powerful.
  • by Raleel (30913) on Wednesday August 08, 2007 @08:55AM (#20155061)
    is to get their phone number, call them up, and inform them that they will never buy/use whatever it is they are selling, and will be telling 25 of their closest friends in person because of this practice. Certainly, you aren't limited to 25, but that is the old saying.
    • Re: (Score:2, Insightful)

      by 91degrees (207121)
      There's no such thing as bad publicity.

      Actually that's not totally true, but telling people not to use a product may backfire if it means more people have heard of the product.
      • by 6031769 (829845)

        There's no such thing as bad publicity.
        Two words: Gerald Ratner
    • by aadvancedGIR (959466) on Wednesday August 08, 2007 @09:22AM (#20155387)
      The real wet dream of any victim would be to be able to disable java or any scriting technology in his browser and still be able to surf on most respectable sites.
      I don't want to be a ludite, but on 9 sites times out of 10 that require those technologies, there is very little benefit for the user.
      • Re: (Score:3, Funny)

        by foniksonik (573572)
        Yes... lets' disable PHP, JSP, Ruby, Python, ASP and all those other evil scripting languages. OH you meant Browser Scripting languages?

        OK then, let's disable multi-level menus, client side form validation, any sort of calculator, date pickers, multi-dimensional form inputs (where one choice branches the rest of the form), tree-menus, AJAX (which does have it's uses), font-size controllers, style switchers and all the other UI elements that make web sites even remotely usable.

        Let's just do away with Gmail a
        • by Clandestine_Blaze (1019274) on Wednesday August 08, 2007 @11:25AM (#20157109) Journal
          A distinction should be made between a website that can't function without client-side scripting, and websites that use it to support various functions but can work without it.

          For instance, the multi-level menus on a website should not be the only means of browsing its pages. In fact, if the user were to turn off all of their scripting for their browser, the website should function minimally. Even with Gmail, you could change the site options to "basic HTML", which is found on the bottom of the page.

          How about banking websites where you try to pay your bill and want to input the date? Most sites currently have a calendar pop-up for you to display a slick interface. But one should still be able to manually enter in a date that conforms to how the date is stored. (Or use server-side validation & conversion.) Again, inputting a date should not depend on a client-side calendar function since quite a few users use browsers that do not have any client-side scripting functionality.

          I agree with your point that a lot of the sites we commonly use have features that depend on client-side scripting, but the website itself should still function if you choose to turn off the functionality on the browser level, and that is what the parent was talking about if I understood their point correctly.
      • by secPM_MS (1081961) on Wednesday August 08, 2007 @11:14AM (#20156963)
        I have to agree. I just returned from BlackHat and DefCon. Before I went I had tended to view "Web 2.0" as "Cross Site Scripting as a Feature". My view is now more negative and bleak. The combination of cross site scripting, cross site request forgery, DNS poisioning / anti pinning, and active content on the user's browser's is exceptionally powerful. There were a number of attacks discussed that were very serious. Since these vulnerabilities are server driven, there is essentially nothing that the user can do to protect themselves other than to block the functionality. Unfortunately, the state of the art in server deployments is very bad, not only do web masters deploy a lot of vulnerable web apps, but lots of web servers are compromised by attackers for the purpose of spreading their malware.

        The smart web is the dangerous web -- the smarts are all too likely to be out to get you.

        As for me, with a few exceptions, if a web site needs lots of scripting to make it work, I don't need it or use it.

        Windows/Microsoft Update is in my trusted site zone

        I use Firefox with noscript to enable only what I need for mapping functionality

        Otherwise, Java, javascript, flash, multimedia, are all off.

  • by circletimessquare (444983) <circletimessquare&gmail,com> on Wednesday August 08, 2007 @08:56AM (#20155069) Homepage Journal
    this is a real slashdot article, and not some clever cross site full screen javascript faux article out to steal my cookies, hmmm? if i hit submit i might-

    oh shit
  • by morgan_greywolf (835522) on Wednesday August 08, 2007 @08:56AM (#20155071) Homepage Journal

    In the meanwhile, NoScript [noscript.net]is your friend


    As always, with script-related security flaws, the easiest solution is NoScript, of course.

    However, FWIW, I couldn't get either of his demos, the Java or the JavaScript, to work on Firefox 2.0.0.6 on Windows XP, despite the fact that the author says that both work on Firefox.

    • by Luscious868 (679143) on Wednesday August 08, 2007 @09:18AM (#20155345)

      However, FWIW, I couldn't get either of his demos, the Java or the JavaScript, to work on Firefox 2.0.0.6 on Windows XP, despite the fact that the author says that both work on Firefox.

      It worked on my XP system and covered everything but the Start Menu and Task Bar. Getting it to close was simply a matter of right clicking on Firefox in the Task Bar and closing it down. It's certainly an annoyance, but it's not as bad as the article makes it seem to be. Anybody with a brain (which admittedly excludes about 60% of the population) can figure out how to close Firefox and thus the Java App.

      • by kent_eh (543303) on Wednesday August 08, 2007 @09:31AM (#20155547)
        Getting it to close was simply a matter of right clicking on Firefox in the Task Bar and closing it down. It's certainly an annoyance, but it's not as bad as the article makes it seem to be. Anybody with a brain (which admittedly excludes about 60% of the population) can figure out how to close Firefox and thus the Java App.

        In my experience the vast majority of windows users don't right click on anything, unless they have been specifically instructed to.

        And they certainly don't intuitively know that they can right click on task bar icons to do anything, let alone close the app.
        For most regular users (no doubt the intended target of the sort of sleeze who would use this for advertising and other nefarious purposes)there is only one way to shut down an app, and that's the rex X in the top right corner.
      • by LiquidCoooled (634315) on Wednesday August 08, 2007 @09:34AM (#20155575) Homepage Journal
        Actually, it was a bit worse (for some reason on mine)

        The start bar went behind the app, bringing up task manager and shutting down the app wasn't as easy as you would think because the java app eats focus and makes clicking the "End Process" and the Warning message difficult.

        I managed it after a few mistypes and jabs at the button.

        Its possible to close it, but it doesn't play nice at all.
    • by Professor_UNIX (867045) on Wednesday August 08, 2007 @09:22AM (#20155393)
      This demo didn't work on my iPhone either. Just another reason to use the Superior JesusPhone over standard web technologies... no annoying Java, Flash, or third party apps to exploit!
  • Firefox (Score:3, Informative)

    by CogDissident (951207) on Wednesday August 08, 2007 @08:56AM (#20155073)
    I have the newest version of firefox (vanilla, no extensions, only a few custom settings to increase speed) and his demo completely didn't work on my computer...
    • by Potor (658520)

      yeah, is this a joke? i tried disabling everything i could think of while keeping java enabled - nothing.

      btw, i am a dedicated proxomitron user (disabled for a moment to try the demo). never see any ads or pop-ups ...

  • Why? (Score:2, Interesting)

    by techiemikey (1126169)
    yes, but who would want their product to become associated with what would quickly become the most annoying ad basis ever invented?
    • Re:Why? (Score:4, Informative)

      by Von Helmet (727753) on Wednesday August 08, 2007 @09:00AM (#20155139)

      Indeed. That sort of thing usually doesn't end well. Ask the guys behind X10 [wikipedia.org] for example.

    • Re:Why? (Score:5, Insightful)

      by mwvdlee (775178) on Wednesday August 08, 2007 @09:01AM (#20155145) Homepage
      You'd think so, but spam is apparently still worth the risk and effort too.
    • And since there's no spam (because, well, your wonderful brand would be associated with spam if you used spam to advertise it), I guess you must be right.
    • Re:Why? (Score:5, Interesting)

      by Anonymous Brave Guy (457657) on Wednesday August 08, 2007 @09:21AM (#20155377)

      The problem with ads is that, apparently, the annoying ones are exactly the ones that work. People like you and me hate them, but we're never going to buy their **** anyway. Those irritating jingles that get played endlessly on TV ads irritate the **** out of us, but they attract the attention (and memory) of those gullible enough to buy the goods.

      I'm not sure how much this is really backed up by evidence and how much is just "accepted wisdom" in the marketing community, though. There was a particular local firm advertising on the biggest local radio station in these parts a few years ago. They basically took traditional melodies from things like popular nursery rhymes, and rewrote the lyrics to mention their company name repeatedly and the product they were pitching. After a while, they even ran an ad that had the lyrics "We know the songs get on your nerves", which I remember all too well, perhaps making the point for them. That was, however, the last ad they ever ran on that radio station as far as I can tell. I'm not sure what happened to the company...

      To bring this back to the current context, though, the theory seems entirely reasonable. Most of us will never support spammers or get caught by phishing, but those stupid enough to reply to bank password checks or ads for legal software downloads are probably also the ones stupid enough to click on the slightly odd-looking dialog warning about a virus attempting to install itself through your web browser. Sadly, given the tiny running costs, it only take a very small proportion of people to be idiots for the spammers/adware merchants to make an awful lot of money.

    • Re: (Score:3, Funny)

      by neersign (956437)
      screen on, apply directly to the computer screen...
  • The obvious solution should be to turn of Java by default, and only turn it on for trusted sites.

    Problem off course is that the avrage websurfer is unlikely to a) know how to do it, and b) know what sites to trust.
    • Re:Obvious solution? (Score:5, Interesting)

      by Ed Avis (5917) <ed@membled.com> on Wednesday August 08, 2007 @09:10AM (#20155249) Homepage
      The whole point of Java was that it was super-sandboxed when running applets and you could enable it for all sites. To prevent phishing, any windows created by a Java applet would have to show 'Warning: Applet window' and a big red border or something like that. I wonder what went wrong to allow this attack, and whether it has been in Java since the beginning (i.e. would work even with Netscape 2.0) or takes advantage of some recently added kewl feature that forgot to do sandboxing properly.
    • Re: (Score:2, Troll)

      by pla (258480)
      Problem off course is that the avrage websurfer is unlikely to

      Fortunately, I don't give two shakes of a rat's derriere about the average websurfer. In fact, I prefer that they see a deluge of ads, because:
      1) It makes ads easier to block (advertisers only use blocker-circumvention methods when forced to);
      2) As people complain, ads will evolve into less obnoxious forms (such as the entirely palateable Google text-ads);
      3) Although I in no way feel guilty about "consuming" content voluntarily placed onli
  • You can still use firefox to keep popups contained in tabbed browsing, and prevent window resizing. Not-news, move along.
  • So...did I miss something? But winkey and ctrl alt delete did fine for me. Still, I *am* impressed...it just seemed to be billed as more than it was. Or is the joke on me for clicking the link in the first place? ::runs away to sign up for lifelock::
  • Silly article (Score:3, Informative)

    by Glock27 (446276) on Wednesday August 08, 2007 @08:57AM (#20155097)
    Under MacOS, the dock and top bar are still visible, and it's trivial to kill the browser.

    There's virtually no chance anyone would be fooled into doing anything but killing their browser, and Java is by no means alone in causing that kind of issue.

    Nothing to see here, move along...

  • No, I'm not talking about advertising via popups, I'm talking about Giorgio Maone's method of pushing NoScript. Whatever next? McAfee will release a super virus that only their product will stop? Or Microsoft start releasing IE exploits and paid-for patches?

    I already use NoScript, but this sort of behaviour doesn't enamour me to the lead author.
    • by Anonymous Brave Guy (457657) on Wednesday August 08, 2007 @09:28AM (#20155495)

      If he were selling his software commercially, or people were being directed from the Slashdot front page to a page full of ads, then you might have a point, but that's not the case here. The guy has made an obviously useful tool, gives it away for free, and is warning about an obviously relevant threat. The most he's likely to get out of this is a few small donations or a few more page hits on his site, perhaps making enough to cover the server costs for hosting a popular Firefox extension for a while and a bit of beer money. I think your post is way over the top.

  • by RaigetheFury (1000827) on Wednesday August 08, 2007 @08:59AM (#20155125)
    I'd really like to see counter methods posted as (special) comments under articles like these. "Links to: How to prevent this". It would be really nice if we could use our mod points to "mark" a comment as a solution that an administrator could then move it to the top. Why the administrator involvement? Simple, to prevent the teams of people who go around and exploit this type of function on Yahoo. This would still allow Slashdot to work off the same random moderator point system it has while keeping some semblance of order. They could play around with how many mod points a comment needs before it can before an admin is notified.

    Just a thought.
  • by BobPaul (710574) * on Wednesday August 08, 2007 @09:01AM (#20155141) Journal
    FF on Ubuntu 7.04 using Sun's Java (1.5 I believe). The Java one works wonderfully(?) not only filling my full dual monitor setup, but preventing me from clearing it using any method I tried, including hitting the hotkey to change Gnome workspaces. The only thing that did work was switching to a virtual console at which point I could kill firefox-bin.
  • by smallstepforman (121366) on Wednesday August 08, 2007 @09:01AM (#20155143)
    No need to worry folks, us handful of BeOS users will switch off the lights and the internet on our way out, since we'll be the last ones to leave. Every now and then I'm actually relieved to be running a non mainstream OS.
  • If marketing clowns are allowed to do this to my PC, or more to the point, the PCs of people who DON'T know what to do to secure their PCs, I think DoS attacks on individuals or companies that engage in this behavior should be perfectly legal. It amounts to the same thing, really. You interrupt my ability to conduct my business, and I will return the favor...
  • by Toreo asesino (951231) on Wednesday August 08, 2007 @09:03AM (#20155165) Journal
    Seriously, name me one "house-hold" name website that uses Java applets anyway. Can't we just have it switched off by default? I like Java as a broad technology, but I'm finding applets increasingly irrelevant - interactive rich sites are being taken over by flash, ajax, and the probably-to-be-mainstream-soon Silverlight/Moonlight.

    This isn't a flame....Java on the desktop is awesome and I love it.

    *runs to the hills*
    • Re: (Score:3, Interesting)

      by Megane (129182)
      You've got a good point. I'm going to turn off Java in my Mozilla and see what the result is. I can't remember the last time I saw java-man showing that the plug-in was being loaded, and I blame Flash. Flash is faster to load the plug-in, and it supports lots of graphical and multi-media stuff inherently, not as an add-on library.
    • by SQLGuru (980662) on Wednesday August 08, 2007 @09:19AM (#20155361) Journal
      1. Yahoo.com

      Done.

      Yahoo uses Java for many of their online games. You might not play them, but a lot of people do. And that "lot of people" will probably leave Java enabled and be victim to this crap.

      Layne
  • Redux (Score:2, Interesting)

    by mritunjai (518932)
    1. The bug was filed on 19 JUL (less than 10 days back) and henceforth made public when no "visible" action was seen from Sun, in the interim Sun asked to keep the issue confidential, but it was made public anyways.

    I find it hard to justify as I don't know a fix can be done and TESTED on all configurations (especially as wide as Java), in 10 days. Heck, full inhouse teams take *months* to roll out tested windows updates. I won't classify it as responsible disclosure.

    2. The functionality is achievable by Jav
  • I'm surprised no one has thought of doing this before. What I am curious about though is why the applet doesn't have a border - I suspect it is because it has gone full screen. If that is the case a really easy fix would be to simply ban applets from going full screen unless they are signed.
  • Java X11 app taking over? SSH into your box (unless you got another screen) and then DISPLAY=:0.0 xkill. Then it's just point, and shoot.

    *BLAM!*

    Extra points to whoever makes an xkill clone that has configurable sound when you shoot the app, from Luger 9mm, Colt .45, AK-47, a machine gun, Stroll Munitions BH-209i plasma cannon, nuclear bomb, or the all-time commercial favorite... "What's that?" "Oh oh.... RAAAAAAAAAIIIIDDDD!!!" *BOOOOOOOOOOOOOOOOOOOOOOOOOM!*
  • This Java discovery will lead to the following:

    1. Java Popups 1.0

    2. Java Popups on Struts

    3. Java Popups 1.1. (Not compatible with 1.0 or struts, needs a patch to SunOS to work)

    4. JPEE. (Java Popups, Enterprise Edition- Not compatible with 1.1)

    5. Java Popups for Mobile Devices.

    6. Java Popups for Mobile Devices, Enterprise Edition.

    HA, and you thought that Java was going to make this easy for Phishers and Advertizers.
  • If you're too lazy to install NoScript:

    Tools -> Options -> Content -> Uncheck "Enable Java"

    Honestly, unless you have a legitimate reason to run Java applets, I don't see why to keep it enabled. I have found very few legitimate Java applets during the course of my normal browsing; most of them are something like "rippling water effect" or "annoying site counter".
  • Now that java is released under the GPL, how long before someone releases a java plugin to block popups such as these?
  • by wowbagger (69688) on Wednesday August 08, 2007 @09:20AM (#20155369) Homepage Journal
    This, of course, assumes that you allow Java to run without asking first.

    If you, like me, don't allow Java or any other plug-in to run without the browser first asking you if it is OK to run, and if you don't allow plug-ins to run without having a VERY CLEAR idea of where they are coming from and what they will do, and do not run any such plug-in save from a VERY trusted source, then this will be very hard for an advertiser to exploit.

    All the more reason why ALL plug-ins should be "user interaction required before use" BY DEFAULT.
  • It would have been nice if the demo applet had a timer and then minimized. We'd all still get it, and I wouldn't have to ssh into my box from my phone to kill Firefox.

    Clearly Sun will have to act on this very quickly.

    Limiting unsigned applets to 600x480 seems like a good first step. The problem of course is does Frame know for sure that it's distant ancestor is an applet? In theory that's the idea behind the sandbox -- but clearly the sand has escaped and needs vacuuming.

    Also -- I'm disappointed in

  • by ticklejw (453382) on Wednesday August 08, 2007 @09:32AM (#20155551) Homepage
    "Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop and cannot be closed by user"

    Thing #397 That You Can Do In Linux But Can't In Other Popular Desktop OS's:

    1. Ctrl+Atl+F1
    2. Log In
    3. missile-launch -f --target-from-process java
    4. killall java
    4a. killall firefox-bin (if necessary)

    Actually this story is strangely coincidental; just a few minutes ago, I was trying to show a coworker a cool graphical demo of different sorting algorithm efficiencies, but I didn't have the Java plugin installed. Still don't.
  • Adblock works, too (Score:3, Informative)

    by gpinzone (531794) on Wednesday August 08, 2007 @09:36AM (#20155609) Homepage Journal
    Putting http://evil.hackademix.net/fullscreen/FullScreen.c lass [hackademix.net] in AdBlock Plus' kill list worked like a charm. Make a generic kill for *.class and *.jar and then whitelist the sites that need java.
  • by Chineseyes (691744) on Wednesday August 08, 2007 @09:37AM (#20155635)
    Popups, Wet Dreams, and no napkins. What a mess.
  • Lovely (Score:5, Funny)

    by dgun (1056422) on Wednesday August 08, 2007 @09:38AM (#20155661) Homepage

    The one sure way to endear me to a product and cause me to whip out my credit card is to pop up a window over my entire screen that I cannot remove. This type of "in your face" advertising is exactly what reluctant consumers like myself need.

  • by MobyDisk (75490) on Wednesday August 08, 2007 @09:44AM (#20155739) Homepage
    I have Flashblock. Is there a Javablock? I'm surprised advertisers don't use Java more often. Java is one of those things that I would probably want to enable manually anyway, there's no need for it to be on all the time.
  • by mritunjai (518932) on Wednesday August 08, 2007 @09:50AM (#20155849) Homepage
    Would like to share some specifics. Disassembled the bytecode using javap and used my rusty JRE assembler 'skillz' to understand it, but well, since he seems to have compiled it with full debug options, any idiot can find it ut by staring at the output for a sec.

    1. It doesn't use any "go fullscreen" API
    2. It's a failure of assuming sum of parts of software is as secure is as its components. It can be "less" secure than any of the component taken in isolation. Point in case is the set of APIs used:

    a) Toolkit.getScreenSize(): Used to find size of desktop. Nothing evil here
    b) Window.setBounds(): Used to set size of window. Nothing evil, except set it larger than screen size, hence hiding the applet warning by moving it "off screen"
    c) Window.setAlwaysOnTop(): Used to set the window on top. Essential for displaying "Modal" dialog boxed like error boxes. Nothing sinister here.

    However, the shit happens because all the things taken together can be dangerous. Specially, passing "System Modal" to setAlwaysOnTop().

    I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-

    1. Validate applet size to be always significantly less than screen size
    2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.

    Any more ideas shall be appreciated.

    Oh, and I again despise him for an irresponsible disclosure and presenting the hack in easily reverse engineered, fully functional code.
    • by jonathan3003 (797920) on Wednesday August 08, 2007 @11:10AM (#20156927)
      I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-
      1. Validate applet size to be always significantly less than screen size
      2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.


      I would expect that "System Modal" should be forbidden from any applet, even if it is signed. After all, it is running in a browser, not directly in the OS, so Application modal should be sufficient. In fact, one can argue that if you are writing an applet and you need System Modal functionality, then you are probably using the wrong technology anyways and should consider alternatives.

      Applets were designed to be sandboxed. System Modal should have been forbidden from the beginning anyways.
  • Flash (Score:3, Insightful)

    by Midnight Thunder (17205) on Wednesday August 08, 2007 @10:04AM (#20156059) Homepage Journal
    Is having a full screen window in java any different from having a full screen window in Flash? If so, wouldn't it just be as easy to use Flah, since it is likely installed on more systems than Java is.

Men love to wonder, and that is the seed of science.

Working...