The Java Popup you Can't Stop 480
An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by user (the wet dream of any web advertiser).
Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere' "
and the wet dream of any victim (Score:3, Insightful)
Re:and the wet dream of any victim (Score:2, Insightful)
Actually that's not totally true, but telling people not to use a product may backfire if it means more people have heard of the product.
An interesting markettign technique... (Score:2, Insightful)
I already use NoScript, but this sort of behaviour doesn't enamour me to the lead author.
Re:Hence why I don't use java (Score:3, Insightful)
Why is that? What is "worse" about it than Ecmascript?
For extra credit, explain why Java Web Start is worse than downloading a traditional application and installing it...
Lemmings...gotta love 'em.
Re:Why? (Score:5, Insightful)
Re:Redux (Score:3, Insightful)
Fixed.
This, of course, assume you allow Java (Score:3, Insightful)
If you, like me, don't allow Java or any other plug-in to run without the browser first asking you if it is OK to run, and if you don't allow plug-ins to run without having a VERY CLEAR idea of where they are coming from and what they will do, and do not run any such plug-in save from a VERY trusted source, then this will be very hard for an advertiser to exploit.
All the more reason why ALL plug-ins should be "user interaction required before use" BY DEFAULT.
Re:Don't spread this! (Score:5, Insightful)
Re:and the wet dream of any victim (Score:5, Insightful)
I don't want to be a ludite, but on 9 sites times out of 10 that require those technologies, there is very little benefit for the user.
Re:An interesting markettign technique... (Score:5, Insightful)
If he were selling his software commercially, or people were being directed from the Slashdot front page to a page full of ads, then you might have a point, but that's not the case here. The guy has made an obviously useful tool, gives it away for free, and is warning about an obviously relevant threat. The most he's likely to get out of this is a few small donations or a few more page hits on his site, perhaps making enough to cover the server costs for hosting a popular Firefox extension for a while and a bit of beer money. I think your post is way over the top.
Re:NoScript, but they don't work (Score:4, Insightful)
In my experience the vast majority of windows users don't right click on anything, unless they have been specifically instructed to.
And they certainly don't intuitively know that they can right click on task bar icons to do anything, let alone close the app.
For most regular users (no doubt the intended target of the sort of sleeze who would use this for advertising and other nefarious purposes)there is only one way to shut down an app, and that's the rex X in the top right corner.
Re:Interesting (Score:5, Insightful)
Ban them from going full screen unless I, the owner of the machine where it wants to go full screen, agree to applications having the right to go full screen.
I don't care about signed code. I do care about my preferences!
flashblock - javablock (Score:3, Insightful)
Opera (Score:1, Insightful)
btw, in Opera, in preference --> javascript option, I always have these 3 options unticked: "Allow resizing of windows", "Allow moving of windows", and "Allow script to hide address". So, the exploit the author mentioned doesn't work.
Flash (Score:3, Insightful)
Re:Don't spread this! (Score:4, Insightful)
Sun was made aware of this problem 10 days ago, and nothing seems to suggest that they don't take the issue seriously. The time it takes them to write a fix, do regression testing and push a patch out the door will likely not change due to this story reaching the
Re:Don't spread this! (Score:3, Insightful)
I'm all with you on forcing vendors to fixs security problems, but you make a rather blunt statement about SUN. So far I haven't seen any examples of security issues in Java being ignored by SUN so you'd better back up an accusation like that with some facts.
Re:Why I love IE (Score:5, Insightful)
I believe you mean JavaScript viruses (very common) not Java viruses (extremely rare). Javascript viruses tend to be mostly harmless (stuff like, a popup you can't close) and are generally overblown by virus software. That's why your autoprotect software wasn't catching it: It wasn't that important. And erasing the files from your browser's cache after the fact is not really helpful either. You're not really "infected" per se. (Though some of those JS files are vectors into bigger and badder viruses.)
That has to be the worst reason in existence to use IE. If you don't want Java, don't install it. FireFox won't do it automatically, nor will Opera, nor will Safari. Sticking with IE because it doesn't install a JVM by default is nothing more than a false sense of security.
parent rating: -1 FUD
Re:Don't spread this! (Score:5, Insightful)
I'm all for letting security issues blow up in media if the software vendor ignores them, there's nothing like a little public shaming to make public companies get their act together security-wise. But as long as the software vendor fixes reported problems in a timely fashion, the only thing that is achieved by a media blow up before a patch is available is that more potential exploiters are made aware of the issue.
Re:Analysis of the "hack", or how sum of parts bre (Score:5, Insightful)
1. Validate applet size to be always significantly less than screen size
2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.
I would expect that "System Modal" should be forbidden from any applet, even if it is signed. After all, it is running in a browser, not directly in the OS, so Application modal should be sufficient. In fact, one can argue that if you are writing an applet and you need System Modal functionality, then you are probably using the wrong technology anyways and should consider alternatives.
Applets were designed to be sandboxed. System Modal should have been forbidden from the beginning anyways.
Re:and the wet dream of any victim (Score:4, Insightful)
The smart web is the dangerous web -- the smarts are all too likely to be out to get you.
As for me, with a few exceptions, if a web site needs lots of scripting to make it work, I don't need it or use it.
Windows/Microsoft Update is in my trusted site zone
I use Firefox with noscript to enable only what I need for mapping functionality
Otherwise, Java, javascript, flash, multimedia, are all off.
Hail to the Troll (Score:2, Insightful)
Re:Don't spread this! (Score:3, Insightful)
You're right, N00bs WILL click on stuff. You've missed the point. There are plenty of ways to take advantage of people on the net without infecting their machine with a local virus. Not to mention that not everyone knows how to use CTL/ALT/DELETE and end processes (cause N00bs really need to be screwing with the task manager... riiight). EVERYONE is a N00b at some point - which leads me to my next point...
1. They deserve whatever they get.
That's an ignorant and callous statement. Just because someone focuses their learning on a subject other than computers/networking doesn't mean they deserve to get screwed. I hope your wife/grandma/parents/friends/yourself end up getting taken - maybe then you'll have a little respect for those who have other interests in life than learning everything there is to know about tech.
2. I'm pretty sure their computers (presuming they deserve to be called that) are already turned into spam zombies
So be part of the solution and help educate rather than whine about how dumb everyone else is. The worst kind of geek is the one who thinks somehow they're super-human and everyone else is dumb. Did you get beaten up by too many jocks in school?
Re:Don't spread this! (Score:3, Insightful)
Re:Don't spread this! (Score:3, Insightful)
And your philosophy on people deserving shit is frankly disgusting. My mother has spent her life trying to help people in the caring profession, and is now just getting to grips with IT. I can see her being tricked into clicking one of those stupid adverts saying she's infected with a virus, or something, does she deserve to have massive ads pop up that she doesn't know how to close, full of pornography etc.? She'd be too embarrassed to ask me how to close it probably, and it would probably scare her from using the computer.
You're a disgusting slashdot user and no doubt quite a stupid person.
Re:Don't spread this! (Score:3, Insightful)
NoScript is great, but I wouldn't want to have to add "See the 'S' in the corner, right click it, blah blah,
Re:Don't spread this! (Score:3, Insightful)
Re:Don't spread this! (Score:3, Insightful)
Really. The AC is right; there can be no general solution. See also this article [csoonline.com]; search for Turing.
The approach you suggest, of "search for X, Y, and Z known bad things and don't allow them" is also a loser. For more on that, see Gödel, Escher, Bach [wikipedia.org], especially the part about "This record cannot be played on record player X."
Re:Don't spread this! (Score:3, Insightful)
Re:NoScript, but they don't work (Score:3, Insightful)
Re:Don't spread this! (Score:3, Insightful)