Security

The Java Popup you Can't Stop 480

An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by the user (the wet dream of any web advertiser). Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere'."
This discussion has been archived. No new comments can be posted.

  • by Raleel ( 30913 ) on Wednesday August 08, 2007 @08:55AM (#20155061)
    is to get their phone number, call them up, and inform them that they will never buy/use whatever it is they are selling, and will be telling 25 of their closest friends in person because of this practice. Certainly, you aren't limited to 25, but that is the old saying.
  • by 91degrees ( 207121 ) on Wednesday August 08, 2007 @08:57AM (#20155099) Journal
    There's no such thing as bad publicity.

    Actually that's not totally true, but telling people not to use a product may backfire if it means more people have heard of the product.
  • by solevita ( 967690 ) on Wednesday August 08, 2007 @08:58AM (#20155111)
    No, I'm not talking about advertising via popups, I'm talking about Giorgio Maone's method of pushing NoScript. Whatever next? McAfee will release a super virus that only their product will stop? Or Microsoft start releasing IE exploits and paid-for patches?

    I already use NoScript, but this sort of behaviour doesn't enamour me to the lead author.
  • by Glock27 ( 446276 ) on Wednesday August 08, 2007 @09:00AM (#20155133)
    It really is very bad language to use online,

    Why is that? What is "worse" about it than Ecmascript?

    For extra credit, explain why Java Web Start is worse than downloading a traditional application and installing it...

    Lemmings...gotta love 'em.

  • Re:Why? (Score:5, Insightful)

    by mwvdlee ( 775178 ) on Wednesday August 08, 2007 @09:01AM (#20155145) Homepage
    You'd think so, but spam is apparently still worth the risk and effort too.
  • Re:Redux (Score:3, Insightful)

    by mritunjai ( 518932 ) on Wednesday August 08, 2007 @09:09AM (#20155225) Homepage
    The bug was filed on 29 JUL

    Fixed.
  • by wowbagger ( 69688 ) on Wednesday August 08, 2007 @09:20AM (#20155369) Homepage Journal
    This, of course, assumes that you allow Java to run without asking first.

    If you, like me, don't allow Java or any other plug-in to run without the browser first asking you if it is OK to run, and if you don't allow plug-ins to run without having a VERY CLEAR idea of where they are coming from and what they will do, and do not run any such plug-in save from a VERY trusted source, then this will be very hard for an advertiser to exploit.

    All the more reason why ALL plug-ins should be "user interaction required before use" BY DEFAULT.
  • by elrous0 ( 869638 ) * on Wednesday August 08, 2007 @09:21AM (#20155381)
    Only promoting it and having it become a threat to them (i.e. lawsuits, users uninstalling Java on their systems, webpage designers moving away from it) will motivate them to fix the problem. If the threat is kept under wraps, they have no real motivation to move on it until phishers are already using it in the wild.
  • by aadvancedGIR ( 959466 ) on Wednesday August 08, 2007 @09:22AM (#20155387)
    The real wet dream of any victim would be to be able to disable Java or any scripting technology in his browser and still be able to surf on most respectable sites.
    I don't want to be a Luddite, but on 9 sites out of 10 that require those technologies, there is very little benefit for the user.
  • by Anonymous Brave Guy ( 457657 ) on Wednesday August 08, 2007 @09:28AM (#20155495)

    If he were selling his software commercially, or people were being directed from the Slashdot front page to a page full of ads, then you might have a point, but that's not the case here. The guy has made an obviously useful tool, gives it away for free, and is warning about an obviously relevant threat. The most he's likely to get out of this is a few small donations or a few more page hits on his site, perhaps making enough to cover the server costs for hosting a popular Firefox extension for a while and a bit of beer money. I think your post is way over the top.

  • by kent_eh ( 543303 ) on Wednesday August 08, 2007 @09:31AM (#20155547)
    Getting it to close was simply a matter of right clicking on Firefox in the Task Bar and closing it down. It's certainly an annoyance, but it's not as bad as the article makes it seem to be. Anybody with a brain (which admittedly excludes about 60% of the population) can figure out how to close Firefox and thus the Java App.

    In my experience the vast majority of Windows users don't right click on anything, unless they have been specifically instructed to.

    And they certainly don't intuitively know that they can right click on task bar icons to do anything, let alone close the app.
    For most regular users (no doubt the intended target of the sort of sleaze who would use this for advertising and other nefarious purposes) there is only one way to shut down an app, and that's the red X in the top right corner.
  • Re:Interesting (Score:5, Insightful)

    by Opportunist ( 166417 ) on Wednesday August 08, 2007 @09:40AM (#20155675)
    NO

    Ban them from going full screen unless I, the owner of the machine where it wants to go full screen, agree to applications having the right to go full screen.

    I don't care about signed code. I do care about my preferences!
  • by MobyDisk ( 75490 ) on Wednesday August 08, 2007 @09:44AM (#20155739) Homepage
    I have Flashblock. Is there a Javablock? I'm surprised advertisers don't use Java more often. Java is one of those things that I would probably want to enable manually anyway, there's no need for it to be on all the time.
  • Opera (Score:1, Insightful)

    by Kenji DRE ( 1020807 ) on Wednesday August 08, 2007 @09:53AM (#20155895)
    Nice find by the author.

    btw, in Opera, in preference --> javascript option, I always have these 3 options unticked: "Allow resizing of windows", "Allow moving of windows", and "Allow script to hide address". So, the exploit the author mentioned doesn't work.
  • Flash (Score:3, Insightful)

    by Midnight Thunder ( 17205 ) on Wednesday August 08, 2007 @10:04AM (#20156059) Homepage Journal
    Is having a full screen window in Java any different from having a full screen window in Flash? If so, wouldn't it be just as easy to use Flash, since it is likely installed on more systems than Java is?
  • by LarsG ( 31008 ) on Wednesday August 08, 2007 @10:12AM (#20156153) Journal
    True, full disclosure is needed as the ultimate Damocles sword to force companies to fix problems. If Sun acts slowly on this one, I'm all in favour of plastering it all over the front page of the WSJ.

    Sun was made aware of this problem 10 days ago, and nothing seems to suggest that they don't take the issue seriously. The time it takes them to write a fix, do regression testing and push a patch out the door will likely not change due to this story reaching the /. frontpage or not. The only thing that will change is the number of people that are made aware of the issue before the fix is available, and in consequence the number of phishers/spammers/etc that have the opportunity to exploit it. That is, increasing the Window of Exposure [schneier.com]
  • by AVee ( 557523 ) <slashdot&avee,org> on Wednesday August 08, 2007 @10:12AM (#20156159) Homepage
    Only promoting it and having it become a threat to them (i.e. lawsuits, users uninstalling Java on their systems, webpage designers moving away from it) will motivate them to fix the problem.

    I'm all with you on forcing vendors to fix security problems, but you make a rather blunt statement about SUN. So far I haven't seen any examples of security issues in Java being ignored by SUN so you'd better back up an accusation like that with some facts.
  • Re:Why I love IE (Score:5, Insightful)

    by AKAImBatman ( 238306 ) <akaimbatman@gmaYEATSil.com minus poet> on Wednesday August 08, 2007 @10:18AM (#20156231) Homepage Journal

    I had finally gotten tired of cleaning Java-based viruses off my machines

    I believe you mean JavaScript viruses (very common) not Java viruses (extremely rare). Javascript viruses tend to be mostly harmless (stuff like, a popup you can't close) and are generally overblown by virus software. That's why your autoprotect software wasn't catching it: It wasn't that important. And erasing the files from your browser's cache after the fact is not really helpful either. You're not really "infected" per se. (Though some of those JS files are vectors into bigger and badder viruses.)

    So when I hear stuff like this article, it's another reason I love IE. Dumping Java was the best move MS ever made on the browser.

    That has to be the worst reason in existence to use IE. If you don't want Java, don't install it. FireFox won't do it automatically, nor will Opera, nor will Safari. Sticking with IE because it doesn't install a JVM by default is nothing more than a false sense of security.

    parent rating: -1 FUD
  • by LarsG ( 31008 ) on Wednesday August 08, 2007 @10:26AM (#20156337) Journal
    You're setting up a false dichotomy, those are not the only two options available. In order to minimise the Window of Exposure, it is best to have it not blow up in media AND have it fixed as soon as possible.

    I'm all for letting security issues blow up in media if the software vendor ignores them, there's nothing like a little public shaming to make public companies get their act together security-wise. But as long as the software vendor fixes reported problems in a timely fashion, the only thing that is achieved by a media blow up before a patch is available is that more potential exploiters are made aware of the issue.

  • by jonathan3003 ( 797920 ) on Wednesday August 08, 2007 @11:10AM (#20156927)
    I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-
    1. Validate applet size to be always significantly less than screen size
    2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.


    I would expect that "System Modal" should be forbidden from any applet, even if it is signed. After all, it is running in a browser, not directly in the OS, so Application modal should be sufficient. In fact, one can argue that if you are writing an applet and you need System Modal functionality, then you are probably using the wrong technology anyways and should consider alternatives.

    Applets were designed to be sandboxed. System Modal should have been forbidden from the beginning anyways.
  • by secPM_MS ( 1081961 ) on Wednesday August 08, 2007 @11:14AM (#20156963)
    I have to agree. I just returned from BlackHat and DefCon. Before I went I had tended to view "Web 2.0" as "Cross Site Scripting as a Feature". My view is now more negative and bleak. The combination of cross site scripting, cross site request forgery, DNS poisoning / anti pinning, and active content on the user's browsers is exceptionally powerful. There were a number of attacks discussed that were very serious. Since these vulnerabilities are server driven, there is essentially nothing that the user can do to protect themselves other than to block the functionality. Unfortunately, the state of the art in server deployments is very bad, not only do web masters deploy a lot of vulnerable web apps, but lots of web servers are compromised by attackers for the purpose of spreading their malware.

    The smart web is the dangerous web -- the smarts are all too likely to be out to get you.

    As for me, with a few exceptions, if a web site needs lots of scripting to make it work, I don't need it or use it.

    Windows/Microsoft Update is in my trusted site zone

    I use Firefox with noscript to enable only what I need for mapping functionality

    Otherwise, Java, javascript, flash, multimedia, are all off.

  • Hail to the Troll (Score:2, Insightful)

    by dsanfte ( 443781 ) on Wednesday August 08, 2007 @11:18AM (#20157017) Journal
    That was quite possibly the finest example of elitist, childish, trolling bullshit I have read under this story so far.
  • by JM78 ( 1042206 ) on Wednesday August 08, 2007 @12:19PM (#20157983) Journal
    HA! but N00bs will click on stuff, SO WHAT, their computer will still not be infected...

    You're right, N00bs WILL click on stuff. You've missed the point. There are plenty of ways to take advantage of people on the net without infecting their machine with a local virus. Not to mention that not everyone knows how to use CTL/ALT/DELETE and end processes (cause N00bs really need to be screwing with the task manager... riiight). EVERYONE is a N00b at some point - which leads me to my next point...

    1. They deserve whatever they get.

    That's an ignorant and callous statement. Just because someone focuses their learning on a subject other than computers/networking doesn't mean they deserve to get screwed. I hope your wife/grandma/parents/friends/yourself end up getting taken - maybe then you'll have a little respect for those who have other interests in life than learning everything there is to know about tech.

    2. I'm pretty sure their computers (presuming they deserve to be called that) are already turned into spam zombies

    So be part of the solution and help educate rather than whine about how dumb everyone else is. The worst kind of geek is the one who thinks somehow they're super-human and everyone else is dumb. Did you get beaten up by too many jocks in school?
  • by BobPaul ( 710574 ) * on Wednesday August 08, 2007 @12:22PM (#20158039) Journal
    NoScript is extremely annoying. I've found that I have to enable it on almost every site I browse to, such that it's no longer worth my time for the perceived protection I gain. Blocking scripts that are able to do this sort of thing, though, should be added to the standard pop-up blocking capability.
  • by Cougem ( 734635 ) on Wednesday August 08, 2007 @12:54PM (#20158553)
    You're pathetic. 99% of viruses and vulnerabilities only are a problem because of uneducated people using computers. Should we therefore settle for unstable OSes and browsers? Of course not. Do you want to HAVE to go to the task manager when you're browsing the net? Of course not, so stop spouting bullshit.

    And your philosophy on people deserving shit is frankly disgusting. My mother has spent her life trying to help people in the caring profession, and is now just getting to grips with IT. I can see her being tricked into clicking one of those stupid adverts saying she's infected with a virus, or something, does she deserve to have massive ads pop up that she doesn't know how to close, full of pornography etc.? She'd be too embarrassed to ask me how to close it probably, and it would probably scare her from using the computer.

    You're a disgusting slashdot user and no doubt quite a stupid person.
  • by kestasjk ( 933987 ) on Wednesday August 08, 2007 @01:06PM (#20158757) Homepage
    Because JavaScript is used everywhere, and it's being used more and more. It's easy for you and me who can recognize that if buttons aren't working, or if the menu bars/java applet/flash vid isn't appearing, it's because NoScript is preventing some script from running, but laypeople might not realize, might think it's a broken site, and might not think to right click and enable JavaScript.

    NoScript is great, but I wouldn't want to have to add "See the 'S' in the corner, right click it, blah blah, .." to all my JavaScript-using sites' FAQs.
  • by Paperkirin ( 888073 ) on Wednesday August 08, 2007 @02:20PM (#20159987)
    All the online banking systems I've used in the UK are also (X)HTML and JS over SSH. Methinks the Australian banks might have over-thought this one a little too much...
  • by polymath69 ( 94161 ) <dr.slashdot@NoSPam.mailnull.com> on Wednesday August 08, 2007 @03:17PM (#20160931) Homepage

    Really. The AC is right; there can be no general solution. See also this article [csoonline.com]; search for Turing.

    The approach you suggest, of "search for X, Y, and Z known bad things and don't allow them" is also a loser. For more on that, see Gödel, Escher, Bach [wikipedia.org], especially the part about "This record cannot be played on record player X."

  • by whitehatlurker ( 867714 ) on Wednesday August 08, 2007 @05:52PM (#20162917) Journal
    Opera will let you turn off Java globally and permit on a per-site basis. The No-Script add-on will allow you to do something similar for Firefox (as per TFA). There really is no reason to be caught by this.
  • by ZachPruckowski ( 918562 ) <zachary.pruckowski@gmail.com> on Wednesday August 08, 2007 @08:20PM (#20164261)
    I do use Session Manager (or the Safari equivalent). But then the page that loaded the ad comes back, and the cycle repeats...
  • by cbiltcliffe ( 186293 ) on Wednesday August 08, 2007 @10:09PM (#20165025) Homepage Journal

    ....leave their browsers in "whore mode".
    It's not "whore mode". Whores get paid. It's actually "promiscuous slut mode".
