The Java Popup you Can't Stop
An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by the user (the wet dream of any web advertiser).
Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere'"
Why? (Score:2, Interesting)
winkey and ctrl alt del seemed to work fine (Score:2, Interesting)
So how about how to stop this? (Score:5, Interesting)
Just a thought.
Can't even switch Workspaces (Score:3, Interesting)
Remind me: Why do we have applets again? (Score:5, Interesting)
This isn't a flame....Java on the desktop is awesome and I love it.
*runs to the hills*
Redux (Score:2, Interesting)
I find it hard to justify as I don't know a fix can be done and TESTED on all configurations (especially as wide as Java), in 10 days. Heck, full in-house teams take *months* to roll out tested Windows updates. I won't classify it as responsible disclosure.
2. The functionality is achievable by JavaScript through LiveConnect present in Opera and Gecko-based (Mozilla) browsers.
Great find, yep. But terribly executed and extremely irresponsible just to gain brownie points for NoScript!
Re:Obvious solution? (Score:5, Interesting)
Re:Remind me: Why do we have applets again? (Score:3, Interesting)
Re:Why? (Score:5, Interesting)
The problem with ads is that, apparently, the annoying ones are exactly the ones that work. People like you and me hate them, but we're never going to buy their **** anyway. Those irritating jingles that get played endlessly on TV ads irritate the **** out of us, but they attract the attention (and memory) of those gullible enough to buy the goods.
I'm not sure how much this is really backed up by evidence and how much is just "accepted wisdom" in the marketing community, though. There was a particular local firm advertising on the biggest local radio station in these parts a few years ago. They basically took traditional melodies from things like popular nursery rhymes, and rewrote the lyrics to mention their company name repeatedly and the product they were pitching. After a while, they even ran an ad that had the lyrics "We know the songs get on your nerves", which I remember all too well, perhaps making the point for them. That was, however, the last ad they ever ran on that radio station as far as I can tell. I'm not sure what happened to the company...
To bring this back to the current context, though, the theory seems entirely reasonable. Most of us will never support spammers or get caught by phishing, but those stupid enough to reply to bank password checks or ads for legal software downloads are probably also the ones stupid enough to click on the slightly odd-looking dialog warning about a virus attempting to install itself through your web browser. Sadly, given the tiny running costs, it only takes a very small proportion of people to be idiots for the spammers/adware merchants to make an awful lot of money.
Re:Doesn't work.. (Score:2, Interesting)
Re:Remind me: Why do we have applets again? (Score:2, Interesting)
Yahoo uses Java for many of their online games. You might not play them, but a lot of people do. And that "lot of people" will probably leave Java enabled and be victim to this crap.
This actually demonstrates the whole point of using NoScript - site specific control of scripts, flash and Java.
Re:Don't spread this! (Score:4, Interesting)
I mean, popup blocking is included in the browser, why not NoScript?
It's the user's computer, not the advertiser's; the user should have full control over what goes on.
Re:NoScript, but they don't work (Score:4, Interesting)
That said, I've met many in fields directly relating to computing (CS, Computer Engineering, etc) who were basically computer illiterate. I'd contend they didn't have brains, as they weren't useful for much outside their field from my observations either... (I worked tech support in college, so I was all over campus working on computers.)
Default SecurityManager preventing worst-case? (Score:2, Interesting)
java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)
it wouldn't let the window be always on top, and indeed it wasn't; I could use my desktop and other apps pretty normally. This isn't the default security policy?
~Jesse
Wed Aug 08 11:57:08 EDT 2007 JEP creating applet FullScreen (http://evil.hackademix.net/fullscreen/classes/)
java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)
at java.security.AccessControlContext.checkPermissio
at java.security.AccessController.checkPermission(Ac
at java.lang.SecurityManager.checkPermission(Securit
at java.awt.Window.setAlwaysOnTop(Window.java:1358)
at FullScreen.start(FullScreen.java:30)
at sun.applet.AppletPanel.run(AppletPanel.java:418)
at jep.AppletFramePanel.run(AppletFramePanel.java:17
at java.lang.Thread.run(Thread.java:613)
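The trace above shows the applet sandbox refusing java.awt.AWTPermission setWindowAlwaysOnTop. As an added example (not code from the thread or from any poster), this Python script audits a Java policy file for grants that would lift that refusal; the sample policy, its hosts and paths, and the function names are constructed for illustration.

```python
import re

# AWTPermission targets governing always-on-top, banner-less and full-screen
# windows ("*" is the BasicPermission wildcard that covers all of them).
RISKY_AWT_TARGETS = {"setWindowAlwaysOnTop", "showWindowWithoutWarningBanner",
                     "fullScreenExclusive", "*"}

# Constructed sample policy for illustration; hosts and paths are made up.
SAMPLE_POLICY = '''
// grant to all code: nothing window-related
grant {
    permission java.util.PropertyPermission "java.version", "read";
};
grant codeBase "http://games.example.test/-" {
    permission java.awt.AWTPermission "setWindowAlwaysOnTop";
    permission java.awt.AWTPermission "accessClipboard";
};
grant codeBase "file:/opt/kiosk/-" {
    permission java.security.AllPermission;
};
'''

TOKEN_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*', re.S)
GRANT_RE = re.compile(r'grant\b([^{]*)\{(.*?)\}\s*;', re.S)
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"')
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?')

def strip_comments(text):
    """Drop // and /* */ comments but keep quoted strings (URLs contain //)."""
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def audit_policy(text):
    """Return sorted (codeBase, finding) pairs for grants that lift the denial."""
    findings = []
    for header, body in GRANT_RE.findall(strip_comments(text)):
        match = CODEBASE_RE.search(header)
        codebase = match.group(1) if match else "<all code>"
        for cls, target in PERM_RE.findall(body):
            if cls == "java.security.AllPermission":
                findings.append((codebase, "AllPermission"))
            elif cls == "java.awt.AWTPermission" and target in RISKY_AWT_TARGETS:
                findings.append((codebase, target))
    return sorted(findings)

if __name__ == "__main__":
    for codebase, finding in audit_policy(SAMPLE_POLICY):
        print(f"{codebase}: grants {finding}")
```

A grant with no codeBase applies to all code, so a finding reported against "<all code>" is the one to look at first.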
Re:Don't spread this! (Score:3, Interesting)
Now if the damn thing would stop opening a tab on its own every time it's updated -- that annoys me that an extension designed to stop unwanted stuff from running on your computer forces something to open that you don't want!
I filed a bug report/complaint. Nice to see this guy has time to shove stuff like this through instead of actually fixing his software's rude behavior.
Re:Don't spread this! (Score:2, Interesting)