The Java Popup you Can't Stop

An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by user (the wet dream of any web advertiser). Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere' "

Why?

[techiemikey]

yes, but who would want their product to become associated with what would quickly become the most annoying ad basis ever invented?

winkey and ctrl alt del seemed to work fine

[postermmxvicom]

So...did I miss something? But winkey and ctrl alt delete did fine for me. Still, I *am* impressed...it just seemed to be billed as more than it was. Or is the joke on me for clicking the link in the first place? ::runs away to sign up for lifelock::

So how about how to stop this?

[RaigetheFury]

I'd really like to see counter methods posted as (special) comments under articles like these. "Links to: How to prevent this". It would be really nice if we could use our mod points to "mark" a comment as a solution that an administrator could then move it to the top. Why the administrator involvement? Simple, to prevent the teams of people who go around and exploit this type of function on Yahoo. This would still allow Slashdot to work off the same random moderator point system it has while keeping some semblance of order. They could play around with how many mod points a comment needs before it can before an admin is notified.

Just a thought.

Can't even switch Workspaces

[BobPaul]

FF on Ubuntu 7.04 using Sun's Java (1.5 I believe). The Java one works wonderfully(?) not only filling my full dual monitor setup, but preventing me from clearing it using any method I tried, including hitting the hotkey to change Gnome workspaces. The only thing that did work was switching to a virtual console at which point I could kill firefox-bin.

Remind me: Why do we have applets again?

[Toreo asesino]

Seriously, name me one "house-hold" name website that uses Java applets anyway. Can't we just have it switched off by default? I like Java as a broad technology, but I'm finding applets increasingly irrelevant - interactive rich sites are being taken over by flash, ajax, and the probably-to-be-mainstream-soon Silverlight/Moonlight.

This isn't a flame....Java on the desktop is awesome and I love it.

*runs to the hills*

Redux

[mritunjai]

1. The bug was filed on 19 JUL (less than 10 days back) and henceforth made public when no "visible" action was seen from Sun, in the interim Sun asked to keep the issue confidential, but it was made public anyways.

I find it hard to justify as I don't know a fix can be done and TESTED on all configurations (especially as wide as Java), in 10 days. Heck, full inhouse teams take *months* to roll out tested windows updates. I won't classify it as responsible disclosure.

2. The functionality is achievable by Javascript through LiveConnect present in Opera and Gecko based (Mozilla) browsers.

Great find, yep. But terribly executed and extremely irresponsible just to gain brownie points for NoScript!

Re:Obvious solution?

[Ed Avis]

The whole point of Java was that it was super-sandboxed when running applets and you could enable it for all sites. To prevent phishing, any windows created by a Java applet would have to show 'Warning: Applet window' and a big red border or something like that. I wonder what went wrong to allow this attack, and whether it has been in Java since the beginning (i.e. would work even with Netscape 2.0) or takes advantage of some recently added kewl feature that forgot to do sandboxing properly.

Re:Remind me: Why do we have applets again?

[Megane]

You've got a good point. I'm going to turn off Java in my Mozilla and see what the result is. I can't remember the last time I saw java-man showing that the plug-in was being loaded, and I blame Flash. Flash is faster to load the plug-in, and it supports lots of graphical and multi-media stuff inherently, not as an add-on library.

Re:Why?

[Anonymous Brave Guy]

The problem with ads is that, apparently, the annoying ones are exactly the ones that work. People like you and me hate them, but we're never going to buy their **** anyway. Those irritating jingles that get played endlessly on TV ads irritate the **** out of us, but they attract the attention (and memory) of those gullible enough to buy the goods.

I'm not sure how much this is really backed up by evidence and how much is just "accepted wisdom" in the marketing community, though. There was a particular local firm advertising on the biggest local radio station in these parts a few years ago. They basically took traditional melodies from things like popular nursery rhymes, and rewrote the lyrics to mention their company name repeatedly and the product they were pitching. After a while, they even ran an ad that had the lyrics "We know the songs get on your nerves", which I remember all too well, perhaps making the point for them. That was, however, the last ad they ever ran on that radio station as far as I can tell. I'm not sure what happened to the company...

To bring this back to the current context, though, the theory seems entirely reasonable. Most of us will never support spammers or get caught by phishing, but those stupid enough to reply to bank password checks or ads for legal software downloads are probably also the ones stupid enough to click on the slightly odd-looking dialog warning about a virus attempting to install itself through your web browser. Sadly, given the tiny running costs, it only take a very small proportion of people to be idiots for the spammers/adware merchants to make an awful lot of money.

Re:Doesn't work..

[lhorn]

Iceweasel 2.0.0.6 seems to stop it with the 'Warn me when sites try to install add-ons' option enabled, even if I have Java enabled.

Re:Remind me: Why do we have applets again?

[jonathan3003]

Yahoo uses Java for many of their online games. You might not play them, but a lot of people do. And that "lot of people" will probably leave Java enabled and be victim to this crap.

This actually demonstrates the whole point of using noscript - site specific control of scripts, flash and Java.

Re:Don't spread this!

[Kadin2048]

To be honest I have no idea why it's not. It's such a blisteringly good idea, it seems ridiculously stupid to not include it in a browser.

I mean, popup blocking is included in the browser, why not NoScript?

It's the user's computer, not the advertiser's; the user should have full control over what goes on.

Re:NoScript, but they don't work

[BobPaul]

Computer illiterate people aren't stupid, you know, just computer illiterate. Many of them would probably be able to patronize you in a similar manner if you were to encounter a trivial problem you were unable to solve in their field of study.

Some of the most computer literate people I've met are not from my field of study (Electrical Engineering). I've met guys who can easily match my coding skills from Chemistry, English, Music, Math, and Industrial Engineering. Many of them, for whatever reason, had to use the campus super computer as part of their research and were at least attempting to write massively parallel applications, something I've never stepped anywhere near. The English guy was just a straight up geek, and the Musician was coding his own audio filter plug ins to improve his desktop audio software.

That said, I've met many in fields directly relating to computing (CS, Computer Engineering, etc) who were basically computer illiterate. I'd contend they didn't have brains, as they weren't useful for much outside their field from my observations either... (I worked tech support in college, so I was all over campus working on computers.)

Default SecurityManager preventing worst-case?

[jpavel]

I'm running a default 1.5.0_07 build on PPC OS X, with the MRJ plugin for Firefox, and I was watching the Java console when I tried his sample evil popup; I've put the stack trace below, but the gist is that

java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)

it wouldn't let the window be always on top, and indeed it wasn't; I could use my desktop and other apps pretty normally. This isn't the default security policy?

~Jesse

Wed Aug 08 11:57:08 EDT 2007 JEP creating applet FullScreen (http://evil.hackademix.net/fullscreen/classes/)
java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)
        at java.security.AccessControlContext.checkPermission (AccessControlContext.java:264)
        at java.security.AccessController.checkPermission(Acc essController.java:427)
        at java.lang.SecurityManager.checkPermission(Security Manager.java:532)
        at java.awt.Window.setAlwaysOnTop(Window.java:1358)
        at FullScreen.start(FullScreen.java:30)
        at sun.applet.AppletPanel.run(AppletPanel.java:418)
        at jep.AppletFramePanel.run(AppletFramePanel.java:176 )
        at java.lang.Thread.run(Thread.java:613)

Re:Don't spread this!

[Buran]

Because FF is designed to be bare-bones and the user adds whatever they want on their own. It's exactly as designed.

Now if the damn thing would stop opening a tab on its own every time it's updated -- that annoys me that an extension designed to stop unwanted stuff from running on your computer forces something to open that you don't want!

I filed a bug report/complaint. Nice to see this guy has time to shove stuff like this through instead of actually fix his software's rude behavior.

Re:Don't spread this!

[TooMuchToDo]

Really? You can't determine intent based on the actions the script wants to take? Example: Resizing a window to within reasonable tolerances = Ok. Resizing window full screen = Ask the user if he wants to proceed with WTF action.