The Java Popup you Can't Stop 480
An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by the user (the wet dream of any web advertiser).
Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere' "
Don't spread this! (Score:5, Funny)
Re:Don't spread this! (Score:5, Funny)
Re:Don't spread this! (Score:5, Funny)
As for voting Bush. Since I'm not a US citizen, that would require use of the password '12345678'.
Re:Don't spread this! (Score:5, Insightful)
Re:Don't spread this! (Score:4, Insightful)
Sun was made aware of this problem 10 days ago, and nothing seems to suggest that they don't take the issue seriously. The time it takes them to write a fix, do regression testing and push a patch out the door will likely not change due to this story reaching the
Re:Don't spread this! (Score:5, Funny)
Re: (Score:3, Insightful)
I'm all with you on forcing vendors to fix security problems, but you make a rather blunt statement about SUN. So far I haven't seen any examples of security issues in Java being ignored by SUN, so you'd better back up an accusation like that with some facts.
Re:Don't spread this! (Score:4, Informative)
Maybe you don't do any banking on the internet, then. Here in Australia, at least, it is quite common for banks to use Java in an attempt to make their products cross platforms politely. And I, for one, welc... am perfectly happy with that, since I spent many years (once I had got over some of my luddite tendencies) whining about those who coded only for Winbloze boxes.
I haven't found many other sites that go in for Java in such a big way, but if I came across one that loaded a popup like that, I would simply blacklist it permanently in my hosts file. It simply doesn't pay the advertiser to piss people off that much.
Re:Don't spread this! (Score:4, Funny)
Sadly, most are not as aware and leave their browsers in "whore mode".
-nB
Re:Don't spread this! (Score:4, Funny)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Re:Don't spread this! (Score:4, Interesting)
I mean, popup blocking is included in the browser, why not NoScript?
It's the user's computer, not the advertiser's; the user should have full control over what goes on.
Re: (Score:3, Insightful)
Re:Don't spread this! (Score:5, Funny)
The ghost of the Entscheidungsproblem [wikipedia.org] descends, with malice in its eyes.
*smack* Oof.
You are dealt 2501 hit points of damage.
Hint: there is no way to programmatically determine whether a given program is malicious or not, for any sufficiently interesting system.
Re: (Score:3, Insightful)
Really. The AC is right; there can be no general solution. See also this article [csoonline.com]; search for Turing.
The approach you suggest, of "search for X, Y, and Z known bad things and don't allow them" is also a loser. For more on that, see Gödel, Escher, Bach [wikipedia.org], especially the part about "This record cannot be played on record player X."
Re: (Score:3, Insightful)
NoScript is great, but I wouldn't want to have to add "See the 'S' in the corner, right click it, blah blah,
Re: (Score:3, Interesting)
Now if the damn thing would stop opening a tab on its own every time it's updated -- that annoys me that an extension designed to stop unwanted stuff from running on your computer forces something to open that you don't want!
I filed a bug report/complaint. Nice to see this guy has time to shove stuff like this through instead of actually fix his software's rude behavior.
Re: (Score:3, Informative)
Information is meant to be FREEEEEEEEEEEEEEEEEEE!
Are we still confused about this phrase? I thought that was so 1990s....
Once again for those in the cheap seats: "information wants to be free" is roughly equivalent to the statement, "a gas wants to expand to fill its container." It's not wishful thinking. It's not a political statement. It's not an assertion of an ethical point of view. It's just a fairly easily demonstrated fact that no matter how hard you work to contain information (and arguably as a RESULT of how hard you work at it), said informatio
Re: (Score:2)
Personally, I'm glad for the warning.
Re: (Score:3, Funny)
Re:Why I love IE (Score:5, Insightful)
I believe you mean JavaScript viruses (very common) not Java viruses (extremely rare). Javascript viruses tend to be mostly harmless (stuff like, a popup you can't close) and are generally overblown by virus software. That's why your autoprotect software wasn't catching it: It wasn't that important. And erasing the files from your browser's cache after the fact is not really helpful either. You're not really "infected" per se. (Though some of those JS files are vectors into bigger and badder viruses.)
That has to be the worst reason in existence to use IE. If you don't want Java, don't install it. FireFox won't do it automatically, nor will Opera, nor will Safari. Sticking with IE because it doesn't install a JVM by default is nothing more than a false sense of security.
parent rating: -1 FUD
Re:Why I love IE (Score:4, Informative)
1. It merely used the JVM as a vector to install itself. As a virus, it was actually a Windows program and was reported as such by all virus tools in existence. Thus the original poster would not have known it as a "Java virus".
2. There are actually a wide variety of CWS variants. Some of them used the JVM vulnerability while others used other system vulnerabilities like a hole in the Windows Meta File [securiteam.com].
3. As another poster pointed out, it was a hole in Microsoft's VM that was exploited. Which would seem to be further evidence for moving away from IE.
Re:Don't spread this! (Score:5, Insightful)
I'm all for letting security issues blow up in media if the software vendor ignores them, there's nothing like a little public shaming to make public companies get their act together security-wise. But as long as the software vendor fixes reported problems in a timely fashion, the only thing that is achieved by a media blow up before a patch is available is that more potential exploiters are made aware of the issue.
Re: (Score:3, Insightful)
You're right, N00bs WILL click on stuff. You've missed the point. There are plenty of ways to take advantage of people on the net without infecting their machine with a local virus. Not to mention that not everyone knows how to use CTL/ALT/DELETE and end processes (cause N00bs really need to be screwing with the task manager... riiight). EVERYONE is a N00b at some point - which leads me to my next point...
1. They d
Re: (Score:3, Insightful)
And your philosophy on people deserving shit is frankly disgusting. My mother has spent her life trying to help people in the caring profession, and is now just getting to grips with IT. I can see her be
Who'd have thought it? (Score:4, Funny)
Re:Who'd have thought it? (Score:5, Funny)
Didn't you read the headline? You can't stop these things. Heck, the demo popped up an unkillable window on my AmigaOS box, and no JVM even exists for that...
Re: (Score:3, Funny)
I had no idea Java was so powerful.
Re: (Score:3, Informative)
Re: (Score:3, Informative)
and the wet dream of any victim (Score:3, Insightful)
Re: (Score:2, Insightful)
Actually that's not totally true, but telling people not to use a product may backfire if it means more people have heard of the product.
Re: (Score:2)
Re: (Score:3, Funny)
Exactly!
Re: (Score:3, Informative)
Gerald Ratner is the head of Ratners, a jewelers here in GB.
Gerald made some comment to the press about not understanding why anyone would buy the crap his shops sold, as it was all second-rate, tasteless junk (it is; he was being honest). Apparently there was some outcry over this when the great unwashed who actually bought crap from his shops realised they were being ripped off.
(Disclaimer - I have not been into a Ratners in at least 20 years and have no intention o
Re:and the wet dream of any victim (Score:5, Insightful)
I don't want to be a luddite, but on 9 out of 10 sites that require those technologies, there is very little benefit for the user.
Re: (Score:3, Funny)
OK then, let's disable multi-level menus, client-side form validation, any sort of calculator, date pickers, multi-dimensional form inputs (where one choice branches the rest of the form), tree menus, AJAX (which does have its uses), font-size controllers, style switchers and all the other UI elements that make web sites even remotely usable.
Let's just do away with Gmail a
Re:and the wet dream of any victim (Score:4, Informative)
For instance, the multi-level menus on a website should not be the only means of browsing its pages. In fact, if the user were to turn off all of their scripting for their browser, the website should function minimally. Even with Gmail, you could change the site options to "basic HTML", which is found on the bottom of the page.
How about banking websites where you try to pay your bill and want to input the date? Most sites currently have a calendar pop-up for you to display a slick interface. But one should still be able to manually enter in a date that conforms to how the date is stored. (Or use server-side validation & conversion.) Again, inputting a date should not depend on a client-side calendar function since quite a few users use browsers that do not have any client-side scripting functionality.
I agree with your point that a lot of the sites we commonly use have features that depend on client-side scripting, but the website itself should still function if you choose to turn off the functionality on the browser level, and that is what the parent was talking about if I understood their point correctly.
Re:and the wet dream of any victim (Score:4, Insightful)
The smart web is the dangerous web -- the smarts are all too likely to be out to get you.
As for me, with a few exceptions, if a web site needs lots of scripting to make it work, I don't need it or use it.
Windows/Microsoft Update is in my trusted site zone
I use Firefox with noscript to enable only what I need for mapping functionality
Otherwise, Java, javascript, flash, multimedia, are all off.
so how do i know (Score:5, Funny)
oh shit
pfft (Score:4, Funny)
don't be dense (Score:4, Funny)
NoScript, but they don't work (Score:4, Informative)
As always, with script-related security flaws, the easiest solution is NoScript, of course.
However, FWIW, I couldn't get either of his demos, the Java or the JavaScript, to work on Firefox 2.0.0.6 on Windows XP, despite the fact that the author says that both work on Firefox.
Re:NoScript, but they don't work (Score:5, Informative)
It worked on my XP system and covered everything but the Start Menu and Task Bar. Getting it to close was simply a matter of right clicking on Firefox in the Task Bar and closing it down. It's certainly an annoyance, but it's not as bad as the article makes it seem to be. Anybody with a brain (which admittedly excludes about 60% of the population) can figure out how to close Firefox and thus the Java App.
Re:NoScript, but they don't work (Score:4, Insightful)
In my experience the vast majority of windows users don't right click on anything, unless they have been specifically instructed to.
And they certainly don't intuitively know that they can right click on task bar icons to do anything, let alone close the app.
For most regular users (no doubt the intended target of the sort of sleaze who would use this for advertising and other nefarious purposes) there is only one way to shut down an app, and that's the red X in the top right corner.
Re:NoScript, but they don't work (Score:4, Informative)
The start bar went behind the app. Bringing up Task Manager and shutting down the app wasn't as easy as you would think, because the Java app eats focus and makes clicking the "End Process" button and the warning message difficult.
I managed it after a few mistypes and jabs at the button.
It's possible to close it, but it doesn't play nice at all.
Re:NoScript, but they don't work (Score:4, Interesting)
That said, I've met many in fields directly relating to computing (CS, Computer Engineering, etc) who were basically computer illiterate. I'd contend they didn't have brains, as they weren't useful for much outside their field from my observations either... (I worked tech support in college, so I was all over campus working on computers.)
Re: (Score:3, Insightful)
Re:NoScript, but they don't work (Score:5, Funny)
Firefox (Score:3, Informative)
Firefox (and Proxomitron) (Score:3, Informative)
Yeah, is this a joke? I tried disabling everything I could think of while keeping Java enabled - nothing.
BTW, I am a dedicated Proxomitron user (disabled for a moment to try the demo). Never see any ads or pop-ups ...
Why? (Score:2, Interesting)
Re:Why? (Score:4, Informative)
Indeed. That sort of thing usually doesn't end well. Ask the guys behind X10 [wikipedia.org] for example.
Re:Why? (Score:5, Insightful)
Re: (Score:2)
Re:Why? (Score:5, Interesting)
The problem with ads is that, apparently, the annoying ones are exactly the ones that work. People like you and me hate them, but we're never going to buy their **** anyway. Those irritating jingles that get played endlessly on TV ads irritate the **** out of us, but they attract the attention (and memory) of those gullible enough to buy the goods.
I'm not sure how much this is really backed up by evidence and how much is just "accepted wisdom" in the marketing community, though. There was a particular local firm advertising on the biggest local radio station in these parts a few years ago. They basically took traditional melodies from things like popular nursery rhymes, and rewrote the lyrics to mention their company name repeatedly and the product they were pitching. After a while, they even ran an ad that had the lyrics "We know the songs get on your nerves", which I remember all too well, perhaps making the point for them. That was, however, the last ad they ever ran on that radio station as far as I can tell. I'm not sure what happened to the company...
To bring this back to the current context, though, the theory seems entirely reasonable. Most of us will never support spammers or get caught by phishing, but those stupid enough to reply to bank password checks or ads for legal software downloads are probably also the ones stupid enough to click on the slightly odd-looking dialog warning about a virus attempting to install itself through your web browser. Sadly, given the tiny running costs, it only take a very small proportion of people to be idiots for the spammers/adware merchants to make an awful lot of money.
Apply Directly To the Forehead. (Score:2)
Re: (Score:3, Funny)
Obvious solution? (Score:2)
Problem of course is that the average websurfer is unlikely to a) know how to do it, and b) know what sites to trust.
Re:Obvious solution? (Score:5, Interesting)
Re:Obvious solution? (Score:5, Informative)
Re: (Score:2, Troll)
Fortunately, I don't give two shakes of a rat's derriere about the average websurfer. In fact, I prefer that they see a deluge of ads, because:
1) It makes ads easier to block (advertisers only use blocker-circumvention methods when forced to);
2) As people complain, ads will evolve into less obnoxious forms (such as the entirely palatable Google text ads);
3) Although I in no way feel guilty about "consuming" content voluntarily placed onli
Re: (Score:2)
Yes. I've found that seeing "slashdot.org" in the address bar is usually a pretty good indicator... ; )
move along, nothing to see here. (Score:2, Informative)
winkey and ctrl alt del seemed to work fine (Score:2, Interesting)
Silly article (Score:3, Informative)
There's virtually no chance anyone would be fooled into doing anything but killing their browser, and Java is by no means alone in causing that kind of issue.
Nothing to see here, move along...
An interesting marketing technique... (Score:2, Insightful)
I already use NoScript, but this sort of behaviour doesn't enamour me to the lead author.
Re:An interesting marketing technique... (Score:5, Insightful)
If he were selling his software commercially, or people were being directed from the Slashdot front page to a page full of ads, then you might have a point, but that's not the case here. The guy has made an obviously useful tool, gives it away for free, and is warning about an obviously relevant threat. The most he's likely to get out of this is a few small donations or a few more page hits on his site, perhaps making enough to cover the server costs for hosting a popular Firefox extension for a while and a bit of beer money. I think your post is way over the top.
So how about how to stop this? (Score:5, Interesting)
Just a thought.
Re: (Score:2)
2)
3) NO PROFIT!
Can't even switch Workspaces (Score:3, Interesting)
Don't worry, I'll turn off the lights on my way out (Score:3, Funny)
Frontier justice on the fringes of the web (Score:2)
Remind me: Why do we have applets again? (Score:5, Interesting)
This isn't a flame....Java on the desktop is awesome and I love it.
*runs to the hills*
Re: (Score:3, Interesting)
Re:Remind me: Why do we have applets again? (Score:5, Informative)
Done.
Yahoo uses Java for many of their online games. You might not play them, but a lot of people do. And that "lot of people" will probably leave Java enabled and be victim to this crap.
Layne
Redux (Score:2, Interesting)
I find it hard to justify as I don't know a fix can be done and TESTED on all configurations (especially as wide as Java), in 10 days. Heck, full inhouse teams take *months* to roll out tested windows updates. I won't classify it as responsible disclosure.
2. The functionality is achievable by Jav
Re: (Score:3, Insightful)
Fixed.
Interesting (Score:2)
Re: (Score:2)
Re:Interesting (Score:5, Insightful)
Ban them from going full screen unless I, the owner of the machine where it wants to go full screen, agree to applications having the right to go full screen.
I don't care about signed code. I do care about my preferences!
Xorg and "xkill", nuff said. (Score:2)
*BLAM!*
Extra points to whoever makes an xkill clone that has configurable sound when you shoot the app, from Luger 9mm, Colt
This will lead to (Score:2, Funny)
1. Java Popups 1.0
2. Java Popups on Struts
3. Java Popups 1.1. (Not compatible with 1.0 or struts, needs a patch to SunOS to work)
4. JPEE. (Java Popups, Enterprise Edition- Not compatible with 1.1)
5. Java Popups for Mobile Devices.
6. Java Popups for Mobile Devices, Enterprise Edition.
HA, and you thought that Java was going to make this easy for phishers and advertisers.
Of course, the obligatory workaround... (Score:2)
Tools -> Options -> Content -> Uncheck "Enable Java"
Honestly, unless you have a legitimate reason to run Java applets, I don't see why to keep it enabled. I have found very few legitimate Java applets during the course of my normal browsing; most of them are something like "rippling water effect" or "annoying site counter".
How about open java? (Score:2)
This, of course, assume you allow Java (Score:3, Insightful)
If you, like me, don't allow Java or any other plug-in to run without the browser first asking you if it is OK to run, and if you don't allow plug-ins to run without having a VERY CLEAR idea of where they are coming from and what they will do, and do not run any such plug-in save from a VERY trusted source, then this will be very hard for an advertiser to exploit.
All the more reason why ALL plug-ins should be "user interaction required before use" BY DEFAULT.
I get it but... (Score:2)
Clearly Sun will have to act on this very quickly.
Limiting unsigned applets to 600x480 seems like a good first step. The problem of course is: does Frame know for sure that its distant ancestor is an applet? In theory that's the idea behind the sandbox -- but clearly the sand has escaped and needs vacuuming.
Also -- I'm disappointed in
Obligatory Linux Elitism (Score:4, Funny)
Thing #397 That You Can Do In Linux But Can't In Other Popular Desktop OS's:
1. Ctrl+Alt+F1
2. Log In
3. missile-launch -f --target-from-process java
4. killall java
4a. killall firefox-bin (if necessary)
Actually this story is strangely coincidental; just a few minutes ago, I was trying to show a coworker a cool graphical demo of different sorting algorithm efficiencies, but I didn't have the Java plugin installed. Still don't.
Adblock works, too (Score:3, Informative)
Popups, Wet Dreams... (Score:3, Funny)
Lovely (Score:5, Funny)
The one sure way to endear me to a product and cause me to whip out my credit card is to pop up a window over my entire screen that I cannot remove. This type of "in your face" advertising is exactly what reluctant consumers like myself need.
flashblock - javablock (Score:3, Insightful)
Analysis of the "hack", or how sum of parts breaks (Score:5, Informative)
1. It doesn't use any "go fullscreen" API
2. It's a failure of assuming the sum of parts of software is as secure as its components. It can be "less" secure than any of the components taken in isolation. Case in point is the set of APIs used:
a) Toolkit.getScreenSize(): Used to find the size of the desktop. Nothing evil here.
b) Window.setBounds(): Used to set the size of the window. Nothing evil, except setting it larger than the screen size, hence hiding the applet warning by moving it "off screen".
c) Window.setAlwaysOnTop(): Used to set the window on top. Essential for displaying "Modal" dialog boxes like error boxes. Nothing sinister here.
However, the shit happens because all the things taken together can be dangerous. Especially passing "System Modal" to setAlwaysOnTop().
I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-
1. Validate applet size to be always significantly less than screen size
2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.
Any more ideas shall be appreciated.
Oh, and I again despise him for an irresponsible disclosure and presenting the hack in easily reverse engineered, fully functional code.
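The two hurdles proposed in this post (keep unsigned-applet windows well under the screen size, and refuse always-on-top for unsigned code) can be expressed as a host-side policy check. The following is an added example, not code from Sun, from NoScript or from the hackademix.net demo; the class name UntrustedWindowPolicy, the 75% size limit and the constructed 1280x1024 screen are assumptions. It takes the screen size as a parameter rather than calling Toolkit.getScreenSize(), so it runs headless, and it also rejects bounds that extend off-screen, since that is the trick the post identifies for hiding the applet warning banner.

```java
import java.awt.Dimension;
import java.awt.Rectangle;

/**
 * Hypothetical policy helper (added example, not Sun's or NoScript's code)
 * that a host could apply to window requests coming from unsigned applet
 * code before honouring setBounds()/setAlwaysOnTop(). It enforces:
 *   1. the window must be significantly smaller than the screen, and
 *   2. always-on-top is refused for unsigned code.
 * It also keeps the whole window inside the visible screen, so the applet
 * warning banner cannot be pushed off-screen with oversized bounds.
 */
public final class UntrustedWindowPolicy {

    /** Largest fraction of each screen dimension an unsigned applet window may occupy (assumed value). */
    static final double MAX_SCREEN_FRACTION = 0.75;

    private UntrustedWindowPolicy() {}

    /**
     * Returns true if the requested bounds are acceptable for unsigned code:
     * positive size, no larger than MAX_SCREEN_FRACTION of the screen in each
     * dimension, and lying entirely within the screen rectangle.
     */
    public static boolean isBoundsAllowed(Rectangle requested, Dimension screen) {
        if (requested == null || screen == null) return false;
        if (requested.width <= 0 || requested.height <= 0) return false;
        int maxW = (int) (screen.width * MAX_SCREEN_FRACTION);
        int maxH = (int) (screen.height * MAX_SCREEN_FRACTION);
        if (requested.width > maxW || requested.height > maxH) return false;
        // Off-screen placement is how the warning banner gets hidden; reject it.
        Rectangle screenRect = new Rectangle(0, 0, screen.width, screen.height);
        return screenRect.contains(requested);
    }

    /**
     * Clamps a request to an allowed rectangle instead of rejecting it outright:
     * shrinks it to the size limit and shifts it back onto the screen.
     */
    public static Rectangle clampBounds(Rectangle requested, Dimension screen) {
        int maxW = (int) (screen.width * MAX_SCREEN_FRACTION);
        int maxH = (int) (screen.height * MAX_SCREEN_FRACTION);
        int w = Math.max(1, Math.min(requested.width, maxW));
        int h = Math.max(1, Math.min(requested.height, maxH));
        int x = Math.max(0, Math.min(requested.x, screen.width - w));
        int y = Math.max(0, Math.min(requested.y, screen.height - h));
        return new Rectangle(x, y, w, h);
    }

    /** Always-on-top is only honoured for signed (trusted) code. */
    public static boolean isAlwaysOnTopAllowed(boolean codeIsSigned, boolean wantsAlwaysOnTop) {
        return !wantsAlwaysOnTop || codeIsSigned;
    }

    public static void main(String[] args) {
        // Constructed inputs: a 1280x1024 desktop, one request that exceeds the
        // screen and starts off-screen, and one modest request.
        Dimension screen = new Dimension(1280, 1024);
        Rectangle oversized = new Rectangle(-50, -50, 1400, 1200);
        Rectangle modest = new Rectangle(100, 100, 640, 480);

        System.out.println("oversized allowed? " + isBoundsAllowed(oversized, screen));
        System.out.println("modest allowed?    " + isBoundsAllowed(modest, screen));
        System.out.println("oversized clamped: " + clampBounds(oversized, screen));
        System.out.println("unsigned + always-on-top allowed? " + isAlwaysOnTopAllowed(false, true));
    }
}
```

Whether to reject or clamp is a policy choice: rejecting (isBoundsAllowed) is simpler to reason about, while clamping (clampBounds) keeps hobby applets working at a reduced size instead of failing outright. In a real plugin this check would belong in the host's security manager, which the example does not model; the point here is only that the size and always-on-top decisions are made with the whole screen in view rather than per-API.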
Re:Analysis of the "hack", or how sum of parts bre (Score:5, Insightful)
1. Validate applet size to be always significantly less than screen size
2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.
I would expect that "System Modal" should be forbidden from any applet, even if it is signed. After all, it is running in a browser, not directly in the OS, so Application modal should be sufficient. In fact, one can argue that if you are writing an applet and you need System Modal functionality, then you are probably using the wrong technology anyways and should consider alternatives.
Applets were designed to be sandboxed. System Modal should have been forbidden from the beginning anyways.
Flash (Score:3, Insightful)
Re: (Score:3, Insightful)
Why is that? What is "worse" about it than Ecmascript?
For extra credit, explain why Java Web Start is worse than downloading a traditional application and installing it...
Lemmings...gotta love 'em.
Re: (Score:2)
JavaScript is natively supported in the browser. Java requires an additional piece of software. Browsing the web in a secure mode should rely on the fewest number of software elements in order to minimize the opportunities for exploits. I'm not saying that only having one program running will prevent problems, but, as long as you keep that program patched appropriately, you should be safer than running two.
Layne
Re:Doesn't work.. (Score:4, Informative)