IE Vulnerable to Cross-Browser Spyware Attack

An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browsers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate projection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

  • Caveat (Score:5, Informative)

    by Kimos ( 859729 ) <kimos...slashdot@@@gmail...com> on Monday March 14, 2005 @02:46PM (#11935537) Homepage
    IF you're running Java and you click 'Yes' to the security warning...
    • Re:Caveat (Score:5, Insightful)

      by Jugalator ( 259273 ) on Monday March 14, 2005 @02:59PM (#11935728) Journal
      ... and unfortunately, the system default is to have Java enabled, and the user default is to answer "Yes" to any dialog boxes popping up while browsing the web.
      • Re:Caveat (Score:5, Insightful)

        by Tim C ( 15259 ) on Monday March 14, 2005 @03:19PM (#11935966)
        the user default is to answer "Yes" to any dialog boxes popping up while browsing the web.

        That's true, and is why I don't believe that any OS or browser is going to save us from malware. Until the average user learns safe computing practices, they're going to continue installing stuff they later wish they hadn't; in time even if they do stop running as admin, they'll get used to typing in their admin (or root) username and password.
        • Re:Caveat (Score:5, Interesting)

          by nacturation ( 646836 ) <nacturation&gmail,com> on Monday March 14, 2005 @03:26PM (#11936047) Journal
          Even on the Mac, where you're prompted to enter your username and password to grant temporary root access for an installer. What's to stop an application putting up its own fake security dialog during the install, thereby bypassing the built-in Mac security dialog? It's not like it's impossible to fake that dialog, then not only can the application have root access to do whatever it needs to, but it can also save your username and password to re-use later or send to a third party for a bit of remote fun.
          • Secure login (Score:5, Insightful)

            by grahamsz ( 150076 ) on Monday March 14, 2005 @03:59PM (#11936472) Homepage Journal
            A nice intelligent choice with WinNT was the "Press Alt-Ctl-Delete" to login.

            Since applications shouldn't be able to hijack that combination it adds additional security.

            You can have a lot of fun with mimicking login boxes. Back when I was in uni we'd screw around with each other's laptops. I got a terminal window on a friend's machine and aliased the su command to a perl script which would prompt for a password, send the password to my webserver, tell the user it was wrong, and then unalias the command so the next try would go to the real su.

            Easy to do, but you'd have to be very on top of things to spot it.

            • Re:Secure login (Score:3, Informative)

              by Xoder ( 664531 )
              Actually, the three magic fingers doesn't do what it's supposed to anymore. You can now create a virtual desktop, and do whatever you like with that key combo. I read about it in DDJ. MS is happy to have made it, since it makes the kiosk software people happy.

              and Re: the script: devilishly clever, sir.
            • Re:Secure login (Score:4, Informative)

              by m50d ( 797211 ) on Monday March 14, 2005 @05:14PM (#11937382) Homepage Journal
              Erm, it took about a week for a trojan which intercepted the ctrl-alt-del to come out.
          • Re:Caveat (Score:3, Informative)

            by MrLint ( 519792 )
            The macosx has a details turndown to show 'requested right' which in my test case is system.install.root.user

            and application /Applications/Utilities/Installer.app

            It should be noted that this is from an mkpg, I'm looking to see if I have a standalone application installer around
        • Re:Caveat (Score:3, Insightful)

          by iabervon ( 1971 )
          Recent versions of Firefox, at least for installing plugins, don't pop up a dialog box. Instead, there is an unobtrusive bar at the top of the window, which essentially says, "if you're missing something on this page, here's how to get it". A very similar bar is used to let you see pop-up ads, in case you actually wanted something in a pop-up. The user default may be to answer "Yes" to any dialog boxes, but they default to not messing with anything they don't have to.
      • Re:Caveat (Score:5, Funny)

        by rreyelts ( 470154 ) on Monday March 14, 2005 @03:26PM (#11936046) Homepage

        Funny that. The dialog box has three (count them - 1, 2, 3) exclamation icons, has a title that says "Warning - Security", explicitly states that the certificate is invalid and issued by an untrusted company, and has "No" as the default selected button. What more can be asked of Sun?

        I suggest that Java make loud, obnoxious noises and shout Monty Python quotes at the user at an intolerable volume if he perchances to select "Yes", against all warnings.

        Exploit, my ass.

        • Re:Caveat (Score:5, Insightful)

          by Anonymous Coward on Monday March 14, 2005 @03:45PM (#11936292)
          Since you asked...

          Create a dialog box with all the warnings. Give it an OK and a Cancel button. Closing it or clicking Cancel always causes the applet not to run.

          Give it a checkbox, that says "Allow this potentially dangerous applet to run without security restrictions." Leave it unchecked.

          Clicking OK while it's unchecked also causes the applet not to run.

          Now the user can't accidentally click yes, as two clicks are needed to unlock the applet. You can't accidentally make the user install the applet by typing "Y" when the dialog suddenly pops up.

          That's how all these "do something insecure" dialogs should be. I should have to explicitly check off "OK" and then hit the "Accept" button. That includes Firefox's XPI install system, which the site mentioned also tries to exploit.
          • Re:Caveat (Score:5, Interesting)

            by RetroGeek ( 206522 ) on Monday March 14, 2005 @04:17PM (#11936690) Homepage
            I always make the user type "VERIFY" into an entry field for any potentially disastrous action.

            Hard for them to say they didn't see it.
          • Re:Caveat (Score:3, Insightful)

            I once wrote a spoof installer which offered "Install a virus" as an option. You would be surprised how many people select that option!

            Even if one option was "transfer your bank account contents to an unidentified account in Nigeria" some people would still choose it.

            Some people are beyond hope.

          • by schon ( 31600 ) on Monday March 14, 2005 @05:20PM (#11937471)
            Most (all?) Japanese cars have a "feature" that the door won't lock unless you're holding the handle up (open, whatever.)

            I heard that this was a measure to prevent people from locking their keys in their car. The Japanese car manufacturers decided that if people have to lock the door, then hold the handle in the open position as they close the door, it will prevent them from accidentally locking their keys in the car.

            Sounds nice in theory... until the day I locked the keys in my Civic. It was then that I noticed that because I couldn't lock the car door without holding up the handle, that I had gotten into the habit of *always* holding up the handle while closing the door, even when I didn't want to lock it.

            I've known a lot of people who have locked their keys in their Japanese car, they told me the same thing.

            So, instead of being a mechanism to prevent people from accidentally locking their keys in their car, it was instead a mechanism to train people to hold their door handle up when closing the car door.

            You can't fix a behavioural problem with a technological solution.
            • by dcam ( 615646 ) <david@@@uberconcept...com> on Monday March 14, 2005 @08:12PM (#11939244) Homepage
              You can't fix a behavioural problem with a technological solution.

              Not trying to nitpick, but this is incorrect. It comes out on Slashdot an awful lot (particularly in relation to spam). It is better said as: "You cannot fix every behavioural problem with a technological solution."

              Using another car example, switching the car off while the lights are on makes the car beep. This, in my experience, has largely solved the problem of leaving the lights on and getting a flat battery.

              I am not certain if this has had the same effect in the wider population, but it is an example of where a behavioural problem of mine has been fixed by technology.
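An added illustration (not part of any comment in this thread, and not code from Sun's JRE or Firefox) of the confirmation designs proposed in the sub-thread above: a checkbox that starts unticked and must be ticked before OK counts, a typed "VERIFY", and an assumed arming delay during which affirmative input is ignored. The event shapes, policy fields and function names are hypothetical, and the sample sessions are constructed.

```javascript
'use strict';

// Added example: decision logic for a "run untrusted code?" prompt.
// Hypothetical event objects, in the order the dialog received them:
//   { t, type: 'key', key }     keystroke while the dialog has focus
//   { t, type: 'toggle' }       click on the (initially unticked) checkbox
//   { t, type: 'input', text }  current content of the confirmation field
//   { t, type: 'ok' | 'cancel' | 'close' }
// t = milliseconds since the dialog became visible.

const DEFAULT_POLICY = Object.freeze({
  armDelayMs: 3000,        // assumed delay: affirmative input is ignored before this
  requireCheckbox: true,   // OK with the box unticked refuses
  requirePhrase: 'VERIFY', // exact text to type; null disables this step
});

function deny(reason, ignored) {
  return { granted: false, reason, ignored };
}

function evaluateConsent(events, policy = DEFAULT_POLICY) {
  let checked = false;
  let typed = '';
  let ignored = 0; // events that were deliberately given no effect

  for (const ev of events) {
    // Dismissing the dialog always refuses, even before it is armed.
    if (ev.type === 'cancel' || ev.type === 'close') {
      return deny('dismissed', ignored);
    }
    // A dialog that appears under the user's hands must not take a stray
    // click or keystroke as an answer.
    if (ev.t < policy.armDelayMs) {
      ignored += 1;
      continue;
    }
    switch (ev.type) {
      case 'toggle':
        checked = !checked;
        break;
      case 'input':
        typed = String(ev.text);
        break;
      case 'ok':
        if (policy.requireCheckbox && !checked) {
          return deny('checkbox-not-ticked', ignored);
        }
        if (policy.requirePhrase !== null && typed !== policy.requirePhrase) {
          return deny('phrase-mismatch', ignored);
        }
        return { granted: true, reason: 'explicit-consent', ignored };
      default:
        // 'key' and unknown events: no accelerator ("Y", Enter) answers the prompt.
        ignored += 1;
    }
  }
  return deny('no-decision', ignored); // fail closed
}

// Constructed sample sessions.
const SAMPLES = {
  typingWhenItPopsUp: [
    { t: 120, type: 'key', key: 'y' },
    { t: 180, type: 'key', key: 'Enter' },
  ],
  okWithoutCheckbox: [{ t: 4000, type: 'ok' }],
  earlyClickThrough: [
    { t: 500, type: 'toggle' },
    { t: 900, type: 'ok' },
    { t: 3500, type: 'ok' },
  ],
  wrongPhrase: [
    { t: 3200, type: 'toggle' },
    { t: 5000, type: 'input', text: 'verify' },
    { t: 6000, type: 'ok' },
  ],
  deliberate: [
    { t: 3200, type: 'toggle' },
    { t: 5000, type: 'input', text: 'VERIFY' },
    { t: 6000, type: 'ok' },
  ],
  closedEarly: [{ t: 100, type: 'close' }],
};

function runSamples() {
  const out = {};
  for (const [name, events] of Object.entries(SAMPLES)) {
    out[name] = evaluateConsent(events);
  }
  return out;
}

console.log(runSamples());
```

Only the `deliberate` session is granted; every other path, including running out of events, ends in a refusal.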
    • Re:Caveat (Score:5, Insightful)

      by sfjoe ( 470510 ) on Monday March 14, 2005 @03:03PM (#11935779)


      The security warning explicitly states, "The security certificate was issued by a company that is not trusted".

      I mean, what do people expect? A little hobgoblin to pop out of their computer and whack them in the head with a mallet if they try to click 'yes'?

      • Re:Caveat (Score:3, Funny)

        by Klivian ( 850755 )
        >A little hobgoblin to pop out of their computer and whack them in the head with a mallet
        Hey, that was actually a great idea for a new family of USB gadgets.
      • re: caveat (Score:3, Insightful)

        by ed.han ( 444783 )
        you're assuming that people read these warnings. i think it's fair to say that a goodly number of users are in fact not really reading them. maybe the little hobgoblin wouldn't be such a bad idea after all... :>

        ed
      • by Anonymous Coward
        BUG REPORT:

        When I visit a web page and it prompts me to install something, a little hobgoblin pops out of my computer and whacks me on the head with a mallet when I click yes.

        After this happens, my computer slows down and I get lots of popups. I think the hobgoblin has infected me with a virus. Please disable the hobgoblin so I can install things from websites easier. And stop it from infecting me with viruses! Can't you guys program a computer right?
      • Re:Caveat (Score:5, Insightful)

        by m50d ( 797211 ) on Monday March 14, 2005 @03:23PM (#11936019) Homepage Journal
        The user has seen enough web dialogs to know that when you see one, you click yes. If you try to read them all you'll go mad, if you click no that cool game bob told you about doesn't work. So you click yes on everything.
      • Re:Caveat (Score:5, Funny)

        by Auckerman ( 223266 ) on Monday March 14, 2005 @03:28PM (#11936066)
        "The security certificate was issued by a company that is not trusted."

        While that reads like perfectly valid English to me, knowing things that are irrelevant to my daily life and all, most people would NEVER understand that statement.

        A clearer statement like "It is probable that a VIRUS is trying to install on your computer, do you want to STOP this VIRUS from installing" with a "yes" and "no" for the check box with "yes" the default.
    • Re:Caveat (Score:5, Insightful)

      by nacturation ( 646836 ) <nacturation&gmail,com> on Monday March 14, 2005 @03:23PM (#11936013) Journal
      ... and after you click "Yes" to the warning, you have granted the Java code permission to modify anything on your hard drive. So, the fact that it modifies IE is really incidental. It could just as easily modify Firefox, Mozilla, OpenOffice.org, Thunderbird, emacs, gcc, and any other application it wants to.

      A better title for this article would have been "Every application vulnerable to attack due to bug in either Firefox and/or Sun's JRE".
      • Re:Caveat (Score:5, Informative)

        by Deathlizard ( 115856 ) on Monday March 14, 2005 @04:05PM (#11936543) Homepage Journal
        what makes this even more scary is that it isn't technically a bug.

        There is nothing stopping the spyware company from getting a valid signature and packaging it. It happens all the time in IE. In fact, most of the spyware installers out there for IE are digitally signed.

        Using Java, they could easily socially engineer you to download and trust this thing, use Java to find out what OS you're running, download spyware/rootkits/etc for your particular PC OS and own your box totally independent of IE.

        A lot of the reason why Firefox is so safe is because it doesn't support ActiveX and prompt you all day to install the legacy scumware stuff. If it did support ActiveX in any way it would be prompting you just like IE would, People would click on yes just like they do in IE, and people would get owned just like they do with IE. Since it supports Java, however, they will just gamble that you have Java and get you to do the same thing they were doing in ActiveX, only with Java instead.

        The Spyware writers know that 99% of computer users don't know what they are doing and they exploit that, pure and simple, and there's nothing that Bill Gates, Linus Torvalds, or Steve Jobs is going to do about that. This is what Kevin Mitnick has been preaching for some time now, that social engineering is the hacker's favorite tool, and until anyone who writes internet enabled code understands that, there's going to be a really big security problem in the future.
  • No problem. (Score:5, Interesting)

    by rackhamh ( 217889 ) on Monday March 14, 2005 @02:46PM (#11935539)
    VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

    Oh, well, it's no problem then. It's not like anybody uses THAT...
  • who fixes it? (Score:3, Insightful)

    by dirvish ( 574948 ) <dirvish&foundnews,com> on Monday March 14, 2005 @02:46PM (#11935542) Homepage Journal
    It will be interesting to see if there is the usual 24 hour turnaround on a fix for this from the Mozilla Foundation. Lord knows Microsoft probably won't lift a finger to fix it.
    • This is an IE problem, not Firefox. The only way of fixing it will be uninstalling Internet Explorer and I don't think Microsoft will find that amusing at all if Mozilla went ahead and did that!

    • by Bob Loblaw ( 545027 ) on Monday March 14, 2005 @02:50PM (#11935607)
      Sure they'll fix it ... by silently uninstalling Firefox using their next IE "this fixes numerous security flaws" super-updates.
    • Re:who fixes it? (Score:4, Insightful)

      by zootm ( 850416 ) on Monday March 14, 2005 @03:22PM (#11936008)
      This is a "vulnerability" in Java, not Mozilla. The reason it's "cross-browser" is because it's written in Java, and will work on any browser using Sun's JRE (and probably any other compliant one). It's not even a vulnerability in Java, strictly speaking -- it's a signed applet, with an invalid signature, and the user has to click past an ugly-looking "this is unsafe!" error page to infect themselves.
  • by Zone5 ( 179243 ) on Monday March 14, 2005 @02:47PM (#11935543)
    "IE vulnerable to new attack" - shouldn't we find some sort of shorthand for this, since it happens so often?

    I have to imagine Slashdot's bandwidth saving would be enormous.
  • by LittleLebowskiUrbanA ( 619114 ) on Monday March 14, 2005 @02:47PM (#11935548) Homepage Journal
    Yeah, I'll get right on that Timothy. Removing IE is so easy on Windows.... Not like it's built into the OS or anything.
  • Bogus Headline (Score:5, Informative)

    by karmatic ( 776420 ) on Monday March 14, 2005 @02:47PM (#11935554)
    The spyware installs itself using Java. It's not browser-specific; you can infect IE using Mozilla, Opera, IE, etc.

    There _is_ a dialog box, since the applet is unsigned. I tried signing it with my certificate; it installed itself without prompting. I believe it uses some sort of JRE exploit.
  • by WormholeFiend ( 674934 ) on Monday March 14, 2005 @02:48PM (#11935562)
    switching away from IE does not give adequate projection

    What do I need to be able to project my fears of infection adequately?
  • Misleading title (Score:5, Insightful)

    by kevin_conaway ( 585204 ) on Monday March 14, 2005 @02:48PM (#11935563) Homepage
    The article title/summary focuses more on how IE is to blame rather than the real root of the problem, which appears to be Java. I realize this is Slashdot and it's Microsoft, but come on.
    • by Allicorn ( 175921 ) on Monday March 14, 2005 @03:46PM (#11936310) Homepage
      Firefox isn't to blame here, it's presented a very large, very clear, very threatening warning message.

      Java isn't to blame here, it's honored the unrestricted access permission given to the applet by the user.

      IE isn't even to blame here (!), it's just a target. Once the applet is running without restrictions, it can do anything any other executable could do.

      This "exploit" could be delivered via some other JavaPlugin-enabled browser and modify any other piece of software installed on your box.

      The blame here, at least in the case of the original article on Vital Security would appear to be the author experiencing a profound "curiosity killed the cat" moment.
  • In other news (Score:3, Insightful)

    by KingKire64 ( 321470 ) on Monday March 14, 2005 @02:48PM (#11935570) Homepage Journal
    If you leave the house you will get sick. There are holes in everything. The added value of open source is the ability to patch the system quickly. If Linux had 70% of the desktop market share you would see more viruses for it. But the hole they exploit would be fixed quicker. The question really becomes getting ppl to update their machines. That really is more of the problem. I'm sure there are plenty of unpatched systems out there spreading nimda.
  • Not just browsers. (Score:5, Informative)

    by meisenst ( 104896 ) on Monday March 14, 2005 @02:48PM (#11935573) Homepage
    It's important to identify that if this is not a browser thing, but a Sun JRE thing, any Java-enabled program that can come in contact with the installer applet could potentially infect your system.
  • by tehshen ( 794722 ) <tehshen@gmail.com> on Monday March 14, 2005 @02:49PM (#11935588)
    IE can already be infected by plugins and downloads from other browsers. My sister (whom I have confined to Firefox) likes to play those goddamn Neopets games, which require Shockwave. After installing it, the Yahoo! toolbar had managed to place itself into IE somehow, even when IE hadn't been used for months.
  • by cy_a253 ( 713262 ) on Monday March 14, 2005 @02:50PM (#11935594)
    from the if-you-must-run-windows-remove-ie dept.

    Really? The Microsoft website often blocks browsers other than IE from downloading updates and whatnot.

    You CAN'T just remove IE. You need it. Just try to update office on firefox for example:

    http://office.microsoft.com/en-us/officeupdate/default.aspx [microsoft.com]
  • by Deep Fried Geekboy ( 807607 ) on Monday March 14, 2005 @02:50PM (#11935597)
    1. You can't win
    2. You can't break even
    3. You can't get out of the game
    4. No matter how hard you shake it, the last drop always rolls down your pant leg.
  • What? (Score:3, Interesting)

    by PhreakOfTime ( 588141 ) on Monday March 14, 2005 @02:52PM (#11935630) Homepage

    So by using a browser that this exploit is not aimed at will infect part of the operating system you're trying to get away from because everything is so integrated with no end user control.

    How is this bad for firefox? If anything it's a big black eye for MS and integrating IE into the OS.

  • by bersl2 ( 689221 ) on Monday March 14, 2005 @02:52PM (#11935631) Journal
    By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer.... VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

    So, the attack happens through Sun's JVM, affects IE, and consequently has nothing to do with Firefox, which was inserted into the article for maximum troll capability.
    • No, because the attack happens when browsing with firefox, or in fact anything using Sun's JVM, but firefox is the only popular alternative. So even if you're running firefox for your pr0n surfing and only using IE for trusted sites like your bank that require it, you're vulnerable. Which is newsworthy.
  • Java Exploit (Score:3, Insightful)

    by miffo.swe ( 547642 ) <daniel...hedblom@@@gmail...com> on Monday March 14, 2005 @02:59PM (#11935726) Homepage Journal
    To me this sounds like a Java exploit and not something you can pin on either IE, Firefox or any other browser. It would be pretty lame to demand that Firefox should protect IE from a Java exploit, yes?
    • by Anonymous Coward on Monday March 14, 2005 @03:17PM (#11935929)
      There are two types of Java applets: signed and unsigned. Unsigned applets run in a sandbox inside your Web browser. A Java exploit would be an unsigned applet that could "get out" and do something malicious. This doesn't seem to be an unsigned applet.

      Signed applets don't run inside a sandbox. A signed applet can do anything that any other executable program can do; including formatting your disk or installing spyware. They are not any safer than programs written in C or assembly language.

      --Steve
  • by Hyksos ( 595814 ) on Monday March 14, 2005 @02:59PM (#11935731)
    I know there's been a fair share of MS-bashing already but I just can't resist... It's pretty funny that IE is so insecure that its security holes exist in other programs :)
  • by bob670 ( 645306 ) on Monday March 14, 2005 @03:01PM (#11935745)
    but this has a lot more to do with bad surfing and usage habits than IE at this point. If you haven't learned not to click on every damn pop up window, click yes on every dialog box and follow links to sites riddled with porn and warez ads then you get what you deserve. While I tend to use Mac OS X for most everything now, I have yet to get hit with spyware or a virus the entire time I have used 98Se/2000/XP. I got one virus on Win 95 and it served as a wake up call to watch what I was doing and think before I clicked yes. Yes, MS is responsible for some of this, and I am not trying to place blame on victims, but take some responsibility for your computer or put it back in the box and return it to Dull or Worst Buy.

  • Trend Micro (Score:3, Informative)

    by mazevedo ( 117804 ) on Monday March 14, 2005 @03:01PM (#11935748)
    When I tried to open the page he shows as the source of infection, my TrendMicro Antivirus Software automatically detected it and trashed it.

    What scares me most, is that FF didn't ask to download the file, it just downloaded the JAR into the cache folder.
  • Non-issue (Score:3, Insightful)

    by Nemi ( 627009 ) on Monday March 14, 2005 @03:16PM (#11935925)
    This is infecting the machine using a signed applet. Hello? I can do anything I want to your pc if you allow a signed applet to run. This is not news. I can install a trojan, key logger, back door, whatever. Infecting IE is the least of someone's problems if they allow signed applets from untrusted sources to run.
  • by GCP ( 122438 ) on Monday March 14, 2005 @03:21PM (#11935994)
    Ironic that Java, famous for its sandbox, seems to be the door through which this intruder enters.

    I keep wondering if it wouldn't be better to have something like VMWare a standard part of a consumer OS. You would instantiate a VMWare-type virtual machine, preloaded with your Web browser, email client, etc., for all external communications. You would leave your "real machine" with no Net connection, but use it for other tasks that didn't need a live Net connection. Attacks from the outside would have no way to damage anything other than a virtual machine. If it got screwed up or infected, even by your kids playing with it and saying "Yes" to download offers, you'd just delete it and instantiate a new one.

    You'd be able to reach from the real machine into one of the VMs and retrieve a file that you were satisfied was safe, but there would be no way for a VM to export (VMWare is like this). There would be occasions when fetching an infected file would infect your real machine, but the overall incidence of external damage should be significantly reduced by this approach and recovery from screwups would be quick and easy (at a cost of performance for activities done from a VM).

    It's just a thought, but it seems as though this would just be an extension of the Unix notion of having root power but doing most of your work from a non-root account just to be safe.

    • Ironic that Java, famous for its sandbox, seems to be the door through which this intruder enters.

      Ah I was waiting for something like this!

      The sandbox works just fine, thanks.

      If you click "Yes" to the question: "This applet wants to access the network and your local disks. Are you sure you want to let it do this?" then, you are in trouble, because you just answered the question "Do you want to give up all security provided by the Java sandbox by running this applet that is not even signed correctly"

  • As other people have noted, you still have to say "yes, bone me". But people don't expect a Java applet (since it's normally firewalled) to be dangerous, so they're more likely to say "yes".

    If allowing an unrestricted Java applet to run is just as dangerous as installing and running an application, then the dialog box should reflect that. If Firefox is going to make you manually approve sites that you're going to allow XPI installs from, and *then* run a countdown in the warning dialog, they need to be at least as thorough about any other operation that takes you outside the sandbox.
  • by SnprBoB86 ( 576143 ) on Monday March 14, 2005 @03:25PM (#11936040) Homepage
    I'm confused why this is considered an IE vulnerability? And I am even more confused as to why people pin this on Java.

    If a user downloads an untrusted applet and grants it unrestricted security access, EVERY SINGLE THING ON YOUR COMPUTER IS VULNERABLE. Just because this particular exploit attacks IE, doesn't mean that the exact same applet couldn't be altered to infect Firefox or even something completely different like Adobe Photoshop.
  • Some FUD here? (Score:3, Interesting)

    by billsf ( 34378 ) <billsf@cuba.calyx . n l> on Monday March 14, 2005 @03:40PM (#11936240) Homepage Journal
    It looks like an exploit I happened to discover only about two and a half weeks ago while running Windows XP-sp2-blabla under emulation. The recognisable part is being able to get 'spyware' (in the test, just a dummy cookie) through Firefox and into IE. A few people were told this and repeated it. It should be made VERY clear that Sun Java is NOT needed (MS has every reason to FUD Sun) and it's not Mozilla at fault, but the fact that IE cannot yet be 'de-installed'. The advised solution is for _someone_ to develop a full de-installer for IE. Nobody I know gives a flying f* for MS, but getting a practical de-installer out for IE is the slap-in-the-face MS has coming!

    In the meantime watch out for FUD. MS will say Sun and Mozilla are bad and IE is good. You never say in business: "I told you so", but MS will. WATCH OUT! As usual there is a spin on this that seems to favour Microsoft. Don't buy it.

    There are some 'unfixable' bugs in all Windows and MS products due to the "I want to be different factor". Being able to completely remove IE (use Firefox, Opera, etc.) would go a long way in reducing the threat. Removing "Media Player" (use mplayer) would help a little more. The real truth however is that Windows is flawed by design and can never be fixed in an acceptable way.

    If you are unfortunate enough to be using Windows, please look at the track record, including all the lies you've been told and make an informed decision. Get Solaris 10 if you wish, I'll stick with FreeBSD. Linux has a range of distros that range from 'true hardcore' to 'clickity-click' and even have a dual boot. Sooner or later, you are going to have to make the transition. You decide when.

  • by WhiteWolf666 ( 145211 ) <[sherwin] [at] [amiran.us]> on Monday March 14, 2005 @03:43PM (#11936278) Homepage Journal
    Seriously slashdotters. . . .

    At some point, the user must take some responsibility for their own security.

    System doing something unintended, without user notification or permission? Security exploit.

    System doing something unintended, after user notification and approval? Idiot exploit.

    The ONLY way to stop idiots from being exploited is to take the permission/approval step out of their hands, and give it to someone else.

    Either the sys-admin, or the OS manufacturer.

    The sys-admin route is already possible. We don't need anything else for that. These boxes are secure, but a gigantic pain to work with, depending upon what your users' needs/wants are.

    The OS manufacturer route. This is the route Microsoft would love to push us all.

    Dump Java. It's insecure. Use our New(TM) Palladium(TM) Super-Secure Trust-In-Our-Magic-Decision-Making Signed Certificate, only MS(TM) software ActiveSecureX.

    The only way to prevent (idiot) exploits such as this one, is to prevent any 'unapproved' application installs.

    Ask for that, and you're asking for Trusted Computing(TM).

    And I'll bet ten grand that someone will figure out how to exploit THAT, and then you'll have a pwned box that is unfixable.

    This is Microsoft. Even though your users make DAMN STUPID decisions on what to install (Press Yes to Install MySpware Super-Happy Plugin!), Microsoft has proven itself to be just as, if not far more vulnerable.
  • this is pure fud (Score:3, Insightful)

    by taso ( 31477 ) on Monday March 14, 2005 @04:07PM (#11936564)
    Linux is vulnerable to the following exploit. If a user unwittingly gives the root password, his drive will be erased.
    #!/bin/sh
    echo Kindly give the root password at the next prompt
    su -c rm -rf /
  • by OhHellWithIt ( 756826 ) * on Monday March 14, 2005 @04:09PM (#11936587) Journal
    The author brushes aside "the social engineering aspects of the install", but the screen shots don't show anything other than the standard dialog that is triggered when Java encounters an applet that seeks to use privileged methods. This is hardly social engineering!

    It's been a long time since I worked with Java code, but I recall that once the user tells Java he "trusts" the code, (signed or unsigned), he opens himself up to a number of risks, including accessing the local filesystem and making network connections to hosts other than the host from which the applet was downloaded. This would, of course, include HTTP calls, probably using the installed default browser. I don't know about executing local programs.

    So, while this may have been an exploitation of MSIE, the fact remains that it would never have occurred had the user not agreed to trust the applet. This is why it's important for developers and sites to sign their code, but more importantly, it shows the importance of embedding into end-users' brains: "Never, never, never click 'yes' when the application tells you the code is untrusted."

  • WTF? (Score:4, Insightful)

    by stinky wizzleteats ( 552063 ) on Monday March 14, 2005 @04:17PM (#11936694) Homepage Journal
    So you are telling me that someone found a way to get into a system with java, and - once there, found that it was actually more effective to try to break IE than the browser actually being used? Doesn't that sort of blow the popularity vs. intrinsic insecurity argument out of the water? I mean, the user is running firefox, right? The argument of what they are likely to use (and therefore be affected by) has pretty much been resolved at that point.

    This sounds like a FUD factory somewhere is trying to come up with vulnerabilities against Firefox. Interesting that the best they can come up with so far is an exploit of IE. "Hey, wait, guys, we can make this one run with another browser! Let's run with that!"
  • by rudy_wayne ( 414635 ) on Monday March 14, 2005 @04:20PM (#11936714)
    The Giant DUH! Award goes to VitalSecurity.org, quite possibly the dumbest security company ever.

    At the end of his blog, the author says that the purpose of his article is NOT to point out the social-engineering aspects of this exploit, but to point out that "most spyware installs occur when someone clicks "yes" to something they shouldn't have."

    DUH!!!! What a total maroon.

    Let's review. The user is presented with a dialog box that warns them, 3 times, that this thing can't be trusted, but they click 'Yes' anyway.

    This is not a Firefox exploit. It is not an IE or Java exploit. It is a USER STUPIDITY exploit.

  • McAfee VirusScan (Score:4, Informative)

    by brettlbecker ( 596407 ) on Monday March 14, 2005 @05:50PM (#11937835) Homepage
    When I visited http://www.lyricspy.com/ (this site listed as being the origin in the VitalSecurity story) I immediately receive a pop-up warning from McAfee 8.0 that the file "javainstaller.jar" is a Trojan, and an "exploit". The installer window never appears at all.

    Additionally, Firefox automatically blocks the installation with its pop-up blocker, so it appears that, with my settings (which are not terribly restrictive), I have a double layer of security preventing me from even getting to the point of clicking "yes" to the installer.

    Not too big a deal, this, but it is good to know that following basic security procedures like keeping virus definitions up to date and using the pop-up blocker correctly can make it a lot easier to avoid the kind of crap this story deals with. I do realize, however, that a great many people do not follow these guidelines, and that that is the point of the story.

    But I would like to point out that it seems that I am not quite as vulnerable as this story makes it appear that I will be (when running Windows). And, of course, if I flip over to my Fedora Core 3 partition, this problem goes away entirely.

    And yes, I am using the Sun Java Runtime.

    B
