
Theory


116 replies to this topic

#61 aad (New Member, 6 posts)

Posted 17 March 2005 - 01:19 AM

As a newbie to this forum but not a newbie to security issues, I have found this whole topic/theory most interesting. It seems to me that the whole problem of new and emerging malware/spyware/worms/viruses/adware, and new and innovative ways (and sometimes not so new and innovative ways) to trick users into executing these and infecting their computers, is related to the larger issue of using Windows XP. Now, I realize that many people have been raised on Windows XP and it is hard to let go, since people are familiar and comfortable with Windows XP programs. Now, when I speak of using Linux as an alternative, I am not saying that Linux is 100% safe (there is no such thing, nor will there ever be such a thing, as a 100% safe and perfect operating system), but on the whole it does appear a lot safer against the vulnerabilities and exploits that increasingly affect Windows XP systems.

So it would appear that perhaps a compromise may be in order. You can use Linux Live CDs to access the Internet and check your e-mail. You don't have to uninstall or give up Windows XP and can still use it to run your commonplace programs. You can also create a dual-boot Windows XP and Linux system and do the same. In fact you can even use programs like CrossWeaver or Wine to run some of your common Windows XP programs in Linux. Using Linux to access the Internet and check e-mail means that you don't have to use a truckload of protection programs to defend your computer.

How does this relate to the topic of this new Sun Java exploit? Well, using Xandros (Linux) and Mozilla Firefox, I accessed the hostile link. Yes, the Sun Java popup came up, and yes, I gave permission, but no, nothing whatsoever happened. No duh! Since there was no Internet Explorer to infect. However, I also read that someone else tried the same thing on a computer with Fedora, running Internet Explorer using Wine and all binary permissions, and the exploit still failed.
This is not to flame or make light of a serious situation, but IMHO, I believe that people really need to focus less on patchwork and more on prevention. It's like that saying: "An ounce of prevention is worth a pound of cure." Peace

Edited by aad, 17 March 2005 - 01:45 AM.



#62 rob_ (Authentic Member, 10 posts)

Posted 17 March 2005 - 09:41 AM

"To wit: You MUST click YES to continue."

To wit, no one has EVER claimed otherwise! Just for the record, however, you can ALSO click ALWAYS. So, two out of three buttons on a vague (to an uninformed user) dialog allow the applet to download and run an arbitrary Windows executable.

Here are my issues with the current Firefox/SunJava approach to applet security:

1) If their security approach must entail popping up a dialog, at least have it give a clear indication of what permissions an applet requires. "Trust" is too vague, too broad, and too uninformative a euphemism for making a rational decision. In fact, so is "all" (which you see in other browsers). List them explicitly. Perhaps one is willing to allow it to read but not write a particular file, or write but not execute it. Please give us finer grained information, and control.

2) Treat signed and unsigned applets with equal contempt. Try this applet on Sun's site. It crashes immediately with no dialog whatsoever (which, in my opinion is a good thing). We are not subjected to a dialog box in this case, apparently because the offending applet is unsigned. Moreover, as we have seen, anybody can get a signing certificate. So, why give a phisher with a certificate an opportunity to perform social engineering?

3) It all boils down to the lack of an ACL or whitelist, and the lack of a global (to Firefox) option to disable certain Java permissions. Either of these would be preferable to disabling Java completely.

Finally, to see how annoying these "beg for trust" dialogs can potentially become, try browsing for a day with IE, with its security permissions for ActiveX, Scripting, .Net Framework, and Custom Java all set to "prompt". At up to a half dozen dialogs per page or refresh, I doubt you'll make it a whole day.

Thanks again, Efwis and Coyote, for bringing this handy social engineering enabling mechanism to light. Adios amigos.

#63 Blacksheep (Authentic Member, 57 posts)

Posted 17 March 2005 - 10:21 AM

Hmm, after perusing the various posts, rants and ruffled feathers concerning this novel new way to exploit unsuspecting netizens by using Sun Java, I've come to several conclusions:

1. The purpose of this computer rape of course is to make money without regard for morals and ethics.

2. It's a good thing this exploit came to light, regardless of who found what and the differing opinions, because something will now be done about it. However, much credit is due Efwis and Coyote for initial discovery and hot pursuit.

3. It disturbs me that some still consider this Sun Java issue a browser issue. If a browser can prevent it, that still does not make it a browser issue. That would be like saying an email-delivered virus or trojan, attachment clicked by user, is an email client issue, be it Outlook Express, Eudora or whatever. Of course an email client could prevent it by blocking attachments.

4. It further disturbs me that Firefox predominantly continues to be associated with this Sun Java issue when most if not all other browsers are equally capable of running this obscure Java applet installer and boning the exploit-riddled, OS-integrated IE yet again. Why is that? Is it because Firefox is a great browser, much more secure than IE, now the #1 browser choice of informed netizens, #2 browser on all the Internet? That is a disservice to Firefox and all the dedicated coders who made it possible.
Blacksheep ~ Crusader for Truth and Justice ~

Charter member 2004

#64 Zero (Authentic Member, 268 posts)

Posted 17 March 2005 - 03:28 PM

"2. It's a good thing this exploit came to light regardless of who found what and the differing opinions because something will now be done about it. However, much credit is due Efwis and Coyote for initial discovery and hot pursuit."


This is not an exploit! It presents a perfectly clear warning window. An exploit (which this clearly is not) would not present a dialog such as this; it would instead infect your computer maliciously without warning.

The image below shows just how obvious it is.

[Image: the Sun Java warning dialog]

Do a search for "Integrated Search Technologies." This is the second link in google. That alone should raise some eye-brows.

"Authenticity can not be verified". You should realize that this may not be something you want to have installed onto your machine.

"Not Trusted". Exploits are NOT this user-friendly.

"Has Expired" + "is not yet valid". This is a human stupidity error if they click yes.

Note the three yellow exclamation marks that just SCREAM danger.

If a user clicks yes, it is his or her own fault for being so blind to do so.

As I may quote a slashdot user: "What more does Sun Java need to do? Have hobgoblins attack you and bop you on the head with a mallet if you click yes?"

There is no possible way this is an exploit. It is doing what it is coded to do: it presents the user with a choice, Yes or No; it doesn't secretly install to your PC without warning.

#65 aad (New Member, 6 posts)

Posted 17 March 2005 - 03:57 PM

"2. It's a good thing this exploit came to light regardless of who found what and the differing opinions because something will now be done about it. However, much credit is due Efwis and Coyote for initial discovery and hot pursuit."

"This is not an exploit! It presents a perfectly clear warning window. An exploit (which this clearly is not) would not present a dialog such as this; it would instead infect your computer maliciously without warning.

The image below shows just how obvious it is.

[Image: the Sun Java warning dialog]

Do a search for "Integrated Search Technologies." This is the second link in google. That alone should raise some eye-brows.

"Authenticity can not be verified". You should realize that this may not be something you want to have installed onto your machine.

"Not Trusted". Exploits are NOT this user-friendly.

"Has Expired" + "is not yet valid". This is a human stupidity error if they click yes.

Note the three yellow exclamation marks that just SCREAM danger.

If a user clicks yes, it is his or her own fault for being so blind to do so.

As I may quote a slashdot user: "What more does Sun Java need to do? Have hobgoblins attack you and bop you on the head with a mallet if you click yes?"

There is no possible way this is an exploit. It is doing what it is coded to do: it presents the user with a choice, Yes or No; it doesn't secretly install to your PC without warning."



I gave Sun Java permission while running Linux-based Mozilla Firefox; "nothing" whatsoever happened, and nothing will, because there is no Microsoft Explorer to infect. Whether it is an exploit or not, its execution is rendered useless in a Linux environment. Yeah, so if you don't know what you are doing, best to use Linux Mozilla Firefox. Then you can blindly run and give Sun Java permission on such warnings and nothing will happen. In fact, I encourage you to do so just for laughs. Prove me wrong and show me that this works in Linux.

Edited by aad, 17 March 2005 - 04:01 PM.


#66 Zero (Authentic Member, 268 posts)

Posted 17 March 2005 - 04:07 PM

Funny. I don't recall saying anything about Linux; however, I use Linux all the time, and I'm willing to bet more than you do. I have tried the exploit on Linux -- nothing happens. Doesn't mean it's an exploit. It shows a CLEAR DIALOG basically telling the user "If you click Yes, you are an idiot". I never said anything about Linux being affected. It does infect Internet Explorer, yes, but not before you click a YES OR NO DIALOG, dismissing it from being an exploit.

#67 Blacksheep (Authentic Member, 57 posts)

Posted 17 March 2005 - 06:28 PM

Many newbies are unaware of the consequences of clicking yes to a pop-up they don't fully understand, and think it's necessary to view a webpage, do a download, etc. This exploit exploits user ignorance by installing a flurry of unknown, undocumented crapware without explicit user permission.
Blacksheep ~ Crusader for Truth and Justice ~

Charter member 2004

#68 Galadriel (Visiting Fellow, 528 posts)

Posted 17 March 2005 - 06:52 PM

Whether it works on Linux or not has nothing to do with the subject and the thick of the matter.... Whether some call it an exploit or a bug is not the thick of the matter either, and arguing and getting riled up over words just goes to show that the real purpose of this thread goes beyond some people's heads.

I kept myself away from this subject because, to be quite frank, I didn't feel I was informed enough. After seeing some of the side effects this "exploit" has had, I looked closer at it. This topic is quite representative of today's general feel in most forums. On the one hand you have some excellent posts that do their best to explain and extricate the most information they can on a subject, and on the other hand you have some general bickering over the words used by various posters....

The purpose of this discussion was to raise awareness of the so highly exploitable nature of the Windows operating system. I think this was done here, and quite nicely too. IE is the cause of a lot of the trouble, but the main problem is the way MS has rooted everything so deeply in the OS. IE is part of it; you can't remove it....without serious side effects.

So I too feel that thanks need to go out to all involved parties (Efwis, Coyote, Paperghost and Mike for his view on it too and for getting the word out).
:thumbup:
I amar prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel

'The world is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'

#69 rob_ (Authentic Member, 10 posts)

Posted 17 March 2005 - 07:00 PM

@ ZERO

LOL Well, you will all be relieved, for this is my final post on the subject. I'm not about to begin arguing with anybody, much less with Admins who call their own users "idiots" -- I mean, who normally visits this sort of forum except for those people who mistakenly, or due to some foible, click on the wrong button once in a blue moon? Please don't tell me that all of these folks were infected solely through purely automatic remote exploits. By your own logic, Firefox could safely support ActiveX by simply popping a yes or no dialog at every encounter. Why not just allow embedded binaries in web pages? A mere dialog for protection will suffice, will it not? Or why bother whitelisting XPI installs? Apparently, you think Firefox is so secure with Sun Java enabled, and, in your opinion, "CLEAR" dialogs popping up every time you visit a website containing a signed Java applet, and this is not an annoyance to you, and you do not wish to have more control/info regarding those applets because it would be too inconvenient for the programmers to provide this functionality to mere "idiot" users. What an attitude for an admin of a support site! I bid you all farewell, and leave you some things to consider.

http://plugindoc.moz.../faqs/java.html

"On Windows, Mozilla can be used with Sun's Java Runtime Environment (JRE). It can not be used with the Microsoft Java VM"

https://bugzilla.moz...g.cgi?id=261031

"Additional Comment #3 From Doron Rosenberg (IBM) 2004-09-22 18:19 PST [reply] -------
I wouldn't call this a 1.0 blocker since disabling java is a advanced user thing."

https://bugzilla.moz...g.cgi?id=251793
https://bugzilla.moz...g.cgi?id=239223
https://bugzilla.moz...g.cgi?id=272452
https://bugzilla.moz...ug.cgi?id=98365
https://bugzilla.moz...g.cgi?id=264740
https://bugzilla.moz...g.cgi?id=266155
https://bugzilla.moz...g.cgi?id=266705
https://bugzilla.moz...g.cgi?id=266827
https://bugzilla.moz...g.cgi?id=271098
https://bugzilla.moz...g.cgi?id=271444

http://forum.java.su...601130&tstart=0
http://forum.java.su...threadID=524815

http://sunsolve.sun....ey=1-26-57708-1
http://sunsolve.sun....ey=1-26-57613-1
http://sunsolve.sun....ey=1-26-57591-1
http://sunsolve.sun....ey=1-26-57221-1

#70 Zero (Authentic Member, 268 posts)

Posted 17 March 2005 - 07:08 PM

I stand by what I said. If a user fails to see that the applet they are about to click yes to is bad when it presents that much information, they shouldn't be on the internet, and I'd have no pity if they hit yes. If you can't read an applet that displays that much information, then it's an idiotic error.

"A mere dialog for protection will suffice will it not?"

If it gives out enough information, giving a yes or no -- then yes, it most likely will. If CWS et al. presented a warning "Can we install blah blah blah YES/NO" rather than using exploits, the internet would be a better place.

If you're telling me a dialog that displays a YES/NO option with a more details button that provides as much info as the one I posted above does is not good enough, your standards are too high.



#71 Guest_Paperghost_* (Guest)

Posted 18 March 2005 - 12:28 AM

"I stand by what I said. If a user fails to see that the applet they are about to click yes to is bad when it presents that much information, they shouldn't be on the internet, and I'd have no pity if they hit yes."

Then as Rob said, perhaps you shouldn't be an admin of a support forum where a large percentage of your users end up doing just that.

This is getting rather vapid and sliding deeper into childishness, despite Rob's best efforts. I'm going to rather lazily cut and paste something I posted over at CastleCops.

Some of it is a regurgitation of what Rob said (because his initial points seemed to be missed entirely), some of it is mine. I will add that the exploit WOULD work on Linux. The reason "nothing happened" (as one user put it) is because a Win32 executable is not going to run on Linux. And with that in mind...

Fact: The title of the article implicated FireFox only.


Realistically, I couldn't call the title "firefox/opera/netscape/netcaptor/everything else spyware infects IE" - that's rather a mouthful.

Plus, seeing as the initial "discovery" of this was done whilst using Firefox, and seeing as that's the browser I used to run the test, it seemed perfectly valid to call it that. Also - the title simply poses a question. The article is the answer, which clearly indicates it is both a Java issue AND a Mozilla issue. In addition, something people seem to be ignoring is the fact that Mozilla's security team have now taken this on and opened a dialogue with Sun. So they have classed this as a browser issue for them to fix.

Once a browser vendor has said it's a browser issue, then it's a browser issue - end of story. Our opinion of what it is or isn't doesn't really mean much after that. Seeing as how the Mozilla security team actually got involved in this, it would have been rather odd to then slant the article towards Opera / Netscape / someone else.

Fact: The "exploit" can be carried out on any browser that supports Sun Java Runtime (including IE presumably, though that one wasn't tested!)


Not true. There have been well documented difficulties getting this to work on Opera for various reasons, depending on browser and Java version. Also, the install is "intelligent" - it detects what browser you are using and then launches the appropriate install method. If you're using IE, you get an ActiveX prompt. If you're using Firefox you will get the applet.

The Lyricspy site has a JavaScript launcher which decides installation method. That installation method is this:

(IE) use the activeX installer
(Netscape/Mozilla) use the Java installer

Ed Bott: There is nothing that prevents IE from running this as well. That's not news. But there is nothing that prevents Firefox from running this, and that IS news.


The fact that it works on other browsers is irrelevant - if you're specifically talking about Firefox, you have to admit that it works.

More and more security journalists / researchers / vendors are now actually stating publicly that this was designed specifically for Firefox (even though it works on other similar browsers). For now, the clearest and easiest to follow explanation is below:

http://www.edbott.co...ves/000568.html

is Ed Bott's reaction to the newsletter.

http://www.edbott.co...ves/000562.html

Where he leads you through the (different) IE install.

Fact: A user must click to "approve" the exploit.


And how many spyware installs are caused by just that? It's not good enough to simply say the "stupid end user gets what they deserve" when they click "yes" to an applet, even an untrusted / unsigned one.

The applet itself downloads a native executable binary (PE file) into the Windows temp directory where it then executes. Nowhere in the applet does it say anything about doing that - and the average user would not worry much about such a warning, because they have the (incorrect) notion that Java applets only operate inside a sandbox. With this install, the sandbox doesn't even come into it. The install is done by the PE file that the Java applet downloads and runs - the applet is just a gateway.

Add to that the fact that many average users using Firefox will be under the misguided notion that they're "safe" because there's no ActiveX and XPIs are "secured", and it's quite right to assume this would catch more people out than a regular, bog-standard popup appearing whilst using IE.

After all, you're "using the browser you can trust", right?

I like firefox as much as the next guy, but the simple fact is, this exploit works on Firefox, and now Mozilla are looking into it.

Finally - you may be interested to know that Lockergnome ran a piece on the newsletter. The URL is here.

Edited by Paperghost, 18 March 2005 - 12:29 AM.
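The install chain Paperghost describes (an approved applet pulls a native PE file into the Windows temp directory and runs it, with the applet sandbox no longer involved) leaves a trace a defender can look for in process-creation telemetry. The Python below is an added example and not code from the thread or from any party it mentions; the log format, the file name dropped_installer.exe and the list of browser and Java host process names are assumptions constructed for the example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List

# Processes whose children we care about (assumption for this example).
# With the 2005-era plug-in the JVM is loaded inside the browser process, so
# the dropped executable's parent is the browser itself; the Java launchers
# are listed too for setups that host applets out of process.
APPLET_HOSTS = {"firefox.exe", "iexplore.exe", "java.exe", "javaw.exe"}

# Windows temp locations: the XP/2000 profile layout, the newer profile
# layout, and the system-wide temp directory.
TEMP_PATTERNS = [
    re.compile(r"\\local settings\\temp\\", re.IGNORECASE),
    re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE),
    re.compile(r"\\windows\\temp\\", re.IGNORECASE),
]


@dataclass
class ProcessEvent:
    """One process-creation record: when, which parent, which new image."""
    timestamp: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'key=value|key=value' process-creation line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(
        timestamp=fields["ts"],
        parent_image=fields["parent"],
        image=fields["image"],
        command_line=fields.get("cmd", ""),
    )


def is_temp_path(path: str) -> bool:
    """True when the executable lives under one of the temp locations."""
    return any(pattern.search(path) for pattern in TEMP_PATTERNS)


def is_applet_drop(ev: ProcessEvent) -> bool:
    """The chain from the thread: an applet host launching an executable that
    sits in a temp directory. A native PE started this way runs with the
    user's full rights, so the Java sandbox offers no protection at all."""
    parent = ntpath.basename(ev.parent_image).lower()
    return parent in APPLET_HOSTS and is_temp_path(ev.image)


def find_applet_drops(lines: Iterable[str]) -> List[ProcessEvent]:
    """Return every event matching the host-to-temp-executable pattern."""
    return [ev for ev in map(parse_event, lines) if is_applet_drop(ev)]


# Constructed sample log (not real telemetry). Only the second event matches:
# the browser, with the applet inside it, starts a PE file dropped in Temp.
# The third event (explorer.exe running a temp installer) is deliberately
# outside this rule's scope; it is how a user-run download normally looks.
SAMPLE_LOG = [
    r"ts=2005-03-17T01:19:02|parent=C:\WINDOWS\explorer.exe"
    r"|image=C:\Program Files\Mozilla Firefox\firefox.exe|cmd=firefox.exe",
    r"ts=2005-03-17T01:19:05|parent=C:\Program Files\Mozilla Firefox\firefox.exe"
    r"|image=C:\Documents and Settings\user\Local Settings\Temp\dropped_installer.exe"
    r"|cmd=dropped_installer.exe /silent",
    r"ts=2005-03-17T01:20:11|parent=C:\WINDOWS\explorer.exe"
    r"|image=C:\Documents and Settings\user\Local Settings\Temp\some_setup.exe"
    r"|cmd=some_setup.exe",
    r"ts=2005-03-17T01:21:40|parent=C:\Program Files\Mozilla Firefox\firefox.exe"
    r"|image=C:\WINDOWS\system32\notepad.exe|cmd=notepad.exe",
]

if __name__ == "__main__":
    for hit in find_applet_drops(SAMPLE_LOG):
        print(f"{hit.timestamp}: {hit.parent_image} launched {hit.image}")
```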


#72 Zero (Authentic Member, 268 posts)

Posted 18 March 2005 - 01:24 AM

Alright, done, demoted. Now as per your post: Get used to it. Internet users are stupid. You've been using it long enough to come to that conclusion.

"This is getting rather vapid and sliding deeper into childishness, despite Rob's best efforts."

So why beat a dead horse -- Mike ain't apologizing.

"Realistically, I couldn't call the title "firefox/opera/netscape/netcaptor/everything else spyware infects IE" - that's rather a mouthful."

No, but perhaps ALTERNATE BROWSERS is better suited.... but that's my opinion.

"Plus, seeing as the initial "discovery" of this was done whilst using Firefox and seeing as that's the browser I used to run the test, it seemed perfectly valid to call it that."

Or was it a journalism trick to drive users to your site and create more of a buzz? That's what it did (see Slashdot).

"Once a browser vendor has said it's a browser issue, then it's a browser issue - end of story."

No. If you read Slashdot or any other news site, you'll see that's simply not true.

"The fact that it works on other browsers is irrelevant - if you're specifically talking about Firefox, you have to admit that it works."

I'll admit it works.... ONLY IF YOU CLICK YES.

"And how many spyware installs are caused by just that? It's not good enough to simply say the "stupid end user gets what they deserve" when they click "yes" to an applet, even an untrusted / unsigned one."

I refer you to my above text. Internet users are stupid (not all, but a lot of them). It's a common fact.

"Nowhere in the applet does it say anything about doing that"

If the three giant exclamation marks didn't catch you, or the other piece of text I highlighted in red, then perhaps it's a lesson to the end-user. Granted, what they are doing is evil and wrong; when in doubt, do some research.

"I like firefox as much as the next guy, but the simple fact is, this exploit works on Firefox, and now Mozilla are looking into it"

You insist on calling it an exploit when it clearly is NOT. If the user has that much information and is given a choice, YES or NO, it's simply not an exploit.

Edited by Zero, 18 March 2005 - 01:28 AM.


#73 Guest_Paperghost_* (Guest)

Posted 18 March 2005 - 01:40 AM

"Nowhere in the applet does it say anything about doing that"


Don't misquote. Nowhere does it state that anything other than a Java applet is asking for permission. What is lurking behind the yes / no facade isn't clear enough. In other words, one Java Runtime.exec() plus one browser that doesn't have some sort of whitelist for the applets equals one great big, fat, juicy exploit. And I quote:

Firefox is creating a platform that enables extensions and plug-ins to connect directly to the browser. You can't do that and then say, when an extension or plug-in behaves badly, "Hey, not our fault!"


Now for the rest..

"You insist on calling it an exploit when it clearly is NOT. if the user has that much information and is given a choice YES or NO its simply not an exploit."


Your insistence on saying this "isn't" an exploit is rather odd - you are basically saying that the whole history of social engineering / phreaking / phishing / confidence tricking cannot contain the word "exploit".

I'm sure Kevin Mitnick would disagree with you on that one.

And for info, the biggest piece of "computer fraud" as listed in the Guinness Book of Records was a piece of social engineering where the "hacker" didn't actually touch a single computer and got the money as a result of a yes / no interaction with another human.

Exploit? Very much so.

"No. If you read Slashdot or any other news site, you'll see that's simply not true".


There's more to life than Slashdot, kid.

Finally -

"This is getting rather vapid and sliding deeper into childishness, despite Rob's best efforts."

So why beat a dead horse -- Mike ain't apologising.


I wasn't talking about Mike - as an Admin of ASAP you should be aware that subject is now being resolved away from the public eye, so please comply with Maddoktor's wishes and stop discussing it on ASAP sites - I was talking about your refusal to acknowledge any of the valid points that you keep brushing aside because they don't "fit" with your idea of what security appears to be. I like Firefox. I use Firefox. However - the exploit works in Firefox.

It also works in other browsers - but if you're specifically talking about the Firefox browser (which I am) then the bottom line is -

The install works.

#74 Zero (Authentic Member, 268 posts)

Posted 18 March 2005 - 01:51 AM

"Your insistence on saying this "isn't" an exploit is rather odd - you are basically saying that the whole history of social engineering / phreaking / phishing / confidence tricking cannot contain the word "exploit".

I'm sure Kevin Mitnick would disagree with you on that one."

Kevin Mitnick would disagree? Sorry, but me and some fellow IRCers had a good laugh at that. I know what a hacker is; I've read Richard Stallman head to toe. http://www.stallman....on-hacking.html I'm not a fool with 'hacking'. I know about social engineering. I own Kevin's 'Art of Deception', I've read about bank scams etc., but that has little to do with the topic at hand.

"There's more to life than Slashdot, kid."

Funny you should say that. I suppose you don't know how Slashdot works. Let me elaborate. Users from around the world submit stories to Slashdot linking to various news sites such as CNN (which is a very big news source, FYI), news.com.com, ZDNet, Tom's Hardware, among other valuable news sites. It's a collaboration of people from around the world. This is how I get news from many different sources, a very well put together site for 'news for nerds', kid.

Finally --

It's not an exploit, it never was an exploit, it may be an exploit in the future if they rid themselves of the applet, but for now it remains not an exploit. Of course the install does work, if the user clicks yes; this makes it a collaboration of the user and the Java applet, thus -> not an exploit.

EDIT: I see you never remarked on how some internet users can be idiotic. Do you agree or ignore it?

Edited by Zero, 18 March 2005 - 01:55 AM.


#75 Efwis (Authentic Member, 76 posts)

Posted 18 March 2005 - 07:28 AM

"It's not an exploit, it never was an exploit, it may be an exploit in the future if they rid themselves of the applet, but for now it remains not an exploit."


I'm not wanting to get into any kind of discussion on this however I am curious as to what you define an exploit as?

exploit:Pronunciation: ik-'sploit, 'ek-"
Function: transitive verb
1 : to make productive use of : UTILIZE <exploiting your talents> <exploit your opponent's weakness>
2 : to make use of meanly or unjustly for one's own advantage <exploiting migrant farm workers>
- ex·ploit·able /-'sploi-t&-b&l/ adjective
- ex·ploit·er noun


definition supplied by Merriam-Webster Dictionary

As you can see, I highlighted the key entry for this definition. It does not say anything about it needing to be authorized by the exploited person or not. Therefore, the conclusion is that this is an exploit, IMHO.
