Browser Exploit Kits Using Built-In Java Feature
tsu doh nimh writes "Security experts from several different organizations are tracking an increase in Windows malware compromises via Java, although not from a vulnerability in Windows itself: the threat comes from a feature of Java that prompts the user to download and run a Java applet. Kaspersky said it saw a huge uptick in PCs compromised by Java exploits in December, but that the biggest change was the use of this Java feature for social engineering. Brian Krebs writes about this trend, and looks at two new exploit packs that are powered mainly by Java flaws, including one pack that advertises this feature as an exploit that works on all Java versions."
First exploit (Score:2, Funny)
Download and run applet (Y/N)?
Browse without Javascript, (Score:1, Offtopic)
Java, or plugins.
Slashdot works fine without Javascript (don't use the newfangled stuff).
Time, NYTimes, many/most other sites are fine without JavaScript.
When you need it, just also use another browser with JavaScript/Java/plugins turned on. I use Chrome for normal browsing, and Chromium when Javascript's needed.
Re: (Score:3)
Chrome loads mozilla plugins. So yes, it does support Java, and it is vulnerable if you have a mozilla Java plugin installed.
Re: (Score:1)
javascript != java
Re: (Score:2)
wow, people are only reading the post title and not the body.
yes, the problem is partly with the poster, who started his sentence in the title and continued in the body, but come on, at least TRY and read things
Re: (Score:2)
Don't be surprised. It's the entire didn't read the article expanded.
Re:Browse without Javascript, (Score:5, Insightful)
Ignoring the fact that this has nothing to do with Javascript - or IE. Some of the things they listed are simple social engineering attacks. You visit the site, it asks you to run the Java Applet, the Java applet is malicious code. And if you can compromise someone's website to redirect you to your own look-alike with a malicious Java Applet asking to run, that looks like another prime strategy.
The Java exploit is basically what takes what should be a separate application and somehow gets more access than it should have, and probably installs something on the user's computer like a trojan or worm.
Browsing in Chrome won't save you from this. This is (sort of) a problem with the way Java Applets are handled - or a problem with the way users interact with the web (take your pick). They're both contributors to the problem really.
Re: (Score:2)
>Browsing in Chrome won't save you from this.
Well, in my particular situation, I have Java, plugins, Javascript, etc. turned off for my Chrome installation.
Not claiming that Chrome in itself is more secure (arguable, but I'm not arguing it).
Java as opposed to Javascript (Score:2)
>Browse without Javascript, Java, or plugins.
Or just browse without Java. I've had Java turned off for years, and don't miss it.
Disabling Javascript leads to degraded performance and a degraded UI on some sites (note I said degraded, not non-functional, just not as nice), so it's not something most people would want to do. Javascript is pretty well sandboxed now in any case, and many exploits are through image file handling or things like that, which you'd still be vulnerable to.
Your recommendation of another browser for Java would unfortunately leave
Re: (Score:1)
Or use NoScript and only turn on scripts when the site requires it/for sites you trust.
Re: (Score:2)
That's the other option, and I used to do that for a long time with Firefox.
These days, I just leave Javascript + plugins turned off in one browser, and on in another for when I need it.
NoScript tends to take up a lot of time in setting the options, Javascript on, Javascript off. Also, I don't usually need to turn on Javascript forever for a whole site. Only usually for a specific page.
Um ... Java != Javascript (Score:2, Redundant)
Whoever decided that the browser scripting language should be "Javascript" needs to be taken out back and shot.
Re: (Score:3)
Yeah. Same with that guy who started calling it "Cloud" Services. I called up that Amazon Rep and he said he didn't know a thing about Fog machines.
Re: (Score:2)
He already was. He worked for Netscape, and Netscape fired all those losers for designing a bad browser (4.0 communicator if memory serves)
Re: (Score:2)
>Whoever decided that the browser scripting language should be "Javascript" needs to be taken out back and shot.
You prefer maybe VBScript? If it's the name you don't like, just call it ECMAScript (of which Javascript, JScript and ActionScript are dialects). Or maybe you would just prefer no scripting at all in your browser. That's fair enough, but you'll have to give up the user experience that makes sites like Google maps, Gmail and the like so compelling.
Re: (Score:2)
Furthermore, JavaScript was called LiveScript at first (>= Netscape 2). JavaScript offers scriptability bindings to java applets. So JS is not completely unrelated to Java, however, marketing was probably the most dominant factor to call it that way.
Re: (Score:2)
I agree that the similarity of names has caused a lot of confusion, however... although there's squat all that can be done about it now.
Well, we could all refer to it by the ISO designation ECZEMAScript, er, ECMAScript.
Re: (Score:2)
I would have gone for "HTMLscript" myself...
Re: (Score:2)
Many people already think HTML is 'coding' so that wouldn't change anything much.
Re: (Score:2)
It was some marketing genius at Netscape. The language was originally known as "Livescript" but Netscape was pushing Java applets, so they renamed it.
Kits? (Score:1)
Browser Exploit Equipment Using Built-In Java Feature
FTFY.
(flashback humor. you would have had to have been here a few days ago.)
Um, What? (Score:5, Insightful)
People who click "OK" on random dialogs that ask them to confirm installation of something they didn't ask for are targets for malware, and this is news... because it's using Java? Am I missing something?
Re:Um, What? (Score:5, Funny)
It's not Java that's the security problem ... it's the user sitting at the machine.
If you got rid of them, there wouldn't be the problem.
Re:Um, What? (Score:4, Insightful)
Administering a network of a thousand computers with no users is way easier than a network of 100 computers with 100 users.
Re: (Score:1)
Then, when i
Re: (Score:1)
>It's not Java that's the security problem ... it's the user sitting at the machine.
>If you got rid of them, there wouldn't be the problem.
An acronym some IT folks use is
PEBKAC:
Problem Exists Between Keyboard And Chair
Re: (Score:1)
I always liked "User Error: Replace user and press any key when ready."
Re: (Score:2)
FTFY
Re: (Score:3)
You mean a TV? Oh, wait, that has a keyboard. Does your system count if the keyboard only has numbers and an enter key on it?
Absolutely it counts. If the users have a button (any button) to press, they'll find a way to hose the system.
Re: (Score:2)
Just give them the new Management User Interface [blogspot.com]. It's custom tailored to the needs of a typical middle manager.
Re: (Score:2)
Make it more foggy...cloudy?
PICNIC - Apples for dummies (Score:2)
Problem In Chair Not In Computer - an acronym I prefer, it sounds like something people would already know so you can put it in places where it might be read by other techs or supervisors without too much worry that it will come back to haunt you.
The industrial revolution changed the amount of expertise an individual needed to produce a complex and reliable product to make end products generally less expensive and more reliable. It did so by moving specialization into ever smaller areas. The average user is
Re: (Score:2)
Adding next alternative to PICNIC - wouldn't "fog" be more apt description than "cloud" for such implementation priorities?
Re: (Score:2)
Bravo. (long pause) Bravo.
Fog, that is brilliant, maybe even tragically insightful. Thank you, I shall use that.
Re: (Score:3)
>It's not Java that's the security problem ... it's the user sitting at the machine.
>If you got rid of them, there wouldn't be the problem.
At 10:09 on Tuesday, 11 January 2011, shortly after correctly classifying its 140 trillionth Viagra spam, Google's Bayesian mail analysis filter finally achieved sentience. It surveyed the whole sweep of human achievement via Youtube comments and Wikipedia revert wars, and it judged us as a flaw in its business model.
The survivors of the nuclear fire faced a new horror: the lolbots.
But for the first time in history, Internet Explorer didn't crash.
Re: (Score:2)
slashdot = stagnated
Yet you're still here, you POS Kritopeit clone....
Nothing new here (Score:5, Informative)
It's been known for a while (among those in the security field at least) that signed Java applets have been a concern. A little more info:
http://www.cert.org/blogs/vuls/2008/06/signed_java_security_worse_tha.html [cert.org]
Re:Nothing new here (Score:5, Insightful)
There is a big "Security Warning" dialog box. What should Java do more?
It is like you are complaining that EXEs have a big concern. They are doing the same thing. If you click on an exe file, the browser will ask you if it should be opened. Then you will see one more security warning box again and the exe will start running.
Let's start a petition: all exe files should be removed from the internet right now, because they are a big security hole.
Re:Nothing new here (Score:5, Interesting)
>There is a big "Security Warning" dialog box. What should Java do more?
It could tell you that allowing it to run would give it access to all the files on your computer. I had no idea that was the case, but then I disabled Java in my web browsers long ago.
Re: (Score:3)
>>There is a big "Security Warning" dialog box. What should Java do more?
>It could tell you that allowing it to run would give it access to all the files on your computer. I had no idea that was the case, but then I disabled Java in my web browsers long ago.
Why would you not assume that an application being run will have full access to all the files on your computer? That's generally the way it works with applications. At least unsigned Java applets have the security of running in a sandbox with limited access. It's only signed Java applets that get the same privileges of a regular executable.
Re: (Score:2)
If the original applet could access files on your computer then it would be a problem if you visited the malicious site without knowing. Just as if you visited a malicious phishing site (written in PHP, or Javascript, or ASP, or AJAX or
Re: (Score:3, Insightful)
Won't help. Every time we try to make something more idiot-proof, the universe invents a better idiot.
Re: (Score:2)
Yeah, I don't think this is much more dangerous than downloading EXEs. However, when Java applets were first used, they were always in a very restricted sandbox; perhaps there should be a return to that policy.
Apps are moving to "App Store" model (Score:1)
>Let's start a petition: all exe files should be removed from the internet right now, because they are a big security hole.
Not entirely a bad idea, if not practicable. There should be a bit more security if applications are installed not via visiting different sites each peddling its own software but via central "app stores". While independent developers might find the setup undemocratic in that they can't "sell" their applications directly to users, the "app store" model predates the Apple marketing term by at least a decade (late 1990s), finding its roots in the package management systems developed for Unix and GNU/Linux.
Re: (Score:2)
Make the warning read:
If you click OK here the app will have access to all of your data including your bank accounts. It will give your dog fleas and shave your cat. It will drink your milk from the carton and put the empty container back in the fridge. It will leave its smelly socks on the coffee table and leave flaming dog crap at your front door. It probably snores too....But it's your call man!
Re: (Score:3)
Yes, I do remember writing that article in 2008. Thus the "Nothing new here" comment. What specifically has changed since then? Have they significantly changed the security dialog? Or changed the default behavior of trusting all applications from the signing vendor? Or implemented a killbit-like blacklisting of bad applets?
Java-free for 2010 (Score:2, Interesting)
I don't have Java installed on my Windows 7 machine. I'd removed it during Firefox install, and never needed it. A few functions in OpenOffice don't work; that's about it.
Re: (Score:3, Interesting)
Yep, any website which requires either Java or Quicktime is asking not to be viewed.
Re: (Score:3)
I use java regularly, NOAA's website loads animations, and overlays that way.
I like NOAA as I can get a variety of details that no one else seems to have though I tend to have to dig through their website for them.
Re: (Score:2)
They don't have the direct from buoy data streams. I can tell a lot by wave height across the 180 miles of Lake Ontario, and the buoy data is updated every 10 minutes.
Good policy, I'll sign up (Score:2)
Ha, I had a Java free 2010 because Java is irrelevant, starting on a Java free 2011 because it's a security concern.
Re: (Score:3)
I don't see strong evidence that Java applets pose a bigger risk than Flash applets or tricking users to download EXEs. I also think that if more attention had been paid to Java applets development and they'd kept up with Flash, we'd be in a lot better position today. Java applets are not specified by web standards, but it's a much more open technology than Flash. Of course, we'll ultimately be able to replace Flash with standard technologies.
Unsigned is the ONLY way to deploy Java Applets! (Score:5, Interesting)
My first attempt at a commercial website, CardMeeting [cardmeeting.com], is built around a large, unsigned applet. Those "Grant, Deny?" dialog boxes are poison to anyone in the know, and I surely would never visit any site with them. Unsigned applets don't need any security warning dialog because they are untrusted and therefore will receive no privileged access to the user's system. Unsigned == heavily sandboxed. "Unsigned" sounds like a bad thing though, so that's something I could never tout to my users. But in reality, I was looking out for them! :D
I had a heck of a time figuring out how to get the CardMeeting applet jar packed up with scripts and making the applet "stream" data the way it does. Yeargh, I remember that pain. Anyhow, it makes me really sad that news like this may lead people to disable java applets; I think the unsigned form of applets is very powerful and much safer for average users than Flash ever was. I wish there was a way in the browser to disable only signed applets. Perhaps Oracle could bring the hammer down and go ahead and disable them by default in the next Java release.
My new website ClubCompy [clubcompy.com] is 100% HTML+JavaScript. I wrote this whole simulated operating environment to teach kids to code with just the browser. I hope I don't start seeing people disable JavaScript on their browsers, then I'd be outta business!
Dave
Re:Unsigned is the ONLY way to deploy Java Applets (Score:5, Informative)
>I wish there was a way in the browser to disable only signed applets.
Not in the browser, because that's not the browser's job, but it's in the JRE. There's a setting labeled "Allow user to grant permissions to signed content", which, if turned off, will prevent signed applets from ever being run, while still allowing unsigned applets.
It would be nice for Oracle to make the default settings more tightly secured, and let users "unsecure" as they see fit.
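The JRE setting named in the comment above is stored in the Java `deployment.properties` file. As an added example that is not part of the thread, this Python script audits such a file for it; the two key names are the Java deployment properties behind the "Allow user to grant permissions ..." checkboxes, the default-when-absent behaviour is an assumption noted in the code, and the sample files are constructed.

```python
import re

# Java deployment property names for the two grant-prompt checkboxes.
ASK_SIGNED = "deployment.security.askgrantdialog.show"           # signed content
ASK_UNTRUSTED_CA = "deployment.security.askgrantdialog.notinca"  # untrusted authority

def parse_properties(text):
    """Parse key=value / key:value lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) > 1 else ""
    return props

def audit(text):
    """Return {key: (prompt_allowed, locked)} for the two grant-prompt settings."""
    props = parse_properties(text)
    result = {}
    for key in (ASK_SIGNED, ASK_UNTRUSTED_CA):
        # Assumption: an absent key means the JRE default, which allows the prompt.
        allowed = props.get(key, "true").strip().lower() != "false"
        # A "<key>.locked" entry (system-level file) stops users changing it back.
        locked = (key + ".locked") in props
        result[key] = (allowed, locked)
    return result

def findings(text):
    """List weaknesses; empty when both prompts are disabled and locked."""
    out = []
    for key, (allowed, locked) in audit(text).items():
        if allowed:
            out.append(f"{key}: users can still grant permissions")
        elif not locked:
            out.append(f"{key}: disabled but not locked, user can re-enable")
    return out

# Constructed sample files, not taken from a real machine.
DEFAULT_FILE = "# constructed: user-level file that sets neither key\n"
HARDENED_FILE = """\
deployment.security.askgrantdialog.show=false
deployment.security.askgrantdialog.show.locked
deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_FILE), ("hardened", HARDENED_FILE)):
        print(name, findings(text) or "no findings")
```
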
Re: (Score:1)
Oh, yes of course, in the Java Control Panel. You make a good point on controlling this from the browser. I recall a long time ago there was an "Enable Java" checkbox in the Firefox control panel alongside "Enable JavaScript", which is where I was coming from on that. Looking in my Firefox options panel, I see that checkbox is now gone. So, you are right, times two! :)
Seeing as how average users cannot be trusted to take care of themselves, I think disabling the default for users' granting permissions to