
Firefox Browser Usage and Support Forum

Spyware uses Firefox to infect IE

 10:36 pm on Mar 11, 2005 (gmt 0)

What a nasty thing. It looks like it's hard to point the finger at one particular browser's security - it's a jointly held burden. The spyware uses Java (not JavaScript) to jump from FF over to IE, even if IE is not open.

Christopher Boyd, a security researcher at Vitalsecurity.org, said the malware installer was capable of working on a range of browsers with native Java support.

"The spyware installer is a Java applet powered by the Sun Java Runtime Environment, which allows them to whack most browsers out there, including Firefox, Mozilla, Netscape and others. In the original test, only Opera and Netcaptor didn't fall for the install but Daniel Veditz, who is the head of Mozilla security, has since confirmed to me that this will also work in Opera and Netcaptor," he explained.




 11:31 pm on Mar 11, 2005 (gmt 0)

Un bleepin believable!

Why? To what end? Just because they could, I suppose.

The Internet just isn't fun anymore...


 12:54 am on Mar 12, 2005 (gmt 0)

The basic problem is that it is not IE which is insecure, it is Windows which is insecure. Spyware infects the operating system, not (just) the browser. IE, by its ubiquity and its integration with the operating system, is a powerful vector for attacking Windows, but malware can use Firefox, Opera, Outlook or any other web-enabled application to do the same thing.

Switching to Firefox helps a little because you make things a bit harder, but it is like putting a stronger padlock on a safe made out of chocolate. If you want truly better security, look at alternative operating systems, not just alternative browsers.


 1:41 am on Mar 12, 2005 (gmt 0)

I'll agree 100% that Windows is the problem and the target.
When MS set the system up right along with HTML email they did so without realizing how many sleaze bags crawl around out here. Now the cat is out of the bag, but it doesn't matter which OS is used.
If by some stroke of magic, OS-X or Linux would gain control of more than 50% of the market share the Internet would be a safer place....for all of 5 days.
The above mentioned "programmers/sleaze bags" would find more holes than could or would be fixed in a reasonable amount of time.
I've worked on several machines owned by people with 5 years + computing experience that needed at least 10 critical updates from MS. They had holes that should have been plugged a year or more ago. People are lazy and live hurried lives and doing updates and maintenance on their computers is NOT one of the top things on their list of things to do.


 3:00 am on Mar 12, 2005 (gmt 0)

The Chris Pederick Web Developer Extension for Firefox gives you a number of useful tools - like a drop down that allows you to disable referrer information, Disable Javascript - and Disable Java.


 5:44 am on Mar 12, 2005 (gmt 0)

First time I have heard of Sun Java having such a serious problem, I thought they got it all fixed recently. In any case I always browse with Java off in both browsers.

The question is, does any major site still use Java?
We need to regress to the age of the web before Java and ActiveX...


 9:09 am on Mar 12, 2005 (gmt 0)

> Disable Java

or enable brain. Before executing the applet, Firefox shows a big yellow exclamation mark dialog telling the user that the applet comes from an untrusted source and that its certificate is invalid or expired.

And this is not at all specific to Firefox. It affects every browser that has the JRE's browser plugin installed and enabled.


 9:55 am on Mar 12, 2005 (gmt 0)

I read both the article and the Blog entry that spawned the article, and I took this away from the whole situation:

Yes, it is a serious security issue, but for once, IE and MS aren't to blame. Neither is FF, or any other browser, for that matter.

JRE is the attack vector, so Sun should really be the one taking the bad press.

Notably, even after infection, it looks like FF itself stays clean. So sure, the attack can vector through any browser, but it's IE, in the end, that takes the hit. Which would be fine, if you didn't have to use IE for so dang much on a WinBox, like looking through your files and such. IE is embedded too deep into Windows, but that's not really news.

Also: It packs a heck of a Scumware wallop. The list of scumware that gets installed is pretty impressive. That, to me, points to some pretty high level co-operation among the scumware operators. Not really news, but good confirmation.


 11:46 am on Mar 12, 2005 (gmt 0)

> The question is, does any major site still use Java?

My Bank's entire online Banking system is in Java (but I really wish that they just used an HTML system like everyone else).


 4:11 pm on Mar 12, 2005 (gmt 0)

Hanu is absolutely correct.

Conard, you gotta look before you peep about a decrease in MS market share would lead to an increase in attack program propagation.

The reason so many of these Win-based programs exist is because (1) the tools to clone them are so readily available, (2) the target's architecture is so integrated for the wrong reasons, (3) the target's security layer is so perforated and (4) the arrogance of its manufacturer spawns genuine cyber-road rage in lots of ne'er do wells. None of these elements exist in "alternative" operating systems ... well ... maybe Apple is headed that way ... but the OpenSource community, believe it or not (and please investigate for yourself) is making sure they never do exist in the core of Linux.

Ok ... maybe the arrogance will get to be a problem after awhile, but nobody ever took control of a computer using an arrogance hack.

I reassert that Hanu is correct. The biggest security hole in any environment is the human clicking the "Infect Me" button.


 5:49 pm on Mar 12, 2005 (gmt 0)

> I'll agree 100% that Windows is the problem and the target.

I could not disagree more in this particular case.

Can't blame the operating system if it wasn't the operating system that installed the malware.


 6:49 pm on Mar 12, 2005 (gmt 0)

> Can't blame the operating system if it wasn't the operating system that installed the malware.

Maybe you can't blame them but it should be their duty to provide a safe environment. Am I not right?


 12:44 am on Mar 13, 2005 (gmt 0)

> Maybe you can't blame them but it should be their duty to provide a safe environment. Am I not right?

But by this logic you are saying that linux is not a safe environment because they didn't provide a solution to the recent phpbb exploits, or other exploits that arise through use of third party programs. It is the o/s responsibility to be as safe as it can be, but it is the administrator of the computer to determine what added software is safe or not.

In this case it's Sun's duty to provide a fix for this exploit, and they are at fault, not M$.


 3:15 am on Mar 14, 2005 (gmt 0)

Yeah, on this one you can't blame MS. Really, even the Sun's JRE, it's working like it's supposed to... in this case there is no one to blame except the user, once *you* give a Java app rights to run ... it's just like any other app... I'm surprised this is even news :)

It could happen to Linux also; in fact, if Linux were the dominant OS... I think there would be adware for it; don't you?

On further thought, the registry... the heart of Windows since 95 needs to be the focus for security enhancements... as in once you flag a key as locked... it should remain locked and when any user tries to access it, alert that user that access was attempted but denied. If access was desired, you can only set it through the application that initiated the lock (hmmm interesting) you can't add toolbars without entries nor "browser helper objects" or any of that crap.. Linux is file based (no registry) but really ... if you're foolish enough to run X as root you deserve what you get. ( I say this as I'm running X as root :) )

Arlo Gilbert

 1:34 pm on Mar 14, 2005 (gmt 0)

I'm sorry but I have no sympathy, you've asked to view a Neil Diamond media file and you get a prompt from Integrated Search Technologies (according to the screenshot).

The certificate has two huge warnings saying that it is not trusted.

We're not talking about fine print here folks, this is about as clear as a warning can get.

Regardless however, take a look at how the adware industry works and what you'll find in this situation is that the adware companies are actually the ones taking it in the rear end in this scenario.

1) Their adware targets only the IE browser (as is the case with DyFuCa).
2) The adware maker paid IST a bounty for that installation.
3) Because the user is a Firefox user it is unlikely that DyFuCa will ever recoup their bounty.

This is really the equivalent of somebody putting sugar in the gas tank of a junk car that you keep in your garage imho.

This author is engaged in irresponsible journalism imho. Picking and choosing which facts to share with the public.

Of course he got what he wanted, front page news. Seems self serving.


 1:40 pm on Mar 14, 2005 (gmt 0)

> or enable brain.

I'm not sure one of those helps either. I found a fake Google toolbar on my home machine the other day - goodness knows what evil it was instigating.

I have a firewall and up to date IE. I've worked as a web developer for 8 years so I should know about these things, but the only thing that saved me is remembering that I'd never installed the Google Toolbar (real or fake) on my home machine!


 2:31 pm on Mar 14, 2005 (gmt 0)

"the adware companies are actually the ones taking it in the rear end in this scenario."

Exactly, the hijack installs are all about sticking it to the adware companies like 180 who in turn stick it to the advertiser. You think they want to be on a computer that is unusable alongside 300 other installs? It's like buying exit traffic from a popup :).


 3:41 pm on Mar 14, 2005 (gmt 0)

Ugh, this has NOTHING to do with Firefox!

To quote from the excellent Spywareinfo.com weekly newsletter:

Epidemic Of Firefox Spyware Infecting Computers Worldwide!

Quick! Run for the hills! Firefox spyware is running rampant and infecting every computer in sight!


Sometimes I just want to bang my head on the desk and keep doing it until the desk surrenders unconditionally. If you were to believe several online news sites, there is an epidemic of spyware infecting Internet Explorer by way of Firefox. If you were also to believe that these accounts were written by competent journalists who have checked their facts, you would be wrong on both counts.

The situation to which these people are "reporting" (to use the term loosely) is about a malware installer using Sun's Java runtime environment. Let me explain what Java is.

Java is similar to Microsoft's .Net environment. It is a programming language which requires the user to have the "runtime environment" files installed on the computer. It also is similar to the Visual Basic runtime environment. You have to have Windows Scripting Host installed for visual basic files to run. For .Net or Java programs to operate, you have to have the proper files for those programming environments installed.

All current graphical web browsers include support for a Java "plug-in". What that does is allow small Java programs, or applets, to be run inside of a web browser window. You can do some pretty cool things with java applets. These applets are being run by the Java environment installed on the computer, not by the browser.

Normally, a Java applet runs in a "sandbox", a protected area of computer memory that cannot interact with the rest of the system. Unlike ActiveX, a Java applet can't install software without explicit permission because of this sandboxing. If a Java applet tries to access the system outside of its sandbox, a security alert will pop-up warning the user and asking if the user wishes to allow the action.

The Java applet causing the current ruckus installs a number of spyware and adware programs. However, before it can do that, a security prompt pops up. The pop-up is labeled "Warning - Security". It warns that the "Publisher authenticity can not be verified", that "the security certificate was issued by a company that is not trusted" and that "the security certificate has expired or is not yet valid". Under no circumstance does this rogue Java applet install software without the user giving it permission to do that. And to be honest, you'd have to be pretty dense to click "Yes" to such a prompt arriving out of nowhere.

What is truly sad here is that the news sites I mentioned earlier are portraying this as a spyware targeting and infecting the Firefox web browser. These news sites are doing a grave disservice to their readers by misleading them. This is not a problem with Firefox or with any other web browser.

It is Java running this installer. In fact, Java is doing exactly what it was designed to do by popping up the security warning when the installer attempts to bypass the protected sandbox. This is the very reason the sandbox exists, to stop malicious software exactly like this. This is an extra layer of security beyond what you'd see with ActiveX. With ActiveX, you either let it run or not. With Java, you either let it run or not and it also warns you when the Java applet is trying to do something suspicious after it has started to run. Yes, this sandboxing can be bypassed if a flaw exists and is discovered. Be sure you keep your installation of Java up to date because Sun fixes these flaws when they are discovered.

Whether or not this is a problem with Java is debatable. Personally, I don't see this installer as a problem. It can't do anything unless the user ignores a very stern security warning. Still, people can debate this all they want.

My frustration with this is that people are calling it a problem with Firefox. That is patently untrue. Every single browser is going to pop up a similar warning when it encounters this particular Java applet. If this had been labeled a problem with all web browsers, it still would be untrue, but at least it would not slander a particular browser. The people publishing this libelous nonsense should be ashamed of themselves and should print a prominent correction.

So there you have it. Leave Firefox alone!


 5:54 pm on Mar 14, 2005 (gmt 0)

"I found a fake Google toolbar on my home machine the other day"

bwahahaha, that took some imagination, balls and trademark infringement on their part :)


 9:02 am on Mar 17, 2005 (gmt 0)

That newsletter might not be so excellent - read this:


And I quote:

"Mike Healan’s original article (mentioned below) generated quite a flame war, one in which I found myself an unwitting - and unwilling - target. Based on the feedback I received, it appears as though I need to make some clarification of my position if I am ever going to be able to get back to writing something besides conciliatory e-mails to those who were upset by my article.

First of all, let me state that it was not my intention to disparage or damage anyone’s credibility and if I have done so inadvertently, I apologize to those persons. The ethics of the journalistic profession and my own personal integrity as a writer and analyst compel me to correct my error of having misrepresented the facts. What follows is my corrected position on the issue.

It all started, apparently, with an article by Mike Healan in the latest Spyware Weekly newsletter which has a headline that screams "Epidemic Of Firefox Spyware Infecting Computers Worldwide!" It certainly got my attention. I read on to find that according to Healan, some publications (Alternative browser spyware infects IE, Firefox Spyware infects IE?) allegedly claimed that a Java-based malware installer is a Firefox flaw that causes infections in IE.

I do not approve of the potentially inflammatory nature of the headlines in any of the articles because they can initially lead the reader to believe that Firefox IS the problem. But, having read all the articles in depth, brushing aside my own bias in favor of Firefox and against sensationalism, I must conclude that neither The Register nor vitalsecurity.org actually claimed Firefox was the source of any spyware infections of IE. I stand corrected.

I withdraw my original statements in agreement with the Spyware Weekly article and urge Mr. Healan to issue a correction."

And many people in the security field are actually now publicly stating that this DID target Firefox - Ed Bott:

"The developers of this exploit are clearly attempting to target Firefox, which has had 25 million downloads since last November and has gained a substantial amount of market share. The applet doesn't run on Internet Explorer. It might run on Opera (I don't have Opera installed here to test it), but Opera has minuscule share. The target is clearly Firefox, and this exploit was developed precisely because Firefox has been successful and because the formerly reliable ActiveX-based methods of installing spyware don't work with it."

Interesting that there's two definite points of view on this..


 10:28 am on Mar 17, 2005 (gmt 0)

Can anyone please tell me why I should believe that a person able to set up a blog and post articles in decent English doesn't understand the sentence "The security certificate was issued by a company that is not trusted."? Please!

Some people obviously need to play stupid in order to get news to write about. I guess that in a world where it is commonly accepted that right now Firefox is the safer browser than IE, bad news about Firefox is good news because it gets you traffic.

My site needs traffic too. So why don't I just play stupid:

Spyware exploits Linux to infect a Windows partition

I searched Google for websites about my favourite movie "Rodents Revenge" and the first result was a website that offered a Linux executable for download. Not knowing what a Linux executable is, I decided to download it in order to see for myself. I used Firefox to download but it wouldn't let me open the executable. So I saved it on disk instead and went back to that "Rodents Revenge" website. And yes, it said that you had to save the executable on disk and then open a shell and type "chmod u+x RodentsRevenge" which I did. I then double clicked the RodentsRevenge icon on KExplorer.


This quote is hypothetical and completely made up by me, in case you wonder.


 10:48 am on Mar 17, 2005 (gmt 0)

"Can anyone please tell me why I should believe that a person able to set up a blog and post articles in decent English doesn't understand the sentence "The security certificate was issued by a company that is not trusted."? Please!"

It's quite clear that he is TESTING the install and walking us through what happens step by step. I'm not entirely sure why people don't seem to be able to get that.

Again - many security experts are now agreeing that this WAS aimed at Firefox, though not specifically exploiting it.

To be fair, the original article is quite clear that Java is responsible, and also highlights that other browsers are affected.

The title is merely a question, which is appropriately answered. It's also mentioned that the initial browser this was highlighted on was Firefox, which seems as good a place as any to begin the investigation of the exploit.

After all, seeing as how Mozilla security team actually got involved in this (from the comments in the weblog), it would have been rather odd to then slant the article towards Opera / Netscape / someone else.

I've been following this for some time and the misconceptions around this are amazing.


 12:33 pm on Mar 17, 2005 (gmt 0)

> It's quite clear that he is TESTING the install and walking us through what happens step by step. I'm not entirely sure why people don't seem to be able to get that.

People don't get that because it's not what he says he did. Read this:

This is confusing. As an unsuspecting user, I'm not really sure what a "security certificate" is. The dialog box is different, but I just installed another program with a complicated dialog box and it seemed safe enough, so I guess it's probably OK to install this one too. Hmmm, maybe I should click the More Details button first, just to see what's there.

Let me rephrase. The whole thing is pointless because it is based on the assumption that average users are as stupid as the blog author is pretending to be. If a user is stupid enough to ignore the above warning dialog, the very same user can cause all sorts of other havoc like downloading exes and running them. It's like saying: "IMPORTANT SECURITY NEWS: DO NOT CROSS THE FREEWAY BLINDFOLDED. YOU MIGHT STEP ON THE LAST SPECIMEN OF AN ENDANGERED KIND AND KILL IT."


 12:55 pm on Mar 17, 2005 (gmt 0)

But people DO click things. It only takes a second for a spurious yes / no prompt to appear and, whilst having a few apps open, performing various tasks, it only takes one slip of a finger / mis-key / accident and BAM, you're nailed.

Also, Java is rather inaccurately hailed as "safe" because of the spurious notion of a sandbox. The way this exploit runs bypasses the sandbox entirely, and nowhere in the yes / no agreement does it mention that the applet is going to have a win32 exe download and install itself into the temp directory. Add to that the fact that many average users using Firefox will be under the misguided notion that they're "safe" because there's no ActiveX / XPIs are blocked etc. and it's quite right to assume this would catch more people out than a regular, bog standard popup appearing whilst using IE.

/ edit - I'd also like to point out that this particular install DOES effectively target Firefox - because it checks what type of browser you're using.

If it's IE, it gives you an ActiveX prompt and NOT Java.

If Firefox (or to a degree any Mozilla based browser) then you get the Java applet instead.


 9:18 pm on Mar 17, 2005 (gmt 0)

Subseven, what do you expect? Should Firefox read people's mind?

Dave, you clicked Yes but I'm sure you meant No, didn't you, Dave?

Now that would be scary, wouldn't it?

I have accidentally formatted my harddisk before. I have accidentally wiped a server. I have blown an electronic gadget because I used a cable that had the wrong polarity and so on and so on. I don't blame anyone but me.

Also, it does not make a difference that the spyware detects which browser it runs on. That's just portable programming ;-). It doesn't mean that FF or the JVM is broken.


 11:11 am on Mar 18, 2005 (gmt 0)

Interesting that many security guys / commentators are now agreeing with the original author. Found these from the many, many articles regarding this..

Ed Bott tests the Windows install:

Ed Bott looks at the newsletter:


"Firefox is creating a platform that enables extensions and plug-ins to connect directly to the browser. You can't do that and then say, when an extension or plug-in behaves badly, "Hey, not our fault!""


 4:24 pm on Mar 18, 2005 (gmt 0)

Well, if the great Ed Bott says that, I'll have to give in.
