Welcome to WebmasterWorld Guest from 126.96.36.199
Forum Moderators: incrediBILL
Christopher Boyd, a security researchers at Vitalsecurity.org, said the malware installer was capable of working on a range of browsers with native Java support.
"The spyware installer is a Java applet powered by the Sun Java Runtime Environment, which allows them to whack most browsers out there, including Firefox, Mozilla, Netscape and others. In the original test, only Opera and Netcaptor didn't fall for the install but Daniel Veditz, who is the head of Mozilla security, has since confirmed to me that this will also work in Opera and Netcaptor," he explained.
Switching to Firefox helps a little because you make things a bit harder, but it is like putting a stronger padlock on a safe made out of chocolate. If you want truly better security, look at alternative operating systems, not just alternative browsers.
The question is, does any major site still use Java?
We need to regress to the age of the web before Java and ActiveX...
or enable brain. Before executing the applet, Firefox shows a big yellow exclamation mark dialog telling the user that the applet comes from an untrusted source and that its certificate is invalid or expired.
And this is not at all specific to Firefox. It affects every browser that has the JRE's browser plugin installed and enabled.
Yes, it is a serious security issue, but for once, IE and MS aren't to blame. Neither is FF, or any other browser, for that matter.
JRE is the attack vector, so Sun should really be the one taking the bad press.
Notably, even after infection, it looks like FF itself stays clean. So sure, the attack can vector through any browser, but it's IE, in the end, that takes the hit. Which would be fine, if you didn't have to use IE for so dang much on a WinBox, like looking through your files and such. IE is embedded too deep into Windows, but that's not really news.
Also: It packs a heck of a Scumware whallop. The list of scumware that gets installed is pretty impressive. That, to me, poinst to some pretty high level co-operation among the scumware operators. Not really news, but good confirmation.
Conard, you gotta look before you peep about a decrease in MS market share would lead to an increase in atack program propagation.
The reason so many of these Win-based programs exist is because (1) the tools to clone them are so readily available, (2) the target's architecture is so integrated for the wrong reasons, (3) the target's security layer is so perforated and (4) the arrogance of its manufacturer spawns genuine cyber-road rage in lots of ne'er do wells. None of these elements exist in "alternative" operating systems ... well ... maybe Apple is headed that way ... but the OpenSource community, believe it or not (and please investigate for yourself) is making sure they never do exist in the core of Linux.
Ok ... maybe the arrogance will get to be a problem after awhile, but nobody ever took control of a computer using an arrogance hack.
I reassert that Hanu is correct. The biggest security hole in any environment is the human clicking the "Infect Me" button.
joined:Mar 8, 2002
I'll agree 100% that Windows is the problem and the target.
I could not disagree more in this particular case.
Can't blame the operating system if it wasn't the operating system that installed the malware.
Maybe you cant blame them but it should be they're duty to provide a safe environment. Am I not right?
But by this logic you are saying that linux is not a safe environment because they didn't provide a solution to the recent phpbb exploits, or other exploits that arise through use of third party programs. It is the o/s responsibility to be as safe as it can be, but it is the administrator of the computer to determine what added software is safe or not.
In this case it's Sun's duty to provide a fix for this exploit, and they are at fault, not M$.
it could happen to Linux also, infact, if Linux were the dominant OS... I think there would be adware for it; dont you?
On further thought, the registry... the heart of Windows since 95 needs to be the focus for security enhancements... as in once you flag a key as locked... it should remain locked and when any user trys to access it, alert that user that access was atempted but denied. If access was desired, you can only set it through the application that initiated the lock (hmmm interesting) you cant add toolbars without entries nor "browser helper objects" or any of that crap.. Linux is file based (no registry) but really ... if you're foolish enough to run X as root you deserve what you get. ( I say this as Im running X as root :) )
The certificate has two huge warning saying that it is not trusted.
We're not talking about fine print here folks, this is about as clear as a warning can get.
Regardless however, take a look at how the adware industry works and what you'll find in this situation is that the adware companies are actually the ones taking it in the rear end in this scenario.
1) Their adware targets only the IE browser (as is the case with DyFuCa).
2) The adware maker paid IST a bounty for that installation.
3) Because the user is a firefox user it is unlikely that DyFuCa will ever recoup their bounty.
This is really the equivalent of somebody putting sugar in the gas tank of a junk car that you keep in your garage imho.
This author is engaged in irresponsible journalism imho. Picking and choosing which facts to share with the public.
Of course he got what he wanted, front page news. Seems self serving.
or enable brain.
I'm not sure one of those helps either. I found a fake Google toolbar on my home machine the other day - goodness knows what evil it was instigating.
I have a firewall and up to date IE. I've worked as a web developer for 8 years so I should know about these things, but the only thing that saved me is remembering that I'd never installed the Google Toolbar (real or fake) on my home machine!
Exactly, the hijack installs are all aobut sticking it to the adware companies like 180 who inturn stick it to the advertiser. you think they want to be on a computer that is unuseable along side 300 other installs? its like buying exit traffic from a popup :).
To quote from the excellent Spywareinfo.com weekly newsletter:
Epidemic Of Firefox Spyware Infecting Computers Worldwide!
Quick! Run for the hills! Firefox spyware is running rampant and infecting every computer in sight!
Sometimes I just want to bang my head on the desk and keep doing it until the desk surrenders unconditionally. If you were to believe several online news sites, there is an epidemic of spyware infecting Internet Explorer by way of Firefox. If you were also to believe that these accounts were written by competant journalists who have checked their facts, you would be wrong on both counts.
The situation to which these people are "reporting" (to use the term loosely) is about a malware installer using Sun's Java runtime environment. Let me explain what Java is.
Java is similar to Microsoft's .Net environment. It is a programming language which requires the user to have the "runtime environment" files installed on the computer. It also is similar to the Visual Basic runtime environment. You have to have Windows Scripting Host installed for visual basic files to run. For .Net or Java programs to operate, you have to have the proper files for those programming environments installed.
All current graphical web browsers include support for a Java "plug-in". What that does is allow small Java programs, or applets, to be run inside of a web browser window. You can do some pretty cool things with java applets. These applets are being run by the Java environment installed on the computer, not by the browser.
Normally, a Java applet runs in a "sandbox", a protected area of computer memory that cannot interact with the rest of the system. Unlike ActiveX, a Java applet can't install software without explicit permission because of this sandboxing. If a Java applet tries to access the system outside of its sandbox, a security alert will pop-up warning the user and asking if the user wishes to allow the action.
The Java applet causing the current ruckus installs a number of spyware and adware programs. However, before it can do that, a security prompt pops up. The pop-up is labeled "Warning - Security". It warns that the "Publisher authenticity can not be verified", that "the security certficate was issued by a company that is not trusted" and that "the security certificate has expired or is not yet valid". Under no circumstance does this rogue Java applet install software without the user giving it permission to do that. And to be honest, you'd have to be pretty dense to click "Yes" to such a prompt arriving out of nowhere.
What is truly sad here is that the news sites I mentioned earlier are portraying this as a spyware targeting and infecting the Firefox web browser. These news sites are doing a grave disservice to their readers by misleading them. This is not a problem with Firefox or with any other web browser.
It is Java running this installer. In fact, Java is doing exactly what it was designed to do by popping up the security warning when the installer attempts to bypass the protected sandbox. This is the very reason the sandbox exists, to stop malicious software exactly like this. This is an extra layer of security beyond what you'd see with ActiveX. With ActiveX, you either let it run or not. With Java, you either let it run or not and it also warns you when the Java applet is trying to do something suspicious after it has started to run. Yes, this sandboxing can be bypassed if a flaw exists and is discovered. Be sure you keep your installation of Java up to date because Sun fixes these flaws when they are discovered.
Whether or not this is a problem with Java is debatable. Personally, I don't see this installer as a problem. It can't do anything unless the user ignores a very stern security warning. Still, people can debate this all they want.
My frustration with this is that people are calling it a problem with Firefox. That is patently untrue. Every single browser is going to pop up a similar warning when it encounters this particular Java applet. If this had been labeled a problem with all web browsers, it still would be untrue, but at least it would not slander a particular browser. The people publishing this libelous nonsense should be ashamed of themselves and should print a prominent correction.
So there you have it. Leave Firefox alone!
and i quote:
"Mike Healan’s original article (mentioned below) generated quite a flame war, one in which I found myself an unwitting - and unwilling - target. Based on the feedback I received, it appears as though I need to make some clarification of my position if I am ever going to be able to get back to writing something besides conciliatory e-mails to those who were upset by my article.
First of all, let me state that it was not my intention to disparage or damage anyone’s credibility and if I have done so inadvertently, I apologize to those persons. The ethics of the journalistic profession and my own personal integrity as a writer and analyst compel me to correct my error of having misrepresented the facts. What follows is my corrected position on the issue.
It all started, apprently, with an article by Mike Healan in the latest Spyware Weekly newsletter which has a headline that screams "Epidemic Of Firefox Spyware Infecting Computers Worldwide!" It certainly got my attention. I read on to find that according to Healan, some publications (Alternative browser spyware infects IE, Firefox Spyware infects IE?) allegedly claimed that a Java-based malware installer is a Firefox flaw that causes infections in IE.
I do not approve of the potentially inflammatory nature of the headlines in any of the articles because they can initially lead the reader to believe that Firefox IS the problem. But, having read all the articles in depth, brushing aside my own bias in favor of Firefox and against sensationalism, I must conclude that neither The Register nor vitalsecurity.org actually claimed Firefox was the source of any spyware infections of IE. I stand corrected.
I withdraw my original statements in agreement with the Spyware Weekly article and urge Mr. Healan to issue a correction."
And many people in the security field are actually now publicly stating that this DID target Firefox - ed bott:
"The developers of this exploit are clearly attempting to target Firefox, which has had 25 million downloads since last November and has gained a substantial amount of market share. The applet doesn't run on Internet Explorer. It might run on Opera (I don't have Opera installed here to test it), but Opera has minuscule share. the target is clearly Firefox, and this exploit was developed precisely because Firefox has been successful and because the formerly reliable ActiveX-based methods of installing spyware don't work with it."
Interesting that theres two definite points of view on this..
Some people obviously need to play stupid in order to get news to write about. I guess that in a world where it is commonly accepted that right now Firefox is the safer browser than IE, bad news about Firefox is good news because it gets you traffic.
My site needs traffic too. So why don't I just play stupid:
Spyware exploits Linux to infect a Windows partition
I searched Google for websites about my favourite movie "Rodents Revenge" and the first result was a website that offered an Linux executable for download. Not knowing what a Linux executable is, I decided to download it in order to see for myself. I used Firefox to download but it wouldn't let me open the executable. So I saved it on disk instead and went back to that "Rodents Revenge" website. And yes, it said that you had to save the executable on disk and then open a shell and type "chmod u+x RodentsRevenge" which I did. I then double clicked the RodentsRevenge icon on KExplorer.
After that burning hell broke down on me. Can you believe it? The RodentsRevenge program was a virus! IT WIPED MY ENTIRE HARDDISK INCLUDING MY DATA ON THE WINDOWS PARTITION. THAT'S NOT FAIR! THIS CAN HAPPEN TO ANYBODY! FIREFOX DAMAGED MY WINDOWS PARTITION!
This is quote is hypothetical and completely made up by me, in case you wonder.
Its quite clear that he is TESTING the install and walking us through what happens step by step. Im not entirely sure why people dont seem to be able to get that.
Again - many security experts are now agreeing that this WAS aimed at Firefox, though not specifically exploiting it.
To be fair, the original article is quite clear that Java is responsible, and also highlights that other browsers are affected.
The title is merely a question, which is appropriately answered. its also mentioned that the initial browser this was highlighted on was firefox, which seems as good a place as any to begin the investigation of the exploit.
After all, seeing as how Mozilla security team actually got involved in this (from the comments in the weblog), it would have been rather odd to then slant the article towards Opera / Netscape / someone else.
ive been following this for some time and the misconceptions around this are amazing.
People don't get that because it's not what he says he did. Read this:
This is confusing. As an unsuspecting user, I'm not really sure what a "security certificate" is. The dialog box is different, but I just installed another program with a complicated dialog box and it seemed safe enough, so I guess it's probably OK to install this one too. Hmmm, maybe I should click the More Details button first, just to see what's there.
Let me rephrase. The whole thing is pointless because it is based on the assumption that average users are as stupid as the blog author is pretending to be. If a user is stupid enough to ignore the above warning dialog, the very same user can cause all sorts of other havoc like downloading exes and running them. It's like saying: "IMPORTANT SECURITY NEWS: DO NOT CROSS THE FREEWAY BLINDFOLDED. YOU MIGHT STEP ON THE LAST SPECIMEN OF AN ENDANGERED KIND AND KILL IT."
also, java is rather innacurately hailed as "safe" because of the spurious notion of a sandbox. the way this exploit runs bypasses the sandbox entirely, and nowhere in the yes / no agreement does it mention that the applet is going to have a win32 exe download and install itself into the temp directory. add to that the fact that many average users using firefox will be under the misguided notion that theyre "safe" because theres no active x/ xpis are blocked etc and its quite right to assume this would catch more people out than a regular, bog standard popup appearing whilst using IE.
/ edit - id also like to point out that this particular install DOES effectively target firefox - because it checks what type of browser youre using.
if its IE, it gives you an active x prompt and NOT java.
if Firefox (or to a degree any mozilla based browser) then you get the java applet instead.
Dave, you clicked Yes but i'm sure you meant No, didn't you, Dave?
Now that would be scary, wouldn't it?
I have accidentally formatted my harddisk before. I have accidentally wiped a server. I have blown a electronic gadget because I used a cable that had the wrong polarity and so on and so on. I don't blame anyone but me.
Also, it does not make a difference that the spyware detects which browser it runs on. That's just portable programming ;-). It doesn't mean that FF or the JVM is broken.
Ed bott tests the windows install:
Ed bott looks at the newsletter:
"Firefox is creating a platform that enables extensions and plug-ins to connect directly to the browser. You can't do that and then say, when an extension or plug-in behaves badly, "Hey, not our fault!"