Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

Java Flaw Enables Cross-Browser Attack

By David Worthington, BetaNews

March 14, 2005, 10:39 PM

In what may be the first known example of a cross-browser attack, users who made the switch to Mozilla Firefox to escape the specter of Internet Explorer's security failures may suddenly find themselves repossessed.

Vitalsecurity has uncovered a vulnerability that exploits a hole in Sun's Java Runtine Environment Environment that, when used in combination with Firefox and other alternative browsers, is capable of installing malware by invoking Internet Explorer.

According to the security bulletin, the attack can be executed through an alternative browser when even Internet Explorer's security settings are at their highest. On its own, IE blocks the malware's installation, which means another browser must be used for the attack to succeed.

In an example, when Firefox users visit a site containing an unsigned Java applet, the user will be prompted through a security dialog to run the software. If the user agrees to load the applet, their machine will be infected and an instance of Internet Explorer will load.

Details of the attack can be found at Vitalsecurity's Web site.

Add a Comment (17 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By casino8net

edited Jul 19, 2005 - 11:36 PM

agree

www.linjin365.com

Score: 0

By Biozfear

posted Mar 15, 2005 - 5:39 PM

The problem is, IE shouldn't have been hit in this way - especially as it was locked down so tightly, and wasn't even being used at the time. Vaguely worried by this, I tried some other browsers...the results aren't exactly fantastic reading for the Mozilla Foundation.

Firefox 1.0.1 - The install works.
Mozilla - The install works.
Avant browser 10.0 (build 153) - The install works.
Netscape 7.2 - The damn thing kept crashing, but eventually I was able to discover that the install works.
NetCaptor 7.5.4 - The install is blocked.
Opera 7.5.4 - The install is blocked.

As you can see, with Opera, its safe :)
thats why I prefer using Opera instead of other browsers...
IE is good in a way still... FF is now finally proven that aint that good....

tough sh*t...

Score: 0

By RobertM

posted Mar 15, 2005 - 5:57 PM

It's not like Mozilla separately develops all the products you listed above. If one of them is affected, all of them probably are. It's not like they have a worse record than anyone else because three of their products were affected.

Score: 0

By Mike Singer

edited Mar 15, 2005 - 12:09 PM

This is a perfect example for all of those people who think Firefox is made of steel. If it can be built, it can be unbuilt.

No web browser is 100% perfect, so don't buy into the claim that Firefox, or any other browser, will fully protect you from security threats. If you're using Firefox because you like its features, that's fine, but I am tired of hearing people (mostly computer illiterate people) say that Firefox will keep you safe.

Score: 0

By maoge

posted Apr 17, 2005 - 9:35 PM

Yes, I do agree. As more and more people use Firefox. More bugs will be revealled.

James
http://www.du818.com

Score: 0

By eunichman

posted Mar 15, 2005 - 4:56 AM

This story is about a exploit that is currently in circulation.. the exploit doesnt unknowingly do anything. on browsers that arent IE engine based, it pops up a window that notifies the user that the certificate from the issuing site is expired and that if you click yes then you risk downloading possibly malicious code. if you click no then nothing happens. if you click yes, it installs a buncha links, startrup porograms, and opens up tons of spam sites.

This isnt anything but a simple exploit that requires a person to be a total moron to happen. When you go to a website and their certificate is expired and the content is unknown, then if you tell the browser to proceed, you deserve what you get.

Score: 0

By GoodThings2Life

posted Mar 15, 2005 - 10:09 AM

You overlook the fact that there are an unfortunately large number of "morons" (I would prefer the term uneducated users, but whatever) in the world these days.

Score: 0

By eunichman

posted Mar 16, 2005 - 2:18 AM

like I said, if a person sees a window pop up telling them the contect is from an expired certificate and is of unknown possibly malicious content, if thery choose to continue anyhow they get what they deserve. That's like driving down the road and seeing a sign saying road closed, bridge out, continue at your own risk, any person with 1/2 a brain would not continue. those who do deserve what they get

Score: 0

By adamlau

posted Mar 15, 2005 - 6:28 AM

Grab yourself a copy of XPLite and remove all traces of IE, including the HTML rendering engine. No more IE-based worries. Period.

Score: 0

By bourgeoisdude

edited Mar 15, 2005 - 9:30 AM

"ON ITS OWN, IE blocks the malware's installation, which means ANOTHER browser must be used for the attack to succeed. " [emph. added] I don't care what windows you use (unless unauthorized or illegally modified)--if you use Microsoft Windows 2000 or newer, you have ActiveX: Firefox, Opera, IE, whatever. You're stuck with ActiveX. Try using Linux...or even MacOS if you like having a decent GUI. As for XPlite, most network admins like compatability at least...

Score: 0

By GoodThings2Life

posted Mar 15, 2005 - 10:06 AM

It has nothing to do with ActiveX this time, it has to do with JAVA... moreover, it's Sun's Java that is the problem.

Incidentally, Sun released 1.5.02 version of their Runtime yesterday, it would be interesting to see if that issue is resolved.

Score: 0

By eunichman

posted Mar 16, 2005 - 2:20 AM

dont blame anyone but the end user for this one. Sun's Java TRIES to warn you that you are doing something you should not be doing. that you choose to do so anyway makes YOU at fault, not Sun Java

Score: 0

By mjm01010101

posted Mar 15, 2005 - 11:20 AM

The vulnerability is user error, not java. Java properly warns the user not to trust the code.

The problem ultimately lies in making users admins of their own systems and letting code from the net have local file access. It's a problem that will *never* go away because too many programs need that access. Java Sandbox or not, this is an industry problem than can effect many stupid users.

Score: 0

By bourgeoisdude

edited Mar 15, 2005 - 2:46 PM

Use of the vulnerability causes a malicious user/software to be able to use ActiveX. Basically, IE would block the initial attempt in and of itself, but if another browser has the issue, the vulnerability will likely be used to run a malicious ActiveX script. If IE were completely gone there would be no reason to exploit the Java flaw (no IE means no ActiveX), but the Java flaw does not work in IE itself (follow that? I may not...)--so we're both right. Sort of. :)

As a side note, yes, this is a "bogus" flaw, much like the "flaws" in IE that Secunia claims have not been patched. I like to think of this sort of issue as "a means for third parties to mislead end users." Is that a vulnerability? Is my newspaper a security flaw, as advertisers may sneak an ad that is misleading? Can I get a computer virus through "malicious" TV commercials? Yeah I am exaggerating a little...I may not like Firefox, but geez, don't point the finger on this one--it just isn't their problem! (I do agree FF is not made of stell, however.)

Score: 0

By XiND

edited Mar 15, 2005 - 2:48 PM

> (no IE means no ActiveX)

ActiveX is not part of IE, it's part of Windows. In fact, the system that ActiveX is based on was already in Windows 3.1.

ActiveX is a way to build components that can be used cross-application as well as cross-language (if you don't mind the OCX/DLL file tagging along with your app on deployment). It's just not built for IE, period. IE makes ActiveX available for web pages, which (since an ActiveX object is free to do anything in the OS) is a painful mistake. But it does have its many legitimate uses.

Anyone who thinks ActiveX by itself (in other words, unattached to IE) is anymore of a problem than Java, needs to zip it and go away.

Score: 0

By Biozfear

posted Mar 15, 2005 - 5:51 PM

well... i wonder why was this exploit out...
nevertheless, means new updates very soon.
one simple question: how da hell ya remove that exploit in case you clicked on yes?

still 70% of home pc users make mistakes and click on yes....

simple concern...

Score: 0

By Maxwolf

posted Mar 16, 2005 - 8:05 AM

Maybe adamlau was being sarcastic...

Score: 0

Dec 1 - 11:19 AM ET DTV broadcasters could make another transition to mobile next year

Nov 29 - 1:41 PM ET Teacher must still surrender license in bizarre 'exposure to porn' suit

Nov 26 - 9:19 PM ET Spambots edge back online post-McColo

Nov 26 - 9:17 PM ET Connecting the Black Friday dots: What to expect from CE retail

Nov 26 - 9:09 PM ET Google admits that its iPhone voice search breaks Apple's rules

Nov 26 - 5:15 PM ET Apple uses DMCA as a weapon against an open source iTunes hack

Nov 26 - 5:13 PM ET US DHS eases off its '10+2' import rules

Nov 26 - 5:08 PM ET IBM unveils 'cloud validation' to harden security and lower TCO

Nov 26 - 2:15 PM ET Thanks, EchoStar: TiVo nears its first profitable year

Nov 26 - 1:49 PM ET Google integrates Earth-like controls in new Maps interface