A Revolution is the Solution
|
|
There are actually legitimate reasons for Java applets to have greater access to the machine. I've had to use it myself to allow users to print from an applet. That's why the runtime pops up the warning. It allows developers the option of offering greater functionality while giving users the control over what the applet has access to. If the user chooses to ignore the warning then they have only themselves to blame.
The applet installer doesn't exploit any vulnerability in the Java runtime or the browser. It exploits human trust, naïveté and the desire to get something for nothing.
Greg Beach |
04.12.05 - 5:16 pm | #
|
|
Nonsense.
Simple as that.
Don't get me wrong here - I'm not defending firefox. As a matter of fact, I don't even like firefox. But the fact remains, this article is utter nonsense!
In the fight against spyware, malware, viruses, spam, obesity, and all the nasties this confounded internet is apparently plagued with, it's no secret that the greatest flaw - worse than the latest SP2 vulnerability, worse than the newest virus that's going to wreak havoc on our multimedia phones, web browsers, and sandwich toasters, worse than whatever the latest government policy change is - the greatest flaw is ignorance.
The second greatest flaw is the apparent lack of basic literacy in "the majority of internet users" (tm).
The problem is, unfortunately, when a dialog box pops up from Spyware McSpiesALot Industried Ltd asking if you want to install the latest trojan horse, many a curious soul (like the author) click Yes, out of childlike innocence and curiosity.
Unfortunately, when the result of clicking that sneaky little button that was so cunningly disguised in that innocent looking 'Security Warning' is exactly what you would expect it to be, so many poor souls have the unfortunate tendency to be surprised, confused, and, perplexingly, angered.
The curiosity that is today manifested in clicking 'Yes' to a security warning is the same curiosity that made you open those email attachments that you weren't expecting, send your name, address, and credit card number to that friendly sounding Nigerian king that wanted to send you his country's national wealth, and download that innocent looking dialler.
The fact is you get what you ask for. If you walk into a prison and hand an inmate your credit card, you don't expect your credit rating to go up. If you eat nothing but McDonalds for a month, you don't expect your weight to go down. If you click 'yes' to every security warning you don't understand, you don't expect your computer to last very long.
If the date of this article had been March 09, 1999, perhaps you could be forgiven. Here in 2005, my grandmother knows what spyware is.
If you're a curious soul, buy a telescope and watch your neighbours' television.
In this day and age, the last thing we need is another hit showing up on a spyware company's website telling them that there are still people out there who are dumb enough to install their software.
Blode |
04.12.05 - 10:52 pm | #
|
|
Blode, what a dumbass post that was. Wow! Your grandmother knows what spyware is?? Oh well done!! Better tell all those hundreds of support forums and the antispyware vendors to give up and go home, because apparently there's no danger from spyware anymore. Doh.
If the cert had been issued by Thawte then it would have been trusted automatically, and there's nothing to stop IST from purchasing one of those.
Also, the newest form of this exploit hammers CWS exploits in IE so you DON'T EVEN NEED TO CLICK YES TO BECOME INFECTED.
Seeing as this post is apparently "so behind", it's amazing how (much later on) everyone is now buzzing about a new variant of this kind of install and no one is bitching at them. So in the interest of fair play, you'd better check out Suzi's blog from spywarewarrior, a thread by Eric Howes at DSL reports, Wayne Porter of X Block software's Spywareguide.com, a post on Ben Edelman's site and tell them they're behind the times too. Or are you content to keep bashing at a thread that the original author doesn't even care about anymore because he's busy helping out with the new variant?
Seems the only person behind the times here is you!
http://www.broadbandreports.com/...remark,13144000
http://netrn.net/spywareblog/arc...d-web-we-weave/
http://www.benedelman.org/news/0...s/041105-1.html
http://www.spywareguide.com/arti...nstall__72.html
Sub-seven |
04.13.05 - 6:56 am | #
|
|
Hey, you get a big warning box with the title "SECURITY WARNING" and you are wondering that your system is infected if you press YES?
It would be the same for mails:
"Hey, I got a mail from an unknown sender with an .exe attachment and I executed it. Now my system is infected."
Question:
How should software defend the system from stupid users?
Matthias Versen |
04.14.05 - 2:40 am | #
|
|
A good question Matthias, though as the original article has rightly pointed out - end users will ALWAYS click yes to things. Though it looks like IST are going to upgrade to a Thawte certificate so clicking "yes" won't matter soon anyway. Especially if you see the latest developments regarding IRC...
http://www.revenews.com/waynepor...ves/000594.html
fu manchu |
Homepage |
04.14.05 - 6:44 am | #
|
|
A few things to point out.
That security warning is not "innocent looking".
Sub-seven is correct in saying that there are browser holes that malicious software can get through, but this is not the right place to post that. This thread, sub-seven, is regarding a specific, incoherent article that describes what might happen to an idiot, but because the "journalist" is himself an idiot -- Being a curious soul, I agreed to the install -- he blames technology.
It's true that most end users will click yes, but whoever does, even if it is a majority, deserves what they requested.
Matthias asks, "How should software defend against stupid users?" There are some measures that can be taken to protect idiots from themselves, but there are two problems.
* Is it ethically ok to prevent someone from installing software that they really want to install?
* "As soon as someone invents a fool-proof way, someone else invents a better fool."
Also, does a certified, signed, applet have the authority to walk outside the java sandbox without permission?
WK |
04.28.05 - 11:26 pm | #
|
|
One thing for sure, when the applet or ActiveX control has a name like "Integrated Search Technologies" common sense says it's something like spyware in the form of a search hijack. The fact it asks first, and what a given browser's defaults are for such things is what really matters. Also keep in mind that if there is a way to get around such restrictions in the target browser, that's when you can point your finger at that browser. If an informed and careful user can't escape the issue, that's the fault of the software. The most valid question presented here is if Firefox should obstruct interactions with IE. Would seem doing that would mean not interacting with the system almost completely - thanks to heavy integration. Thanks again Microsoft.
Euchre |
04.29.05 - 3:25 pm | #
|
|
WK - I'm not a "journalist", I'm a security researcher writing from the point of view of someone who doesn't KNOW about such an install. If you can't grasp that, perhaps you should hit the books for a few more years! 
Paperghost |
Homepage |
05.13.05 - 10:03 pm | #
|
|
Fixing the user. When you cannot trust them to click the right button.
Two ways of preventing Java software installs.
Sun JRE Ver 1.5
1) Go to the control panel, open the Java cpl, click on the Advanced tab, open the Security node and clear the checkboxes on both "Allow User to Grant Permissions" checkboxes. This has to be done for each user.
2) Multiple users
It gets a little long winded and frustrating to have to open each user's login and change the checkboxes. And then when you add a new user, the default is with the boxes checked. Sun Java central management to the rescue!!
This will allow you to make all the security settings to Java from one central location so every user on the computer has the same security settings applied.
Files needed to do this are contained in the %windir%\Sun\Java\Deployment directory, where %windir% is the C:\WINDOWS directory.
Two files are needed: deployment.config and deployment.properties
Contents of deployment.config:
#deployment.config
deployment.system.config=file:C:\WINDOWS\Sun\Java\Deployment\deployment.properties
deployment.system.config.mandatory=true
Contents of deployment.properties:
#deployment.properties
deployment.security.askgrantdialog.show=false
deployment.security.askgrantdialog.notinca=false
deployment.browser.vm.mozilla=true
deployment.browser.vm.iexplorer=true
The next time each user starts Java the above settings will be installed in their user profile.
martinelli |
05.15.05 - 5:04 pm | #
|
|
Oh, the joy of blogging
This is the proper line above
deployment.system.config=file\:C\:\\WINDOWS\\Sun\\Java\\Deployment\\deployment.properties
martinelli |
05.15.05 - 5:07 pm | #
|
|
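An added example (not martinelli's code and not Sun's tooling): a small Python audit of the two files described in the comments above, assuming they are read with java.util.Properties escaping rules, as the corrected line implies. The function names and the sample file contents are constructed for illustration; the property names and values are the ones posted in the thread.

```python
import re

# Lockdown values from the comment above (deployment.properties).
REQUIRED = {
    "deployment.security.askgrantdialog.show": "false",
    "deployment.security.askgrantdialog.notinca": "false",
}
_SIMPLE = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def _unescape(s):
    # java.util.Properties rule: a backslash before any other character is
    # silently dropped. \uXXXX escapes are not decoded here.
    return re.sub(r"\\(.)", lambda m: _SIMPLE.get(m.group(1), m.group(1)), s)

def parse_properties(text):
    """Parse single-line entries only (no line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.lstrip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)", line)
        if m:
            props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props

def audit(config_text, properties_text):
    """Return findings; an empty list means the lockdown is in place."""
    findings = []
    cfg = parse_properties(config_text)
    target = cfg.get("deployment.system.config", "")
    if "\\" not in target and "/" not in target:
        findings.append("system config path lost its separators: " + target)
    if cfg.get("deployment.system.config.mandatory") != "true":
        findings.append("deployment.system.config.mandatory is not true")
    props = parse_properties(properties_text)
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            findings.append(f"{key}={props.get(key)!r}, expected {want!r}")
    return findings

# Constructed sample files, using the lines posted in the thread.
GOOD_CONFIG = r"""deployment.system.config=file\:C\:\\WINDOWS\\Sun\\Java\\Deployment\\deployment.properties
deployment.system.config.mandatory=true"""
BAD_CONFIG = r"""deployment.system.config=file:C:\WINDOWS\Sun\Java\Deployment\deployment.properties
deployment.system.config.mandatory=true"""
PROPERTIES = """deployment.security.askgrantdialog.show=false
deployment.security.askgrantdialog.notinca=false"""

if __name__ == "__main__":
    print(audit(BAD_CONFIG, PROPERTIES))
```

With the unescaped line, the parsed path collapses to a string with no separators, so the system-wide file would not be found and the per-user defaults would stay in effect.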
Heh, yeah Haloscan IS a pain but the standard Blogger.com setup doesn't include trackbacks which I need
Nice info.
Paperghost |
Homepage |
05.17.05 - 5:56 am | #
|
|
Thank goodness for the Mac. (just trolling)
Mortal |
05.27.05 - 10:22 pm | #
|
|
Don't forget Ipods 
Paperghost |
Homepage |
06.03.05 - 9:44 pm | #
|
|
You're funny. You use Firefox and go to a website that you KNOW attempts to install malicious software, the browser DOES pop up a warning saying the certificate is NOT trustworthy and you hit "yes - please install this malicious software, and thank you".
If I had read this story from Mr Anyone, I would accept this as "this man is just naive, in what kind of world is he living?". But from a guy who presents himself as an "internet security investigator", I say it's just plain shameful. Firefox does its job: it warns you. It's not your browser's role to decide for you.
You probably are living in some sort of wonderland where you lead your "revolution". Paperghost... maybe you should go back to paperwork, it's MUCH safer.
Here's some reading material to cut your ego down to size.
http://www.spywareinfo.com/newsl...r13.php#firefox
macxek |
10.27.05 - 2:33 pm | #
|
|
Dude....this is OLD. Where were you when this was all over the news and this page had about six million comments posted on it before haloscan removed the oldest entries?
Paperghost |
10.30.05 - 1:03 pm | #
|
|
For those of us who came in late, the Slashdot followup.
On the evidence available to me, the root cause of this particular problem seems to be that Firefox ships (or at any rate, shipped; likely it's been fixed by now) with a default setting of "Enable Java if it's already installed". Not real bright, especially for a browser which is supposed to be so much more secure than IE.
Mark Odell |
12.20.05 - 5:33 am | #
|
|
yeah, caused quite the stir, didn't it? - amazing, considering i thought it might be, you know, useful if someone documented that this thing was out there...
....we had a forum holy war, people arguing all over the place and a whole lotta craziness. still, good clean fun and naughty ysbweb recently got spanked by the ASC's complaint to the FTC for their "wonderful" practices.
And justice is served...
Paperghost |
12.20.05 - 9:20 pm | #
|
|
I've used FF for years, and I also use common sense. I have both java and xpi install turned off all the time unless I need them. No browser in and of itself will ever be 100% safe.
JoeG |
12.21.05 - 10:07 pm | #
|
|
well said macxek
estinot |
02.07.06 - 2:44 am | #
|
|
Olé shit man...
dr4ven |
02.24.06 - 3:32 pm | #
|
|
This makes no sense... you download an EXE in firefox... of course it can open up internet explorer. It didn't install without your consent and this isn't a security hole in firefox, it's a noob user... if you were pretending to be an inexperienced user why didn't you say so...
AdamMattinson |
03.20.06 - 5:43 am | #
|
|
I wrote a long and elaborated rant about user input and internet education, but I gave up, after seeing the article http://www.spywareinfo.com/newsl...r13.php#firefox
True. Check it out. Nuff said. That and that I draw the line at malware that DOESN'T ASK for permission to install. Questions like "What if I'd clicked Yes" defeat the purpose of the whole Warning system. Jeez. Set your comp to block all, to be sure none of these cunning pieces of software can get through and install themselves... oh, wait, this one WAS BLOCKED, you allowed it in....
Kyle |
05.15.06 - 7:02 pm | #
|
|
"That and that I draw the line at malware that DOESN'T ASK for permission to install. Questions like "What if I'd clicked Yes" defeat the purpose of the whole Warning system."
You're kind of missing the point, lots of people do just *that* and the above writeup was the first from a mainstream security blog to cover this Java applet. With that in mind, how do you propose someone write about what the applet did, and warn people about the dangers of clicking "Yes" to this applet, without actually writing about it?
Oh and by the way, the writeup was done shortly after the certificate for the applet expired. Because of the way it was set up, it was installing automatically on many PCs.
More reading on the subject: http://research.sunbelt-software...are_Mozilla.pdf
Just because you draw the line at "Malware you have to agree to install", doesn't mean the people who make it have. Or, indeed, the people who fall for installing it. Or is it not a problem merely because you don't deem it to be so?
Paperghost |
Homepage |
05.15.06 - 9:31 pm | #
|
|
Cheers Guys. I'm still working my way through my infected firefox - am getting nowhere fast as I'm a bit useless at this stuff but your info's been useful and I'll go away and try out that download. Just wish there was a plugin that would stop me getting bloody new windows opening with rubbish in them.
Mercury Thread |
Homepage |
06.16.08 - 12:15 pm | #
|
|