The Java Popup you Can't Stop

CmdrTaco posted more than 6 years ago | from the once-you-pop dept.

Security 480

An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by the user (the wet dream of any web advertiser). Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere'"


480 comments

Don't spread this! (5, Funny)

LarsG (31008) | more than 6 years ago | (#20155047)

For the love of all that is holy, please don't promote this story to the /. frontpage. The less advertisers that are made aware of this the better.

Re:Don't spread this! (5, Funny)

Anonymous Coward | more than 6 years ago | (#20155151)

NO WAY! Information is meant to be FREEEEEEEEEEEEEEEEEEE! YOU should keep your mouth shut, you fascist pig! I bet you voted for Bush!

Re:Don't spread this! (4, Funny)

LarsG (31008) | more than 6 years ago | (#20155285)

Information wants to be anthropomorphised and all that, but I'd still prefer this one to stay below the main stream media radar until Sun can get a fix out.

As for voting Bush. Since I'm not a US citizen, that would require use of the password '12345678'.

Re:Don't spread this! (4, Insightful)

elrous0 (869638) | more than 6 years ago | (#20155381)

Only promoting it and having it become a threat to them (i.e. lawsuits, users uninstalling Java on their systems, webpage designers moving away from it) will motivate them to fix the problem. If the threat is kept under wraps, they have no real motivation to move on it until phishers are already using it in the wild.

Re:Don't spread this! (1)

jimstapleton (999106) | more than 6 years ago | (#20155265)

I guess Java will have to join Flash in my don't install/run list...

Personally, I'm glad for the warning.

Re:Don't spread this! (1)

Threni (635302) | more than 6 years ago | (#20155461)

> I guess Java will have to join Flash in my don't install/run list...

I can't remember when I last saw Java on a webpage. Any web technology which I can't control such that I'm not threatened by phishers and other web dweebs will be disabled. It's not as if you need Java to do interesting web pages.

Re:Don't spread this! (1, Informative)

jimstapleton (999106) | more than 6 years ago | (#20155501)

Actually, I've seen it a few times. I just downloaded NoScript so I can limit it to the pages where I need it. Kinda wish I had downloaded this one sooner.

Who'd have thought it? (3, Funny)

nagora (177841) | more than 6 years ago | (#20155049)

There are people who still browse with java switched on?! That is SO 1990's.

Doesn't work.. (0)

Anonymous Coward | more than 6 years ago | (#20155059)

I've tried with Iceweasel 2.0.0.5 with NoScript, and NoScript blocked it nicely.

Re:Doesn't work.. (3, Informative)

gEvil (beta) (945888) | more than 6 years ago | (#20155191)

That might be why the author wrote "In the meanwhile, NoScript is your friend ;)" in his blog.

and the wet dream of any victim (3, Insightful)

Raleel (30913) | more than 6 years ago | (#20155061)

is to get their phone number, call them up, and inform them that they will never buy/use whatever it is they are selling, and will be telling 25 of their closest friends in person because of this practice. Certainly, you aren't limited to 25, but that is the old saying.

Re:and the wet dream of any victim (2, Insightful)

91degrees (207121) | more than 6 years ago | (#20155099)

There's no such thing as bad publicity.

Actually that's not totally true, but telling people not to use a product may backfire if it means more people have heard of the product.

Re:and the wet dream of any victim (1)

sayfawa (1099071) | more than 6 years ago | (#20155327)

Scenario 1:
Me: Have you heard of product x?
Friend #1: Yes.
Me: Don't buy their products! They use teh evil popups!

Scenario 2:
Me: Have you heard of product x?
Friend #2: No, what do they do?
Me: Hey look! A puppy!

Re:and the wet dream of any victim (4, Insightful)

aadvancedGIR (959466) | more than 6 years ago | (#20155387)

The real wet dream of any victim would be to be able to disable Java or any scripting technology in his browser and still be able to surf on most respectable sites.
I don't want to be a luddite, but on 9 sites out of 10 that require those technologies, there is very little benefit for the user.

Re:and the wet dream of any victim (0)

Anonymous Coward | more than 6 years ago | (#20155477)

"And the wet dream of any victim is to get their phone number, call them up, and inform them that they will never buy/use whatever it is they are selling, and will be telling 25 of their closest friends in person because of this practice."

[advertosser] So if I invent a fictitious product, advertise it with Java popups and 'accidentally' reveal my (premium rate) phone number, then you and 25 of your friends will ring me up and give me money? Cool! [/advertosser]

so how do i know (5, Funny)

circletimessquare (444983) | more than 6 years ago | (#20155069)

this is a real slashdot article, and not some clever cross site full screen javascript faux article out to steal my cookies, hmmm? if i hit submit i might-

oh shit

NoScript, but they don't work (4, Informative)

morgan_greywolf (835522) | more than 6 years ago | (#20155071)

In the meanwhile, NoScript [noscript.net] is your friend


As always, with script-related security flaws, the easiest solution is NoScript, of course.

However, FWIW, I couldn't get either of his demos, the Java or the JavaScript, to work on Firefox 2.0.0.6 on Windows XP, despite the fact that the author says that both work on Firefox.

Re:NoScript, but they don't work (1)

Holy69 (938902) | more than 6 years ago | (#20155175)

I tried it in the same environment and it worked. The big PWNED on my screen.

Re:NoScript, but they don't work (4, Informative)

Luscious868 (679143) | more than 6 years ago | (#20155345)

However, FWIW, I couldn't get either of his demos, the Java or the JavaScript, to work on Firefox 2.0.0.6 on Windows XP, despite the fact that the author says that both work on Firefox.

It worked on my XP system and covered everything but the Start Menu and Task Bar. Getting it to close was simply a matter of right clicking on Firefox in the Task Bar and closing it down. It's certainly an annoyance, but it's not as bad as the article makes it seem to be. Anybody with a brain (which admittedly excludes about 60% of the population) can figure out how to close Firefox and thus the Java App.

Re:NoScript, but they don't work (0)

Anonymous Coward | more than 6 years ago | (#20155449)

Cool, but you know it will also close all of the tabs in your browser?

Re:NoScript, but they don't work (3, Insightful)

kent_eh (543303) | more than 6 years ago | (#20155547)

Getting it to close was simply a matter of right clicking on Firefox in the Task Bar and closing it down. It's certainly an annoyance, but it's not as bad as the article makes it seem to be. Anybody with a brain (which admittedly excludes about 60% of the population) can figure out how to close Firefox and thus the Java App.

In my experience the vast majority of windows users don't right click on anything, unless they have been specifically instructed to.

And they certainly don't intuitively know that they can right click on task bar icons to do anything, let alone close the app.
For most regular users (no doubt the intended target of the sort of sleaze who would use this for advertising and other nefarious purposes) there is only one way to shut down an app, and that's the red X in the top right corner.

Re:NoScript, but they don't work (4, Informative)

LiquidCoooled (634315) | more than 6 years ago | (#20155575)

Actually, it was a bit worse (for some reason on mine)

The start bar went behind the app, bringing up task manager and shutting down the app wasn't as easy as you would think because the java app eats focus and makes clicking the "End Process" and the Warning message difficult.

I managed it after a few mistypes and jabs at the button.

It's possible to close it, but it doesn't play nice at all.

Re:NoScript, but they don't work (4, Funny)

Professor_UNIX (867045) | more than 6 years ago | (#20155393)

This demo didn't work on my iPhone either. Just another reason to use the Superior JesusPhone over standard web technologies... no annoying Java, Flash, or third party apps to exploit!

Firefox (2, Informative)

CogDissident (951207) | more than 6 years ago | (#20155073)

I have the newest version of firefox (vanilla, no extensions, only a few custom settings to increase speed) and his demo completely didn't work on my computer...

Newest version of firefox sucks memory AGAIN (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#20155407)

The newest version of firefox is back to sucking memory again.

Sigh, remember when firefox was supposed to be the non-bloated browser...

---
only extension is adblockplus

Firefox (and Proxomitron) (2, Informative)

Potor (658520) | more than 6 years ago | (#20155485)

yeah, is this a joke? i tried disabling everything i could think of while keeping java enabled - nothing.

btw, i am a dedicated proxomitron user (disabled for a moment to try the demo). never see any ads or pop-ups ...

DOOMED (1, Funny)

voraistos (1128439) | more than 6 years ago | (#20155075)

Now we all are doomed. And with the new Sun CPU, advertisers can display ads at an even higher frequency now.

Why? (2, Interesting)

techiemikey (1126169) | more than 6 years ago | (#20155079)

yes, but who would want their product to become associated with what would quickly become the most annoying ad basis ever invented?

Re:Why? (1)

Opportunist (166417) | more than 6 years ago | (#20155287)

And since there's no spam (because, well, your wonderful brand would be associated with spam if you used spam to advertise it), I guess you must be right.

Re:Why? (4, Interesting)

Anonymous Brave Guy (457657) | more than 6 years ago | (#20155377)

The problem with ads is that, apparently, the annoying ones are exactly the ones that work. People like you and me hate them, but we're never going to buy their **** anyway. Those irritating jingles that get played endlessly on TV ads irritate the **** out of us, but they attract the attention (and memory) of those gullible enough to buy the goods.

I'm not sure how much this is really backed up by evidence and how much is just "accepted wisdom" in the marketing community, though. There was a particular local firm advertising on the biggest local radio station in these parts a few years ago. They basically took traditional melodies from things like popular nursery rhymes, and rewrote the lyrics to mention their company name repeatedly and the product they were pitching. After a while, they even ran an ad that had the lyrics "We know the songs get on your nerves", which I remember all too well, perhaps making the point for them. That was, however, the last ad they ever ran on that radio station as far as I can tell. I'm not sure what happened to the company...

To bring this back to the current context, though, the theory seems entirely reasonable. Most of us will never support spammers or get caught by phishing, but those stupid enough to reply to bank password checks or ads for legal software downloads are probably also the ones stupid enough to click on the slightly odd-looking dialog warning about a virus attempting to install itself through your web browser. Sadly, given the tiny running costs, it only takes a very small proportion of people to be idiots for the spammers/adware merchants to make an awful lot of money.

Re:Why? (0)

Anonymous Coward | more than 6 years ago | (#20155563)

Say the ad goes out to a million people. Maybe 99% will ignore it and 99% of the rest will have negative reactions, but the remaining 0.01% of the total will buy your product. So that's 100 purchases and 9,900 people who will never buy from you again. For Coca Cola that's a net loss of 9800 customers, but for Bob's V14GR@ Warehouse it's a net gain of 100.

Obvious solution? (1)

WegianWarrior (649800) | more than 6 years ago | (#20155083)

The obvious solution should be to turn off Java by default, and only turn it on for trusted sites.

Problem of course is that the average websurfer is unlikely to a) know how to do it, and b) know what sites to trust.

Re:Obvious solution? (1)

techiemikey (1126169) | more than 6 years ago | (#20155119)

well, they can always not trust the ones that take over their computers. It's usually pretty obvious when your screen turns into an ad.

Re:Obvious solution? (1)

gEvil (beta) (945888) | more than 6 years ago | (#20155213)

It's usually pretty obvious when your screen turns into an ad.

Yes. I've found that seeing "slashdot.org" in the address bar is usually a pretty good indicator... ; )

Re:Obvious solution? (4, Interesting)

Ed Avis (5917) | more than 6 years ago | (#20155249)

The whole point of Java was that it was super-sandboxed when running applets and you could enable it for all sites. To prevent phishing, any windows created by a Java applet would have to show 'Warning: Applet window' and a big red border or something like that. I wonder what went wrong to allow this attack, and whether it has been in Java since the beginning (i.e. would work even with Netscape 2.0) or takes advantage of some recently added kewl feature that forgot to do sandboxing properly.

Re:Obvious solution? (4, Informative)

badfish99 (826052) | more than 6 years ago | (#20155433)

From a quick look at the code, the bug seems to be that you can resize the popup to be bigger than the screen size. So the warning disappears off the bottom of the screen.

Re:Obvious solution? (1, Troll)

pla (258480) | more than 6 years ago | (#20155293)

Problem of course is that the average websurfer is unlikely to

Fortunately, I don't give two shakes of a rat's derriere about the average websurfer. In fact, I prefer that they see a deluge of ads, because:
1) It makes ads easier to block (advertisers only use blocker-circumvention methods when forced to);
2) As people complain, ads will evolve into less obnoxious forms (such as the entirely palatable Google text-ads);
3) Although I in no way feel guilty about "consuming" content voluntarily placed online for free, I won't claim ignorance that the "average websurfer" seeing all those ads helps fund many sites.

a) know how to do it

NoScript or QuickJava work just fine. With (as you suggest) the default as "off", of course. If people can't figure out how to click the "J" in a crossed-out circle, I have little sympathy.

b) know what sites to trust.

Oh, that one comes easy - "None of them". Unless I go to a page specifically for the purpose of running a java app hosted there, I simply don't turn it on. Ever. If a random page comes up with an unexpected complaint about my having Java disabled, I simply move on from that page, never giving it another thought.

move along, nothing to see here. (2, Informative)

jsldub (133194) | more than 6 years ago | (#20155093)

You can still use firefox to keep popups contained in tabbed browsing, and prevent window resizing. Not-news, move along.

Re:move along, nothing to see here. (2, Informative)

teknikl (539522) | more than 6 years ago | (#20155469)

right -- the pop-up worked for me but came up as a distinct tab on only one of my two monitors... fairly simple to spot and close.

winkey and ctrl alt del seemed to work fine (2, Interesting)

postermmxvicom (1130737) | more than 6 years ago | (#20155095)

So...did I miss something? But winkey and ctrl alt delete did fine for me. Still, I *am* impressed...it just seemed to be billed as more than it was. Or is the joke on me for clicking the link in the first place? ::runs away to sign up for lifelock::

Re:winkey and ctrl alt del seemed to work fine (1)

Opportunist (166417) | more than 6 years ago | (#20155421)

You, me and everyone with at least half an idea how to operate a GUI will have no problem with this. The problem is as usual the user with just enough knowledge to start Windows and open a browser. For many, the second activity better be part of the autostart routine.

Those people don't even know what to do should they accidentally hit the "kiosk mode" button for their browser (aka "fullscreen mode"). They don't know about alt-f4 and other ways to close their windows except for that little "x" sitting in the top right corner. And don't you dare to give them anything but maximized windows, or they'll close everything behind and cry to you that their browser doesn't close.

Silly article (2, Informative)

Glock27 (446276) | more than 6 years ago | (#20155097)

Under MacOS, the dock and top bar are still visible, and it's trivial to kill the browser.

There's virtually no chance anyone would be fooled into doing anything but killing their browser, and Java is by no means alone in causing that kind of issue.

Nothing to see here, move along...

Re:Silly article (1)

Anonymous Coward | more than 6 years ago | (#20155197)

weird.

under os x, it didn't work in safari for me, and firefox just displayed the page just as it had been shown in safari, sans the "this won't work in your browser" message.

no full screen, no nothing.

tempted to try it in my virtual windows environment just to see *something*.

Re:Silly article (1, Informative)

Anonymous Coward | more than 6 years ago | (#20155295)

And in fact, it was unable to set itself on top; this came out in the console.log:

java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
        at java.security.AccessController.checkPermission(AccessController.java:427)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.awt.Window.setAlwaysOnTop(Window.java:1358)
        at FullScreen.start(FullScreen.java:30)
        at sun.applet.AppletPanel.run(AppletPanel.java:418)
        at java.lang.Thread.run(Thread.java:613)

Death threats anyway? (0)

Anonymous Coward | more than 6 years ago | (#20155597)

Sure it doesn't do much under MacOS, but maybe we should alert the fanbois anyway?

Or get some Linux or Windows fanbois to masquerade as Mac fanbois and have them issue the threats?

(It's humor, not trolling.)

Hence why I don't use java (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#20155101)

or even have a browser plugin for it. It really is a very bad language to use online, though thankfully it seems to have gone out of fashion - replaced for most "interactive" sites by flash.

Re:Hence why I don't use java (2, Insightful)

Glock27 (446276) | more than 6 years ago | (#20155133)

It really is a very bad language to use online,

Why is that? What is "worse" about it than Ecmascript?

For extra credit, explain why Java Web Start is worse than downloading a traditional application and installing it...

Lemmings...gotta love 'em.

Re:Hence why I don't use java (1)

SQLGuru (980662) | more than 6 years ago | (#20155323)

I'll venture this one.....

JavaScript is natively supported in the browser. Java requires an additional piece of software. Browsing the web in a secure mode should rely on the fewest number of software elements in order to minimize the opportunities for exploits. I'm not saying that only having one program running will prevent problems, but, as long as you keep that program patched appropriately, you should be safer than running two.

Layne

An interesting marketing technique... (2, Insightful)

solevita (967690) | more than 6 years ago | (#20155111)

No, I'm not talking about advertising via popups, I'm talking about Giorgio Maone's method of pushing NoScript. Whatever next? McAfee will release a super virus that only their product will stop? Or Microsoft start releasing IE exploits and paid-for patches?

I already use NoScript, but this sort of behaviour doesn't enamour me to the lead author.

Re:An interesting marketing technique... (1)

Kymri (1093149) | more than 6 years ago | (#20155443)

If he could figure this out, so could someone else.

It follows that someone who has an interest in potential exploits and (one presumes) protecting users-at-large from them (like, say, the author of a tool like NoScript) would be likely to discover such a thing.

It also seems to me that, having figured it out, it would make sense to make people aware of it.

Once he makes them aware of it, making them aware of possible countermeasures also makes sense - in this case, NoScript.

That's a far, far cry from McAfee releasing a virus that only their product can stop (which wouldn't be possible anyway, let's be honest - someone else would find a way to stop it in short order, just to 'stick it to the man'). As far as IE exploits and for-pay patches, I wouldn't be surprised if a subscription model for licensing doesn't come along from MS one of these days, where only active subscribers can get patches...

But neither of those is the same thing as what's going on here (in my own, personal opinion, of course).

Re:An interesting marketing technique... (5, Insightful)

Anonymous Brave Guy (457657) | more than 6 years ago | (#20155495)

If he were selling his software commercially, or people were being directed from the Slashdot front page to a page full of ads, then you might have a point, but that's not the case here. The guy has made an obviously useful tool, gives it away for free, and is warning about an obviously relevant threat. The most he's likely to get out of this is a few small donations or a few more page hits on his site, perhaps making enough to cover the server costs for hosting a popular Firefox extension for a while and a bit of beer money. I think your post is way over the top.

So how about how to stop this? (5, Interesting)

RaigetheFury (1000827) | more than 6 years ago | (#20155125)

I'd really like to see counter methods posted as (special) comments under articles like these. "Links to: How to prevent this". It would be really nice if we could use our mod points to "mark" a comment as a solution that an administrator could then move to the top. Why the administrator involvement? Simple, to prevent the teams of people who go around and exploit this type of function on Yahoo. This would still allow Slashdot to work off the same random moderator point system it has while keeping some semblance of order. They could play around with how many mod points a comment needs before an admin is notified.

Just a thought.

Old tech (0)

Anonymous Coward | more than 6 years ago | (#20155129)

I really don't like having Java installed in my browser as it is.

this is nothing new. there was a GNAA last measure mirror a while back (as in a year ago) that was like this.

I had to kill X to stop it somewhat, then I had to drop into a shell and kill the process. and this was on linux.

Just now it's being made public.

Can't even switch Workspaces (2, Interesting)

BobPaul (710574) | more than 6 years ago | (#20155141)

FF on Ubuntu 7.04 using Sun's Java (1.5 I believe). The Java one works wonderfully(?) not only filling my full dual monitor setup, but preventing me from clearing it using any method I tried, including hitting the hotkey to change Gnome workspaces. The only thing that did work was switching to a virtual console at which point I could kill firefox-bin.

Don't worry, I'll turn off the lights on my way out (2, Funny)

smallstepforman (121366) | more than 6 years ago | (#20155143)

No need to worry folks, us handful of BeOS users will switch off the lights and the internet on our way out, since we'll be the last ones to leave. Every now and then I'm actually relieved to be running a non mainstream OS.

Re:Don't worry, I'll turn off the lights on my way (0)

Anonymous Coward | more than 6 years ago | (#20155357)

us handful of BeOS users
What, both of you?

Re:Don't worry, I'll turn off the lights on my way (0)

Anonymous Coward | more than 6 years ago | (#20155373)

While we are at it, maybe improve it as well.

Re:Don't worry, I'll turn off the lights on my way (1)

mwvdlee (775178) | more than 6 years ago | (#20155489)

When that time comes, will you BeOS guys be joining the rest of the world on internet2?

Frontier justice on the fringes of the web (2)

Philotechnia (1131943) | more than 6 years ago | (#20155157)

If marketing clowns are allowed to do this to my PC, or more to the point, the PCs of people who DON'T know what to do to secure their PCs, I think DoS attacks on individuals or companies that engage in this behavior should be perfectly legal. It amounts to the same thing, really. You interrupt my ability to conduct my business, and I will return the favor...

Remind me: Why do we have applets again? (4, Interesting)

Toreo asesino (951231) | more than 6 years ago | (#20155165)

Seriously, name me one "house-hold" name website that uses Java applets anyway. Can't we just have it switched off by default? I like Java as a broad technology, but I'm finding applets increasingly irrelevant - interactive rich sites are being taken over by flash, ajax, and the probably-to-be-mainstream-soon Silverlight/Moonlight.

This isn't a flame....Java on the desktop is awesome and I love it.

*runs to the hills*

Re:Remind me: Why do we have applets again? (0)

Anonymous Coward | more than 6 years ago | (#20155315)

I would agree with you. I'm a Java developer, and I can't really envision a situation in which I'd want to use an applet. The last time I had to write one for work was in 1999, and the experience really sucked -- it was AWT (shudder).

I love Java for server-side and desktop programming though. :)

Re:Remind me: Why do we have applets again? (2, Interesting)

Megane (129182) | more than 6 years ago | (#20155333)

You've got a good point. I'm going to turn off Java in my Mozilla and see what the result is. I can't remember the last time I saw java-man showing that the plug-in was being loaded, and I blame Flash. Flash is faster to load the plug-in, and it supports lots of graphical and multi-media stuff inherently, not as an add-on library.

Re:Remind me: Why do we have applets again? (4, Informative)

SQLGuru (980662) | more than 6 years ago | (#20155361)

1. Yahoo.com

Done.

Yahoo uses Java for many of their online games. You might not play them, but a lot of people do. And that "lot of people" will probably leave Java enabled and be victim to this crap.

Layne

bad site, sit! (0)

Anonymous Coward | more than 6 years ago | (#20155201)

well he certainly is adept in writing what must be the slowest rendering page on this side of the solar system. dear god, try to scroll...

Redux (1, Interesting)

mritunjai (518932) | more than 6 years ago | (#20155207)

1. The bug was filed on 19 JUL (less than 10 days back) and henceforth made public when no "visible" action was seen from Sun, in the interim Sun asked to keep the issue confidential, but it was made public anyways.

I find it hard to justify as I don't know how a fix can be done and TESTED on all configurations (especially as wide as Java), in 10 days. Heck, full inhouse teams take *months* to roll out tested windows updates. I won't classify it as responsible disclosure.

2. The functionality is achievable by Javascript through LiveConnect present in Opera and Gecko based (Mozilla) browsers.

Great find, yep. But terribly executed and extremely irresponsible just to gain brownie points for NoScript!

*Shrug* (0)

Anonymous Coward | more than 6 years ago | (#20155221)

"Click here to download plugin"

No sympathy with people who installed the Java-crap.

Interesting (1)

squoozer (730327) | more than 6 years ago | (#20155239)

I'm surprised no one has thought of doing this before. What I am curious about though is why the applet doesn't have a border - I suspect it is because it has gone full screen. If that is the case a really easy fix would be to simply ban applets from going full screen unless they are signed.

Re:Interesting (1)

Kazymyr (190114) | more than 6 years ago | (#20155389)

How about not allowing applets to go full screen period. I see no good reason for them to.

Re:Interesting (1)

harmonica (29841) | more than 6 years ago | (#20155467)

Full screen and not having a border are two things in Java. The latter can be done by a call to setUndecorated(true).

Obviously, your fix would work for that as well: disallow unsigned applets from calling that particular method. But it'll take a lot of time until all those JREs are replaced.
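To make the signed-versus-unsigned split that squoozer and harmonica propose concrete: the JRE already gates some window behaviour on java.awt.AWTPermission, which is exactly why the applet in the earlier comment failed with an AccessControlException on setWindowAlwaysOnTop. The java.policy fragment below is an added illustration and is not from the original thread, from hackademix.net or from Sun's shipped default policy; the key alias "trustedvendor" and the keystore location are assumptions. It grants the two window-related permissions only to code signed under that alias, so unsigned applet code keeps the warning banner and cannot raise its window above the others. It does not by itself defeat the oversized-window trick badfish99 describes, since window size is not governed by any permission.

```java
// Added illustration of the permission-based applet sandbox; not code from the
// page, and not Sun's default java.policy. The alias "trustedvendor" and the
// keystore path are assumptions made for this example.
keystore "file:${user.home}/.keystore", "JKS";

// Only code whose JAR is signed under the trusted alias may keep its window on
// top of everything else and open top-level windows without the
// "Warning: Applet Window" banner. These are the permissions checked by
// Window.setAlwaysOnTop and by the banner logic respectively.
grant signedBy "trustedvendor" {
    permission java.awt.AWTPermission "setWindowAlwaysOnTop";
    permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
};

// No grant entry exists for unsigned applet code, so it receives only the
// sandbox defaults: setAlwaysOnTop throws the AccessControlException quoted in
// the thread, and every top-level window it opens carries the warning banner.
```

A deployment would point the JRE at this file with the java.security.policy system property or by editing the policy the plugin loads; the point of the fragment is to show that the warning banner and always-on-top behaviour are already permission-gated, so the weakness under discussion is the banner being pushed off-screen by an oversized window rather than the banner being suppressed.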

Xorg and "xkill", nuff said. (1)

strredwolf (532) | more than 6 years ago | (#20155251)

Java X11 app taking over? SSH into your box (unless you got another screen) and then DISPLAY=:0.0 xkill. Then it's just point, and shoot.

*BLAM!*

Extra points to whoever makes an xkill clone that has configurable sound when you shoot the app, from Luger 9mm, Colt .45, AK-47, a machine gun, Stroll Munitions BH-209i plasma cannon, nuclear bomb, or the all-time commercial favorite... "What's that?" "Oh oh.... RAAAAAAAAAIIIIDDDD!!!" *BOOOOOOOOOOOOOOOOOOOOOOOOOM!*

Re:Xorg and "xkill", nuff said. (1)

Professor_UNIX (867045) | more than 6 years ago | (#20155523)

Or you could just use Noscript or disable Java... but hey, I'm totally for using totally inconvenient solutions to problems if you can have cool sound effects.

It is closable (1)

ruewan (952328) | more than 6 years ago | (#20155271)

I tried it. It opened a window with no location bar or close buttons, but I could easily right click on the task bar and click close window. I don't see what the big deal is.

Re:It is closable (0)

Anonymous Coward | more than 6 years ago | (#20155577)

The problem isn't so much that the window is "uncloseable" (although for less technical users it effectively may be), but that the applet could draw a fake firefox / IE window based on your user agent and phish passwords etc. This is a fair bit of work to do well but it can be done, I saw a PoC ages ago using some sort of XUL trick that made a fake firefox with working menus, SSL connection properties etc.

This will lead to (3, Funny)

alexj33 (968322) | more than 6 years ago | (#20155313)

This Java discovery will lead to the following:

1. Java Popups 1.0

2. Java Popups on Struts

3. Java Popups 1.1. (Not compatible with 1.0 or struts, needs a patch to SunOS to work)

4. JPEE. (Java Popups, Enterprise Edition- Not compatible with 1.1)

5. Java Popups for Mobile Devices.

6. Java Popups for Mobile Devices, Enterprise Edition.

HA, and you thought that Java was going to make this easy for Phishers and Advertizers.

Of course, the obligatory workaround... (1)

glindsey (73730) | more than 6 years ago | (#20155331)

If you're too lazy to install NoScript:

Tools -> Options -> Content -> Uncheck "Enable Java"

Honestly, unless you have a legitimate reason to run Java applets, I don't see why to keep it enabled. I have found very few legitimate Java applets during the course of my normal browsing; most of them are something like "rippling water effect" or "annoying site counter".

Looks to me (1)

JamesRose (1062530) | more than 6 years ago | (#20155349)

Like this guy found a way to make popups in Javascript, and rather than acting responsibly and disclosing it to Sun and waiting for them to fix it, instead he just came out with it to try and convince people to use NoScript. It's like those virii that advertise anti-virus programs. I used to use NoScript but now I've uninstalled it, I am not going to use a program that is made by a guy creating security problems in order to force people into using his software.

How about open java? (1)

Bert64 (520050) | more than 6 years ago | (#20155353)

Now that java is released under the GPL, how long before someone releases a java plugin to block popups such as these?

I can in fact stop it because.... (1)

AxXium (964226) | more than 6 years ago | (#20155359)

I can in fact stop it because I have dual monitors. The hack only goes into full screen mode on one of the monitors which makes it quite easy to shutdown the browser from the other screen. Also, GNU/Linux users can switch between virtual desktops via keyboard and/or can kill X. It's the poor Windows users with only one monitor that will feel the most pain. ;)

AxXium

Re:I can in fact stop it because.... (1)

JoeCommodore (567479) | more than 6 years ago | (#20155553)

I tried switching the virtual X desktops, didn't work (as in the popup still popped up). Though you could go to a command line and kill the process...

This, of course, assumes you allow Java (2, Insightful)

wowbagger (69688) | more than 6 years ago | (#20155369)

This, of course, assumes that you allow Java to run without asking first.

If you, like me, don't allow Java or any other plug-in to run without the browser first asking you if it is OK to run, and if you don't allow plug-ins to run without having a VERY CLEAR idea of where they are coming from and what they will do, and do not run any such plug-in save from a VERY trusted source, then this will be very hard for an advertiser to exploit.

All the more reason why ALL plug-ins should be "user interaction required before use" BY DEFAULT.

I get it but... (1)

fishdan (569872) | more than 6 years ago | (#20155391)

It would have been nice if the demo applet had a timer and then minimized. We'd all still get it, and I wouldn't have to ssh into my box from my phone to kill Firefox.

Clearly Sun will have to act on this very quickly.

Limiting unsigned applets to 600x480 seems like a good first step. The problem of course is does Frame know for sure that its distant ancestor is an applet? In theory that's the idea behind the sandbox -- but clearly the sand has escaped and needs vacuuming.

Also -- I'm disappointed in /. readers. How have there not been any Lynx comments yet?
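
An added example, not Giorgio Maone's demo applet and not code from this thread: it shows the two plain JDK facts the comment above turns on. First, nothing in AWT stops a java.awt.Frame from being undecorated (no title bar, no close button) and sized to the whole desktop. Second, the only thing that ties a Frame back to "an applet" is the SecurityManager in force when it is constructed: if that manager denies AWTPermission("showWindowWithoutWarningBanner"), the window is marked insecure and Window.getWarningString() returns the banner text the applet plugin of that era painted into such windows. The AppletLikeSandbox class, the --sandbox flag and the Escape-key escape hatch are this example's own inventions; the permission name, Frame.setUndecorated and Window.getWarningString are real JDK API.

```java
import java.awt.AWTPermission;
import java.awt.Dimension;
import java.awt.Frame;
import java.awt.Toolkit;
import java.awt.event.KeyAdapter;
import java.awt.event.KeyEvent;
import java.security.Permission;

/*
 * Added example (not the hackademix.net demo applet).
 * Needs a display. Written for a 2007-era JDK (1.5/1.6); on JDK 17+ the
 * SecurityManager is deprecated and the JVM must be started with
 * -Djava.security.manager=allow for System.setSecurityManager to work.
 *
 *   java FullScreenFrameDemo            (no sandbox: warning string is null)
 *   java FullScreenFrameDemo --sandbox  (applet-like sandbox: warning string set)
 *
 * Press Escape while the window has focus to dispose it.
 */
public class FullScreenFrameDemo {

    /**
     * Hypothetical sandbox that denies only the warning-banner permission,
     * which is the check the AWT Window constructor performs. Everything
     * else is allowed so the rest of the demo keeps running.
     */
    static final class AppletLikeSandbox extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof AWTPermission
                    && "showWindowWithoutWarningBanner".equals(perm.getName())) {
                throw new SecurityException("applet windows must carry a warning banner");
            }
        }
    }

    /** Builds the undecorated, desktop-sized Frame the thread describes. */
    static Frame buildCoveringFrame() {
        final Frame f = new Frame("popup");
        f.setUndecorated(true);                       // no title bar, no [x] button
        Dimension screen = Toolkit.getDefaultToolkit().getScreenSize();
        f.setSize(screen);                            // cover the whole (primary) desktop
        f.setLocation(0, 0);
        f.addKeyListener(new KeyAdapter() {           // escape hatch for the reader
            @Override
            public void keyPressed(KeyEvent e) {
                if (e.getKeyCode() == KeyEvent.VK_ESCAPE) {
                    f.dispose();
                }
            }
        });
        return f;
    }

    public static void main(String[] args) {
        boolean sandboxed = args.length > 0 && "--sandbox".equals(args[0]);
        if (sandboxed) {
            System.setSecurityManager(new AppletLikeSandbox());
        }
        Frame f = buildCoveringFrame();
        // null without the sandbox; with it, the JDK's banner text (taken from
        // the awt.appletWarning system property, default "Java Applet Window").
        System.out.println("warning string: " + f.getWarningString());
        f.setVisible(true);
        f.requestFocus();
    }
}
```

The point for the "does Frame know it came from an applet?" question: it does not, and never did. The window carries a warning banner only because the plugin installed a SecurityManager that denies that one permission; size, position and decoration are not part of the sandbox at all, which is why a size cap like the one proposed would have to be enforced by the plugin's SecurityManager (or the plugin itself), not by Frame.
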

Not so tough... (1)

FauxPasIII (75900) | more than 6 years ago | (#20155483)

Using Windowmaker desktop, FF 2.0.0.6 and the gcjwebplugin it does indeed pop up full screen, but I can alt-drag it away (like any other window) and then xkill it. Irritating but not invincible.

You Can Stop It (1)

Dak RIT (556128) | more than 6 years ago | (#20155497)

I don't know about any versions of Linux or Windows as I haven't tested it on those yet, although I was definitely able to close it on a Mac using Safari (the site says it was tested for Safari as well).

When the java applet comes up fullscreen, it doesn't actually cover the menu bar on a Mac. To close the applet simply select the window that spawned the applet and go up to the File menu and select Close Window (or hit Cmd-W).

It also only affects your control over the specific browser (I'd imagine that's the same for Linux and Windows as well), as I could still cmd-tab between applications or use Expose.

That said, it's still bloody annoying.

Wet dreams (1)

Tsagadai (922574) | more than 6 years ago | (#20155505)

The wet dream of any slashdot poster is mentioning wet dreams more than twice in a single post. Why I could wet daydream all day about the wet dreams my mum would clean when I post a story like this.

Another way out of it... (1)

dreemernj (859414) | more than 6 years ago | (#20155537)

It certainly is an annoying trick. But, at least on the WinXP comps I tried, when I alt-tab between programs I can see the browser for a moment and then the Java popup covers it again. So I moved my mouse over the X for the browser and did alt-tab, click and closed the browser with no trouble.

Overall, definitely a great way to ruin someone's day though. Personally I keep pretty much everything turned off. I have a button in Opera to enable/disable various things like Java and Adobe. And NoScript is a great extension for FireFox. But there are still a lot of people out there that are going to get really screwed up by this finding.

huh? (1)

teknopurge (199509) | more than 6 years ago | (#20155549)

How is this different from any of the sites I've been to where a new IE window pops-up in the background with no menu-bar or buttons that takes up the entire screen? This is not a Java issue, this is an OS windowing issue.

One of the silliest articles on Slashdot in a while...

Obligatory Linux Elitism (4, Funny)

ticklejw (453382) | more than 6 years ago | (#20155551)

"Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop and cannot be closed by user"

Thing #397 That You Can Do In Linux But Can't In Other Popular Desktop OS's:

1. Ctrl+Alt+F1
2. Log In
3. missile-launch -f --target-from-process java
4. killall java
4a. killall firefox-bin (if necessary)

Actually this story is strangely coincidental; just a few minutes ago, I was trying to show a coworker a cool graphical demo of different sorting algorithm efficiencies, but I didn't have the Java plugin installed. Still don't.

Doesn't work in Opera (1)

Joebert (946227) | more than 6 years ago | (#20155561)

It doesn't work when I visit it with Opera 9.

Oh wait, that's right, I disabled plugins years ago when I read about something just like this.