Monday, October 29, 2007

Exploiting the Weakest Link with Drive-by Java

Via gnucitizen.org -

For those of you who have never seen a warning message like the one above, this is the default dialog box you get from the Java Runtime when you run cryptographically signed applets. Signed applets are different from unsigned ones: basically, they differ in terms of their security sandbox and level of privilege. Signed applets can do anything that your desktop applications can do, although they run from the browser.

The one million dollar questions are: how is that secure, and should SUN rethink the security of their platform? We know that unaware users will approve anything just to get their game running. This type of attack is by far the simplest to perform and does not rely on any particular kind of vulnerability. The Java Runtime is the only embeddable object which gives such a degree of access from simple Web pages. Flash, Adobe, and even Signed JavaScript (disabled by default) won't allow you to do all of these, mainly because it is highly insecure!

I know that a lot of angry Java developers and many military grade (what’s that?) exploit hunters may object, but let’s be honest here for a moment. Most of the hacks occur due to simple human mistakes. In the case of the Java Runtime, there is a 50% chance to make the wrong choice. I think that malware authors like this figure a lot, especially when no vulnerability is required to perform the hack. Not to mention that the information displayed inside the security warning box can be easily forged in such a way that the attackers can increase their chances by making the user believe they are doing the right thing.

Over the years, I’ve been using this type of attack in a number of scenarios and I am sorry to say it, but it works so well that it almost feels surreal. The following ant script is a tool that I wrote a long time ago to compile and sign Applets and JAR files in a few simple steps. I use it every time I can, just to prove that having Java enabled on a workstation that is part of a large enterprise is kind of a bad idea.

-----------------------------------------

The human element is the weakest link in the security chainmail.

You can patch QuickTime and you can patch Firefox... but you can't patch human stupidity.

The word, stupidity, may sound harsh but ultimately it is just human nature and it bites us all sooner or later.

Education is the key to fighting these types of human "vulnerabilities".
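The warning dialog discussed above shows the user little more than the subject name on the signing certificate, which is why the quoted post says it is easy to forge. As an added example (not code from the gnucitizen post, the ant script it mentions, or this blog), the following small Java audit opens an applet JAR with verification enabled, forces each entry's digest to be checked, and prints the signer each entry carries, flagging self-signed certificates. The class name `AppletJarAudit` and the JAR path argument are assumptions; the certificate chain is not validated against a trust store.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class AppletJarAudit {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java AppletJarAudit <applet.jar>");  // assumed invocation
            System.exit(2);
        }
        int signed = 0, unsigned = 0;
        // verify=true makes JarFile check META-INF signature files; the digest of an
        // entry is only verified once its bytes are actually read, so we drain each one.
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* a tampered entry throws SecurityException here */ }
                }
                CodeSigner[] signers = e.getCodeSigners();  // null when the entry is unsigned
                if (signers == null) { unsigned++; continue; }
                signed++;
                for (CodeSigner s : signers) {
                    CertPath path = s.getSignerCertPath();
                    Certificate leafCert = path.getCertificates().get(0);
                    X509Certificate leaf = (X509Certificate) leafCert;
                    // Subject == issuer means nobody vouched for the name the dialog will display.
                    boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
                    System.out.printf("%s signed by %s%s%n", e.getName(),
                            leaf.getSubjectX500Principal().getName(), selfSigned ? "  [SELF-SIGNED]" : "");
                }
            }
        }
        System.out.printf("signed entries: %d, unsigned entries: %d%n", signed, unsigned);
    }
}
```

A JAR whose entries are partly unsigned, or whose signer is self-signed, is exactly the case where the dialog's displayed name carries no assurance, so those are the two counts an administrator would want to see before whitelisting anything.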

2 comments:

  1. Sorry, Todd -- the user education bus has already left the station. :-)

    In other words, we (The Internet Community at-large) have trained users to be insecure. How? By forcing them to allow dangerous practices (e.g. JavaScript) in order to enjoy "feature-rich" content.

    Completely self-defeating.

    - ferg

  2. Very true, but user education can still work in smaller subsets of the general population, like in a corporate re-education security talk.. lol

    A man can wish, can he not? lol
