Java 0-day exploit question

Posted: Tue Aug 28, 2012 5:56 pm
by HamptonHawes01
Disable Java NOW, users told, as 0-day exploit hits web • The Register

=====

Does Noscript have a Java only whitelist?

I have to use Java at a few chess sites (less than 5) and that's all I need it for. I don't want (or need) it running on other sites.

I have this setting: Options > Embeddings > [check marked] Forbid Java

If I understand the situation correctly...

Noscript protects me if I'm visiting a site for the first time. But I went to example.com before and I clicked "Allow example.com". So if I go there right now - I think that means the site can run Java and I don't want that.

Re: Java 0-day exploit question

Posted: Tue Aug 28, 2012 6:24 pm
by therube
NoScript by default blocks Java on non-allowed sites.
You can set it to block Java on all sites by enabling Options | Embeddings, Apply these restrictions to whitelisted sites too.

Re: Java 0-day exploit question

Posted: Wed Aug 29, 2012 11:04 am
by Tom T.
therube wrote:NoScript by default blocks Java on non-allowed sites.
You can set it to block Java on all sites by enabling Options | Embeddings, Apply these restrictions to whitelisted sites too.
Then, if you thoroughly trust the chess site, open NS menu, point to "Blocked objects", and click "Temporarily allow Java-VM (or similar) from SiteX.com".
Confirm if prompted.
When done with the site, either click "Revoke temp permissions", or just close and restart the browser.

I use Java at only one very trusted site, and have operated in this manner for years, long before this exploit and many others.

Re: Java 0-day exploit question

Posted: Wed Aug 29, 2012 4:12 pm
by tlu
Another method: uncheck "Forbid Java" in Noscript Options -> Embeddings tab and add the following rule in Options -> Advanced -> ABE -> User:

Site java-vm@*.*
Deny

This blocks java on any site. If you want to define an exception for sites like, e.g., abc.org or xyz.com, this rule should look like this:

Site java-vm@*.*
Accept from .abc.org .xyz.com
Deny

Details regarding ABE can be found on http://noscript.net/abe/

Re: Java 0-day exploit question

Posted: Wed Aug 29, 2012 7:38 pm
by HamptonHawes01
tlu wrote:Another method: uncheck "Forbid Java" in Noscript Options -> Embeddings tab and add the following rule in Options -> Advanced -> ABE -> User:

Site java-vm@*.*
Deny

This blocks java on any site. If you want to define an exception for sites like, e.g., abc.org or xyz.com, this rule should look like this:

Site java-vm@*.*
Accept from .abc.org .xyz.com
Deny

Details regarding ABE can be found on http://noscript.net/abe/
I don't understand. I can't get it to work.

= [unchecked] "Forbid Java" in Noscript Options -> Embeddings tab
It's now unchecked.

= [checked] Apply these restrictions to whitelisted sites too.
This is checked. Does this matter?

Site java-vm@*.*
Deny
I put it in SYSTEM. And now the code appears in SYSTEM and in USER.

[checked] Enable ABE

[unchecked] Allow sites to push their own rulesets

[checked] WAN IP

=====

I clicked "OK" and went to this "test page" at chessgames.com

Paul Morphy vs Duke Karl / Count Isouard (1858) "A Night at the Opera"

The Java interface for the chess board still loaded.

I restarted Firefox and went back to the page and the Java interface for the chess board still loaded.

Re: Java 0-day exploit question

Posted: Thu Aug 30, 2012 10:45 am
by tlu
HamptonHawes01 wrote:
= [checked] Apply these restrictions to whitelisted sites too.
This is checked. Does this matter?
No, that shouldn't matter in this case.

I clicked "OK" and went to this "test page" at chessgames.com

Paul Morphy vs Duke Karl / Count Isouard (1858) "A Night at the Opera"

The Java interface for the chess board still loaded.

I restarted Firefox and went back to the page and the Java interface for the chess board still loaded.
I'm not familiar with that site and didn't try it. However, you can test if Java works for you, e.g., on

http://javatester.org/version.html

and

http://java.com/en/download/installed.jsp

It didn't work for me on both sites with the settings I told you.

Re: Java 0-day exploit question

Posted: Thu Aug 30, 2012 1:06 pm
by Giorgio Maone
tlu wrote: Site java-vm@*.*
Deny
Sorry, there's a misunderstanding here.
Syntax like "java-vm@*" or, more in general, "some-mime-type@some-url" cannot work in ABE (even though it is used in NoScript's Blocked Objects menu) because at the time ABE runs (before hitting the network) the mime type of the loaded resource is unknown.
Therefore ABE cannot help blocking just one type of file, even though you can use it to block *any kind* of plugin embedding (i.e. Java AND Flash AND Silverlight...) except on sites a.com, b.com and c.com with a rule like:

Site *
Accept from .a.com .b.com .c.com
Deny INCLUDE(OBJ)

Re: Java 0-day exploit question

Posted: Thu Aug 30, 2012 1:22 pm
by tlu
Giorgio Maone wrote:
tlu wrote: Site java-vm@*.*
Deny
Sorry, there's a misunderstanding here.
Syntax like "java-vm@*" or, more in general, "some-mime-type@some-url" cannot work in ABE (even though it is used in NoScript's Blocked Objects menu) because at the time ABE runs (before hitting the network) the mime type of the loaded resource is unknown.
Therefore ABE cannot help blocking just one type of file, even though you can use it to block *any kind* of plugin embedding (i.e. Java AND Flash AND Silverlight...) except on sites a.com, b.com and c.com with a rule like:
Giorgio, now I'm confused. I tested that rule, and Java was successfully blocked on several test-sites. However, flash still works on, e.g., youtube and other sites which shouldn't be the case according to what you said ... :? Or am I misunderstanding something?

Re: Java 0-day exploit question

Posted: Thu Aug 30, 2012 1:27 pm
by tlu
Giorgio,

btw - I am not the only one for whom these rules work. Look what Tom once wrote here.

Re: Java 0-day exploit question

Posted: Thu Aug 30, 2012 3:17 pm
by HamptonHawes01
I am now 100% confused.
tlu
I tried the javatester.org page - it worked.

chessgames.com fails. Java loads.

=====

My original question was "Does Noscript have a Java only whitelist?" Okay, so the answer is "No."

Here's my new question - "Is it possible to create a de facto whitelist for each plug-in?"

If it's possible...
  • I'd like an example that blocks all Java.
  • I'd like an example that allows Java to only work on chessgames.com
  • I'd like an example that blocks all Silverlight.
  • I'd like an example that allows Silverlight to only work on microsoft.com (or even better only research.microsoft.com). Project Tuva is a huge number of lectures by Richard Feynman that requires Silverlight to work. Because of Feynman - I'm willing to allow that bloated piece of proprietary nonsense with possible security holes to run. Otherwise - I don't want it functioning anywhere.
=====

If de facto whitelists aren't possible - I have a feature request. Please make them possible.

I see zero benefit in allowing things like Java and Silverlight to run on all the sites in my whitelist. I don't trust them. I don't like them. If you don't like your brother-in-law - you might still be okay (more or less) with having him over for the holidays. But you sure don't let him start to live on your couch.

Re: Java 0-day exploit question

Posted: Thu Aug 30, 2012 9:15 pm
by Giorgio Maone
@tlu: I've got no idea of why your mime-type@site.com rules appear to work.
They shouldn't.
Did you check whether disabling them changes anything?
HamptonHawes01 wrote: Here's my new question - "Is it possible to create a de facto whitelist for each plug-in?"
Yes it is, but it's not point-and-click easy.
You need to check NoScript Options|Embeddings|Apply these restrictions to whitelisted sites as well, then use the noscript.allowedMimeRegExp about:config preference to specify your whitelist.
HamptonHawes01 wrote:
  • I'd like an example that blocks all Java.
  • I'd like an example that allows Java to only work on chessgames.com
  • I'd like an example that blocks all Silverlight.
  • I'd like an example that allows Silverlight to only work on microsoft.com (or even better only research.microsoft.com).
  1. NoScript Options|Embeddings|Apply these restrictions to whitelisted sites as well must be checked, like Forbid Java and Forbid Silverlight on the same panel.
  2. the noscript.allowedMimeRegExp about:config preference must contain the following entries:

    application/x-java\b[\w-]*@https?://chessgames\.com/.* application/x-silverlight@https?://research\.microsoft\.com/.*

Re: Java 0-day exploit question

Posted: Thu Aug 30, 2012 10:26 pm
by HamptonHawes01
Giorgio Maone wrote:You need to check NoScript Options|Embeddings|Apply these restrictions to whitelisted sites as well, then use the noscript.allowedMimeRegExp about:config preference to specify your whitelist.
HamptonHawes01 wrote:
  • I'd like an example that blocks all Java.
  • I'd like an example that allows Java to only work on chessgames.com
  • I'd like an example that blocks all Silverlight.
  • I'd like an example that allows Silverlight to only work on microsoft.com (or even better only research.microsoft.com).
  1. NoScript Options|Embeddings|Apply these restrictions to whitelisted sites as well must be checked, like Forbid Java and Forbid Silverlight on the same panel.
  2. the noscript.allowedMimeRegExp about:config preference must contain the following entries:

    application/x-java\b[\w-]*@https?://chessgames\.com/.* application/x-silverlight@https?://research\.microsoft\.com/.*
A few quick questions before I hunker down to figure everything out...
  • In the about:config preference I can only use spaces to separate one "chunk" of code from another, right?
  • What do I use as a separator between URLs? In other words - can I use a semi-colon like this?

    application/x-java\b[\w-]*@https?://chessgames.com/.*;https?://example.com/.* application/x-silverlight@https?://research\.microsoft\.com/.*;https?://example.com/.*
  • I forgot my third question. Oh, well - I'll be asking more questions later.

Re: Java 0-day exploit question

Posted: Thu Aug 30, 2012 10:38 pm
by Giorgio Maone
HamptonHawes01 wrote: In the about:config preference I can only use spaces to separate one "chunk" of code from another, right?
Right
HamptonHawes01 wrote: What do I use as a separator between URLs?
They're not URLs, but regular expressions which are matched against the
mime-type@full-url
string at load time.

Therefore, to accomplish what you seem to be wanting to accomplish, you need to assemble your URL patterns using parenthesized groups and the vertical pipe ("|") as the separator, like this:

application/x-java\b[\w-]*@https?://(?:chessgames\.com|example\.com)/.* application/x-silverlight@https?://(?:research\.microsoft\.com|example\.com)/.*
As I said, not "point-and-click easy", but easy enough if you know regular expressions.
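
The matching described in the post above, modelled as an added example (not part of the original thread and not NoScript's own code). It assumes each space-separated entry must match the whole mime-type@full-url string; the function names and sample URLs are constructed for illustration.

```javascript
// Added example: models the matching described in the post; not NoScript's source.
// Assumption: every whitespace-separated entry must match the whole
// "mime-type@full-url" string.
function compileWhitelist(pref) {
  return pref.trim().split(/\s+/).filter(Boolean)
    .map((entry) => new RegExp("^(?:" + entry + ")$"));
}

function isAllowed(pref, mimeType, url) {
  const subject = mimeType + "@" + url;
  return compileWhitelist(pref).some((rx) => rx.test(subject));
}

// Preference value from the post above: hosts grouped with (?:a|b).
const GROUPED = String.raw`application/x-java\b[\w-]*@https?://(?:chessgames\.com|example\.com)/.* application/x-silverlight@https?://(?:research\.microsoft\.com|example\.com)/.*`;

// The semicolon attempt from the question: ";" is a literal character in a
// regular expression, so each entry now demands a ";" inside the URL.
const SEMICOLON = String.raw`application/x-java\b[\w-]*@https?://chessgames.com/.*;https?://example.com/.* application/x-silverlight@https?://research\.microsoft\.com/.*;https?://example.com/.*`;

// Constructed sample loads: [mime type, full URL].
const SAMPLES = [
  ["application/x-java-vm", "http://chessgames.com/board"],
  ["application/x-java-applet", "https://example.com/viewer"],
  ["application/x-java-vm", "http://www.chessgames.com/board"], // "www." is not in the pattern
  ["application/x-java-vm", "http://untrusted.example/applet.jar"],
  ["application/x-silverlight", "http://research.microsoft.com/tuva/"],
  ["application/x-shockwave-flash", "http://chessgames.com/board"], // type not listed
];

// One allow/deny decision per sample, in order.
function decisions(pref) {
  return SAMPLES.map(([mime, url]) => isAllowed(pref, mime, url));
}

console.log("grouped:  ", decisions(GROUPED));
console.log("semicolon:", decisions(SEMICOLON));
```

Running candidate values through a check like this before pasting them into about:config shows both entries that silently allow nothing and hosts (such as a www. prefix) that the pattern does not cover.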

Re: Java 0-day exploit question

Posted: Fri Aug 31, 2012 3:34 pm
by tlu
Giorgio Maone wrote:@tlu: I've got no idea of why your mime-type@site.com rules appear to work.
They shouldn't.
Okay, I repeated my tests and found the following:

1. On http://java.com/en/download/installed.jsp?detect=jre the rule seems to work: The code that tried to detect my java version didn't come to an end. (However, this might be influenced by the fact that I don't use Oracle Java but Icedtea.)
2. http://javatester.org/version.html recognized my version as 1.6.0_24 from Sun Microsystems.

On some other sites I tested java also worked. In my earlier tests I might have forgotten to allow plugins via click-to-play. :evil: (However, on some sites the CTP symbol was not displayed in FF as it should - this might have contributed to my error.)

I stand corrected. :oops:

Re: Java 0-day exploit question

Posted: Fri Aug 31, 2012 3:39 pm
by therube
(
Even though Adobe has released patches for this 0-day, there appears to be a spin on the (or another) vulnerability such that you are still vulnerable even with the latest patch installed.

Additionally: [Java Not Blocked in 17].
)