Hello All
With regard to the recent Koobface Virus and corresponding Oracle Java vulnerability, is the open source IcedTea Java equally as vulnerable? And does NoScript protect equally well with either?
Thank you
Scott
Koobface Virus, IcedTea Java, and NoScript
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Linux Mint/9 (Isadora) Firefox/3.6.12
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Koobface Virus, IcedTea Java, and NoScript
There is no "corresponding Oracle Java vulnerability". The new Koobface requires the user to explicitly Allow a self-signed Java applet to execute with full permissions on the computer. I doubt even IcedTea Java can protect a user if they're willing to click through a warning like "This download from the Internet has the potential to harm or completely take over your computer. Do you still want to run it?"
From The Register: Lame, but still worth watching
"For that to happen, attackers will probably have to figure out how to bypass a window OS X prominently displays warning that a self-signed Java applet is requesting access to the computer. Assuming they do, or are able to trick users into clicking “Allow” anyway, they will also need to resolve issues preventing the downloaded files from installing.
"Those are high hurdles. But Koobface's considerable success on Windows shows just how gullible many marks are when it comes to scams promising free videos."
Even NoScript can't prevent a user from replying "Yes, do whatever you want to my computer so I can see the Dancing Bunnies". NoScript will help protect a user if the applet is offered by way of JavaScript or if NoScript Options > Embeddings > Apply these restrictions to whitelisted sites too is checked -- as long as the user doesn't Allow everything or click through the Java placeholder.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Koobface Virus, IcedTea Java, and NoScript
Alan Baxter wrote: NoScript will help protect a user if the applet is offered by way of JavaScript or if NoScript Options > Embeddings > Apply these restrictions to whitelisted sites too is checked -- as long as the user doesn't Allow everything or click through the Java placeholder.
Tiny correction: this is likely to work anyway, in default configuration (with no need for extra embedding restrictions), because the Java class files containing the attack are almost surely served from a non-whitelisted website, even if the applet might be embedded in a "trusted" page via SQL injection.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Koobface Virus, IcedTea Java, and NoScript
Exactly. As long as you don't Allow the world, NoScript's default settings will help protect you.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12