Interesting, but
I never realised things were so confusing and complicated, so this was very interesting. However I have to point out the writer has a real bee in their bonnet about Java, and that rant is rather bizarre.
In part one of this series, I explored the privacy threats presented by targeted advertising, and asked why we should care. Browser referral, social media buttons and cookies were examined as examples of basic methods used to track our movements across the internet. I also explored why advertisers track us, and examined …
The problem with Java according to the evidence presented seems to be poor auto-updating and a large install base of old versions so that old and vunerable versions of java are frequently available for exploit.
This is a real problem for the internet as a whole but not an indication that up-to-date versions are inherently less secure than up-to-date versions of other plug-ins.
I've developed Java Applets, and Java Web Start apps, and I thought they did run in a sandbox, and could only do something dangerous if it was signed with a certificate backed by a trusted CA (ok, ok, recent events makes this somewhat less than meaningful) and the user accepts the certificate when prompted.
And what to do when https certificates for your company's webmail, and even some sun/oracle sites throw up warnings. You get so used to saying yes because you know the site is ok, that one day you'll be caught out by another site...
Agree about the anti-java rant. It would have been more meaningful if it had been backed up by examples.
I assume he is in the pay of a competitor, probably Microsoft rather than Apple - even though Silverlight is briefly mentioned as another stanchion of the evercookie, and I didn't notice Android coming into it.
(Android stinks of Java, you know! And it killed Steve Jobs! But, if you're Microsoft, that part's good!)
A fully up-to-date Java probably isn't a much bigger threat than an up to date flash. But the problem is that java is often not updated! It is usually less up-to-date than flash, in many cases due to compatibility with critical applications.
During 2010, java exploits skyrocketed. Many researchers claimed they had in fact surpassed flash's astounding list of vulnerabilities. Sandboxed (in theory) or not, Java has become THE way to use an exploit to drop malware on a windows PC.
If there is enough interest, I'd be happy to write a quick summary article talking about the research. Suffice it to say that no, I'm not a paid shill for anyone here - why would Microsoft, aspiring cloudmongler of extraordinaire – hire a sysadmin? They are busy spending billions trying to ensure my kind are completely unnecessary!
I am willing to bet that Silverlight, Flash and Java have a roughly equal number of bugs with roughly equal severity per line of code. The issues that lead to their risk level are a combination of distribution and patching.
As discussed above, Java is the one that is least updated amongst the bunch, and who really cares about malware on the PCs of both Silverlight users? As near as I can tell, Silverlight is used for Microsoft properties, small handful of other websites to display video and storing evercookies.
So no, I’m not promoting or demoting one technology over another here. I am saying that allowing Flash/Java/Silverlight (or anything remotely similar) to simply launch on any website they feel like launching is bad. Not only is it a privacy issue, but it is a security hole by which fun things can take over your PC.
Use a plug-in to force them to ask for each and every website whether or not they have permission to execute.
If you don’t believe me about Java, then there is a safe, simple experiment you can run. Set the Java console to enabled at startup. (http://download.oracle.com/javase/1.5.0/docs/guide/deployment/deployment-guide/console.html) Every time Java is launched from a webpage, a popup will appear that shows you “hey, something is activating Java…and this is what it is doing.”
Browse around the web for a few months with it on. You’ll be quite surprised how many websites use Java that you didn’t know about, and how many are trying to exploit vulnerabilities. The largest problem behind Java isn't that it is vulnerable, it is that nobody seems to realise how broken it really is.
We all defend against Flash. It's time to do the same against Java.
Is it, really? I thought the point of browser-side Java was to provide me an applet that performed a service. Either it was a game, or it was a file browser, or some other useful widget. The browser-side java something-or-other should be obvious. Something visible that provides the user a benefit.
What it shouldn’t be is a 1px dot somewhere under a div, hidden away whose sole purpose is to plant a cookie, read files off your PC, or drop malware via an exploit.
Browser-side java can be a good thing. In the real world however the bad guys are using it a heck of a lot more than the good guys. What’s worse, when the good guys do use it, they are typically slow to update, requiring older versions of java (with known exploits!) to be used if you want to use that one critical java app on that one website.
Any browser plug-in, be it Java, Flash or Silverlight should be obvious when in use. It should ask the user “do you want to use this third-party software that may screw up your computer, kick your dog and end the world as we know it?” It should warn you each and ever time that it kicks in if your version of the plug-in is out of date.
Browsers – by and large – are secure. Yes, there are exploits discovered for each of the main browsers every year. But far more as discovered – and regularly exploited – for these “common browser extensions” than the underlying browsers themselves.
Browser extensions should never be activated without your knowledge. Especially risky ones like Java that have a great deal of access to your PC. The idea of browser-side java is to provide the end-user with a useful applet that does something the user wants it to do.
Not to operate – ever – without the user’s knowledge.
To quote wikipedia:
on 5 January 2011, Adobe Systems, Google Inc., and Mozilla Foundation finalized a new browser API (dubbed NPAPI ClearSiteData). This will allow browsers implementing the API to clear Local Shared Objects.[11] Four months later, Adobe announced that Flash Player 10.3 enables Mozilla Firefox 4 and "future releases of Apple Safari and Google Chrome" to delete Local Shared Objects
So things aren't as bad as they could be, clearing cookies in firefox at least deals with LSOs if flash is up to date. Not experimented with the others, but presumably they had time to do it.
And yeah,for me java is disabled except when needed. just good sense.
1 - It ends up installed on a lot of machines where it's never used. Or even known of.
2 - Update doesn't integrate with the OS so it doesn't get updated regularly. Or at all, see 1 above.
3 - It has (had) some rather nasty bugs.
http://krebsonsecurity.com/2011/10/critical-java-update-fixes-20-flaws/
I spent 4 hours trying to get a straight answer myself. Short version: nope, CCleaner doesn't kill them. Apparently, in addition to the methods talked about in this article - which I wrote about a month ago - a couple new HTML5 methods have come into play which CCleaner doesn't kill.
Unless browser makers seriously change their lax attitude towards the issue, HTML5 will be the death of individual privacy on the Internet.
Could be a lot of reasons for that. My account was originally created way back before I ever started writing for El Reg...could be that somewhere in the CMS it's flagged as "old-fashioned commenttard" instead of "user group that has access to El Reg icon." It could be they reserve it for some subset of writers that I don't belong to? (I am a freelancer, not a staffer.) It could just as easily be as simple as "I've never asked."
In short: I have no idea. It’s all good though; I’m a commenttard first, and a writer second. Why should I have a different icon than all my other commenttard brethren?
Regarding CCleaner: don't lose hope! The folks behind CCleaner do a great job of trying to keep up with the times. They have made significant efforts specifically relating to the evercookie before, and I suspect that they will come through for us in the future. It takes time, research and effort to keep up with the kind of scum who use evercookies. The kind of effort that sometimes seems like a legitimate parallel to malware research.
Maybe we should be asking Microsoft/AVG/Kaspersky/Symantec/etc. to step up and add it to their antimalware products.
Useful program, SandboxIE.
You can force any (well known) browser (or, if you configure it yourself, lesser known ones) to run entirely sandboxed. Any files that change from that app (inc. LSOs) can be wiped on exit , so only your existing session is affected. The only thing that will recur after that, is your IP.
Try it.
Disclaimer: Happy SandboxIE user - nothing to do with the developer :)
but I've noticed the Flash advertisments on some sites (such as Photobucket, when uploading pictures) disable the audio mute button on my laptop. I haven't been able to find any mention of this by searching the internet (because my searches return answers related to onscreen 'buttons' for Flash devs)- is this related?
I appreciate that the El Reg forums aren't at tech support forum, but it seems that if it can take control of my webcam and mic, fluffing with my physical mute button should be easy.
Re: previous post: through = thorough. Autocorrect is my nemesis.
As a follow-up, to the previous discussion it seems like this behaviour goes away if you disable Flash's ability to tinker with mic/webcam via the Flash settings page. Under some circumstances. If that setting isn't properly secured, then the physical mute button seems to be something flash can block no matter the active window context.
With the mic/webcam setting properly secured, Flash still seems able to block the physical mute button, but only when that specific window is active. Whether or not the tab in question has to be the active tab seems to depend on the individual browser’s sandboxing capabilities.
Later versions of Firefox for example can be set up to launch a new sandbox every few tabs. So the behaviour seems weird and inconsistent, but there is an underlying logic to the whole thing.
Assuming f course that there was ever any logic to the ability of Flash to ever be able to prevent you from using the physical mute (or volume up/down) buttons in the first place.
Note: tested only under Windows XP and 7. I have not tested under Windows 8, Android or Linux.
"All it takes is one bad website to get Flash or Java open, and all your carefully crafted privacy defences are wiped out."
In regards to the browser's privacy/security-zones settings, they're enforced by GPO.
Regarding Java, part of the reason it's such a pariah was illustrated nicely by Dino Dai Zovi in slide #10 of his "Attacker Math 101" presentation. It's an easy way to leapfrog the mitigations of the browser, escape the sandbox and integrity restrictions in the case of Chrome or IE, and move right on with the attack. You can get the PDF from here if interested: http://trailofbits.com/2011/08/09/attacker-math-101/ I'm glad to report my small fleet is Java-free.
Regarding NoScript, or the equivalent use of Zones in IE, the fatal flaw is that over 50% of the malicious websites in the world at any given time, are normally safe. If The Reg is on my "approved" list and they get hacked... game over.
Most users never use Java apps, there's no sense in leaving it on, better to disable it and deal with the edge cases when someone actually needs it.
My SOP is to disable Java, Flash, auto fill and PDF plugins, most of the web works just fine sans flash since iOS support became a big deal, and in the cases where only flash will do, it's built into googles chrome browser which keeps it up to date without user intervention.
On a different yet related note, a good few years ago I knocked up a script that encoded a users IP and forum ID into the reply button jpeg on a MMOG forum, this enabled us to identify who was leaking screen grabs from private areas of the forum. /misspent youth.
Get rid of javascript, Flash and Silverlight? Avoid HTML5? Might as well chuck your computer, get off the grid and smash your phone while you're at it. A better approach would be to watchdog the major sites/services that people use, e.g. Google, Facebook, Twitter. As long as the big boys are made to play nice and you use a few of the tools mentioned to mitigate most other abuses, then you can enjoy a reasonable amount of privacy without sacrificing so much functionality.
BTW, using the Canvas element to read encoded information from an image is very devious. The coverage and description of the threats was very well done. I just took exception to the overly drastic advice.
I don't have flash (never have) nor silverlight (ditto), java (same), I effectively nuke jscript with noscript, it very rarely gets enabled, I disable cookies except for a few minutes when gmailing or el-reg-ing, and block a huge list of dubious/ad sites[*]. Doesn't make me invisible (reminded to self - munge referrer string) but it makes it harder. Bonus: firefox is much faster like this.
If I need to do something jscripty like searching on script-wormy job sites, well, there's vmware. And I don't run as admin.
I'm not prepared to willing to trade security for liberty, or worse, ease of use. Try it, it's really not so bad.
[*] I do have a problem with this, the sites I value like this one need to make money somehow. It's a dilemma.
(note to Trevor - good articles, keep them up)
They should have some seperate program where I can enter/store my credentials per website, For which the browser should supply them with the appropriate entry in this collection which a specific website then can read and log me in automatically. Any other reason why websites would want to be storing any data is bull anyway.
And yes, fix http so it is session aware, or store the session in the url. But don't misuse cookies for that either.
And the funny thing is: The Register is as bad as any of them, why did I get advertisement of a certain clothing website I visited on your site? Adsense is bad, it's one of the worst offenders of cookie/browser history misuse.
I have been thinking along the same line's but the problem is that a virtual machine takes a long time to start, compared to the browser and consumes lots of resources, if loaded with a normal OS. All just to run one browser and its plug-ins. Maybe fitting the VM with a pared-down Linux with just enough stuff to run the browser would mitigate this problem? On Linux, one could perhaps use UML to implement a light-weight sandbox for the browser. Its not a real VM, but the Linux kernel run as a user-mode process. Not as watertight as a complete VM, but might be sufficient for sandboxing malware, which would have to be aware of bugs in both the browser or plug-in and UML in order to break out.
I think there already exists an experimental Linux distro where all apps run in sandboxes (not sure of details).
"...I strongly advocate either the complete removal of Java, Silverlight, Flash and the disabling of JavaScript..."
Oh for gawd's sake. One might as well have the news and entertainment delivered via Morse code...
Do what I do. Surf websites that cover topics in which I have zero interest. This confuses the advertisers to no end.
> Provides 4 links to sites
> One from 2011 basically moaning about people not updating Java
> One from 2007 that is actually about a Quicktime bug
> One by Krebsonsecurity.com, which uses Google Analytics to check the readers' goodies
> One from 2010 where Microsoft complains about Java
> Calls is "unbelievably broken"
My face when.
The best I can get out of this is a citation by Microsoft:
"[Microsoft] said that Oracle, which is now ultimately responsible for Java after its Sun acquisition, should collaborate with competitor Microsoft to automatically distribute Java patches"
Yes, good idea. Please implement.
well that's me screwed then?
Huge amounst of hardware uses java, as do our (external 3rd party) websites that we HAVE to use.
So Ill remove java and refuse to use it and tell my management that I can't do my job becuase this authour says so.
Oh hold on, this is the real world i live in.
If you need Java to do your job, then 1) make sure it's up-to-date, and 2) make sure it's only permitted to run on the sites where it's needed. If you use IE and have Admin privileges available, you can do this by arbitrarily disabling Java in the Internet Zone. Then set the Trusted Zone security to Medium-High and add the necessary sites to it. Now test your config using a Java-driven site like www.time.gov (click a time zone).
I'll also add 3) use Microsoft's EMET to add mitigations to Java.exe, as well as your web browsers, media players, PDF software, and other Internet-facing software.
Wait, you use in-browser java to play Minecraft? Why not just download it? It's safer. That way, if an update trundles along that breaks everything (because that NEVER happens in Minecraft...) you can play the old, downloaded version until Moot caves and fixes whatever new features made everything go boom.
*Block*
*BlockBlockBlockBlockBlockBlockBlockBlockBlockBlockBlockBlockBlockBlock*
*Block*
@Blacklight RE: SandboxIE: Good idea!
@Destroy All Monsters RE: Virtual machine: Good idea!
I can attest to both of those methods working, albeit some what inconvenient, but worth it, none-the-less.
Can any one tell me, are Flash LSO's the method sites like Mega Upload use to keep track of how much video I've watched, even when I change IP's, clear cookies, etc.?
So..... the conclusions of the author are disable java/silverlight/javascript/any local execution etc etc etc... yawn. This is really 'sensible advise?' then.. why not do it properly and use a secure browser... http://en.wikipedia.org/wiki/Lynx_(web_browser) - disabling cookies obviously!
Do some of these people live in the real world?
how do you do prevention?
simple -
Lock the bloody directories into which the various pieces mentioned in the article are written.
(mac, safari)
for example: the directory to which Flash writes its various files is locked. The browser CAN NOT write to it. The site works, as all the information is kept in the browser. Upon exiting the bowser - there is nothing left.
Is the link to the Flash privilege escalation bug incorrect? MS-ISAC ADVISORY NUMBER:
2011-015 is for a bug that allows remote code execution and "could also result in an attacker gaining the same privileges as the logged on user". The bug itself seems to relate to flash embedded in an Excel attachment received via e-mail which hardly fits the "browsing the web" scenario being discussed.