New universal java exploit
August 8th, 2007 | by useful | in General |It is now possible to take over a users entire screen with an unclosable window. Time to turn off java or more drastically javascript all together. I use noscript but I’ve enabled it to allow the site only the domain I’m visiting. This exploit (5 clicks to close) works in every browser I’ve tried. NoScript fixes the problem if you turn off disable the offending site. Internet explorer users will probably have a harder time with this due to market share compared to firefox.
There is also a javascript popup exploit in the wild that is modal and prevents you from closing the browser without ctrl-alt-del. Unfortantely I didn’t save an example. This combined with all the new exploits like computer finger printing with res timing as well as credential theft with XMLHTTPRequest.
Remember all the sites you could send people in 2000 to that totally fucked over their computers? They’re possibly making a come back. Firefox should hopefully be safer in a month but I wouldn’t have hopes for IE6 or IE7. It will be the bane of the internet in a few weeks when it makes its way into the wild.
Tags: exploit | Firefox | internet explorer | java
August 8th, 2007 at 4:57 pm
I thought this was a Java exploit and not a JavaScript exploit. If you turn off Java rather than JavaScript, does that also solve the problem? If so, I’d recommend that rather than JS since JS is ubiquitous and Java is rare.
- A
August 8th, 2007 at 5:14 pm
You’re right, turning off Java fixes the problem. I assumed JavaScript due to to its notoriety. I’ll edit the post.
Turning off Java still shouldn’t fix the problem because I believe you can use document.applet[].method() to execute Java from JavaScript. I’m not sure though, its something to try.