Archive for the Java Category

Recent explosions of Petko D. Petkov (pdp)'s pwning lust should teach us a lesson: documents should be documents, not programs!

We've seen MP3 tunes pwning Firefox (and NoScript promptly counter-pwning), Windows playlists pwning browser security, and finally PDF documents pwning Windows PCs.
This latest "disclosure" sounds like a strange case of pwnatio precox, since Petko didn't bother to reveal any detail about the flaw. All he said is

Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.

I've got no problem with believing his words, since the stuff we keep calling "documents" became containers for all kinds of executable code long time ago, either intentionally (script embedding) or by accident (buffer overflows, often due to an overly complex format driven by creeping featurism).

I (like many people, I guess) do have problems with his suggested work-around:

My advise for you is not to open any PDF files (locally or remotely).

This is something no business can afford, plain and simple.
The real fix would be vendors stopping with these crazy mixes of data and code, but it's something they seem not even considering.
So, how can we mitigate risks of this kind, which surely won't go away even when Adobe will fix this specific PDF issue?

OK, I'm obviously biased here, but did you ever notice the

NoScript Options/Advanced/Plugins

NoScript content blocking options
It provides quite a flexible way to block Java, Flash, Silverlight and all the other plugins such as Acrobat Viewer, Windows Media Player and QuickTime, just to name the ones featured in pdp's researches.
If you check all the


checkboxes but the last (IFRAMES), all types of plugin-handled, potentially dangerous content will be blocked by default if coming from unknown (and therefore untrusted) sites.
You'll get a nice placeholder with the NoScript logo instead: you just click it, and you activate the content on the fly if you deem it's trustworthy.
If you're a paranoid like me, you may want to trade some usability for maximum security and check also the

Apply these restrictions to trusted sites too

option, which will mandate on-demand activation everywhere.

I heard someone saying

security × usability = K

If it's true (and I hope some day it won't necessarily be), NoScript tries hard to pump that


as much high as it can be.

Caravaggio, San GerolamoBoth the Java Evil Popups and the more recent SQL Injection Toy posts have been followed by kind requests to see the code.

Furthermore, I routinely receive inquiries about the source code of my most known Firefox extensions (NoScript and FlashGot), sometimes from people graciously accusing me of infringing the GPL which covers both.

I believe the time has come to make them all happy, but...


True hackers won't read further, because the info above is more than enough to obtain all the mentioned source code in a few seconds ;)

Imagine you're a web advertiser.
Imagine you can open a popup window from a web page defeating any popup blocker.
Imagine this popup can invade the whole desktop, full screen.
Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No mean to close it.
Imagine user can't move or minimize this popup. It will go away only when the browser is killed or your show is done...

Now imagine you're a phisher.
Imagine you can use this almighty popup to draw anything you want. A fake browser or -- why not? -- a whole fake desktop to collect user's data.

Impossible wet dreams of clueless evildoers?
No, it's just 100% Pure Java™ Reality.


Bad Behavior has blocked 968 access attempts in the last 7 days.