Java Plugin a huge security risk? How to preserve Java plugin from privilege escalation?

4

3

Installing a regular Java plugin is IMHO a real security risk for non-IT people. Normally Java applets run in a sandbox and the applet cannot do anything harmful to your computer.

If an applet, however, needs to do something like read-only accessing your filesystem e.g. uploading an image, you have to give it more privileges. Usually that's ok but I think not everyone knows that you give the applet the same privileges to your computer as your user has! And that's everything Java asks you:

[Image: Java security question]

That looks as 'harmful' as a self-signed SSL certificate on a random page where no sensitive data is exchanged. The user will click on Run!

You can try that at home using JyConsole, that's Jython (Python on Java)!

Simply type in python code, e.g.

import os
os.system('cat /etc/passwd')

or worse (DON'T TYPE THAT CODE INTO YOUR COMPUTER!!!):

import os
os.system('rm -rf ~')

...

Does anyone know how you can disable the possibility of privilege escalation? And by the way, does anyone know why SUN displays only a dialog as harmless as the one shown above (the self-signed-SSL-certificate dialog from Firefox 3 and above is much clearer here!)?

Live sample from my computer:

[Image: jyconsole sample]

Johannes Weiss

Posted 2009-09-17T21:56:47.803

Reputation: 1 362

Answers

3

Absolutely not an official answer:

From 6u10, files can be read by applets using the java.jnlp API. The user first gets a warning dialogue (which I wish would be removed) and then a file open browser. The applet can only read the file that the user selects for it through the file chooser.

Currently you can prevent users from trusting 'content' by going to the Java Control Panel, selecting the Advanced tab. First tick box under security is currently "Allow user to grant permissions to signed content". Second tick box is "Allow user to grant permission to content from an untrusted authority".

The scariness of the security dialog should roughly match that of comparable industry players, such as Microsoft's ActiveX and Adobe's AIR.

(Disclosure: I work in Java SE Security.)

Tom Hawtin - tackline

Posted 2009-09-17T21:56:47.803

Reputation: 653
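As an added illustration of the javax.jnlp route Tom describes (my own code, not from the answer and not Sun's): a helper that lets a sandboxed applet or Web Start application read one file the user picks, without asking for full permissions. It assumes the JRE's javaws.jar on the compile classpath and a Web Start or plug-in runtime of 6u10 or later; apart from the javax.jnlp API itself, the class and method names are my own.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import javax.jnlp.FileContents;
import javax.jnlp.FileOpenService;
import javax.jnlp.ServiceManager;
import javax.jnlp.UnavailableServiceException;

/** Reads a user-selected file from inside the applet sandbox (hypothetical helper class). */
public final class SandboxedFileRead {

    /**
     * Shows the JRE's own warning dialog and file chooser, then returns up to maxLines
     * lines of the chosen file, or null if the user cancelled. No other file becomes readable.
     */
    public static String readUserChosenFile(int maxLines) throws IOException {
        FileOpenService fos;
        try {
            fos = (FileOpenService) ServiceManager.lookup("javax.jnlp.FileOpenService");
        } catch (UnavailableServiceException e) {
            // Not running under Web Start / the plug-in, so the service does not exist.
            throw new IOException("javax.jnlp.FileOpenService is not available: " + e);
        }
        // The JRE, not the applet, decides which single file is handed over.
        FileContents contents = fos.openFileDialog(null, new String[] { "txt", "jpg", "png" });
        if (contents == null) {
            return null; // user cancelled the chooser
        }
        BufferedReader in = new BufferedReader(
                new InputStreamReader(contents.getInputStream(), "UTF-8"));
        try {
            StringBuilder sb = new StringBuilder();
            String line;
            int n = 0;
            while (n < maxLines && (line = in.readLine()) != null) {
                sb.append(line).append('\n');
                n++;
            }
            return sb.toString();
        } finally {
            in.close();
        }
    }

    /**
     * The direct route the sandbox blocks: opening a file by name with java.io.
     * Returns false when the security manager denies it (or the path is otherwise unreadable).
     */
    public static boolean canReadDirectly(String path) {
        try {
            FileInputStream in = new FileInputStream(path);
            in.close();
            return true;
        } catch (SecurityException denied) {
            return false; // FilePermission "read" refused by the applet sandbox
        } catch (IOException e) {
            return false;
        }
    }
}
```

Call readUserChosenFile from the applet's event handler; calling canReadDirectly on the same name from an unsigned applet returns false, which is exactly the asymmetry the answer relies on: the user picks the file, the JRE hands over its contents, and the applet never receives a general read permission.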

Thanks for your answer Tom, I tried that ControlPanel setting and it works fine! Don't you think "Allow user to grant permission to content from an untrusted authority" should be false by default? Do you consider the actual default as a huge security problem, too (as I do)? – Johannes Weiss – 2009-10-05T15:05:40.957

I would love it to be the default. I think we're almost at the point where non-EV certs could be automatically rejected by default. However, from a practical standpoint that just ain't gonna happen. Browsers first, and we'll probably follow the crowd (no promises). – Tom Hawtin - tackline – 2009-10-06T04:10:09.840
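The two tick boxes Tom names have counterparts in the JRE's deployment.properties file, which is how an administrator turns them off for every user on a machine instead of clicking through the Control Panel on each one. The following is an added example, not from the answer or the comments; the key names and the `.locked` convention are as I remember them from Sun's deployment configuration guide, and the paths are Linux ones, so check both against your JRE version before relying on them.

```properties
# Added example: machine-wide lockdown of the "grant permissions" dialogs.
#
# File 1: <jre>/lib/deployment.config
# Points the JRE at a system-level properties file and makes it mandatory.
deployment.system.config=file:///etc/.java/deployment/deployment.properties
deployment.system.config.mandatory=true

# File 2: /etc/.java/deployment/deployment.properties
# "Allow user to grant permissions to signed content" (first tick box)
deployment.security.askgrantdialog.show=false
# "Allow user to grant permission to content from an untrusted authority" (second tick box)
deployment.security.askgrantdialog.notinca=false
# A trailing .locked key greys the option out in the Java Control Panel,
# so a user cannot quietly switch it back on.
deployment.security.askgrantdialog.show.locked
deployment.security.askgrantdialog.notinca.locked
```

With both keys false, no applet can obtain the user's full privileges through the dialog shown in the question; content that needs more than the sandbox simply does not get it, which is the default Johannes is asking for.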

Ok, but with JAAS it should be possible to give the applet "some" permissions, such as "read files from my desktop". Or "read only access" to my computer, no? The actual situation is: permit everything or nothing at all. – Johannes Weiss – 2009-10-24T18:20:04.800

Perhaps such a feature could be added to PlugIn/WebStart/JNLP. It doesn't exist at the moment. If such a feature were to be added, the level of Java security permissions is a bit low. It's easy for an apparently innocuous permission to be leveraged with random bits of functionality to form a full attack. Really you would want a designed for purpose API in the model javax.jnlp. – Tom Hawtin - tackline – 2009-10-26T01:57:45.673
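To make the "everything or nothing" point from the question and this last exchange concrete, here is an added example of my own (not code from the thread, and not a feature of the plug-in, which Tom says offers no such option): a standalone Java program that puts the JVM's own java.security.Policy into each of the three states under discussion, sandbox, "Run" clicked, and a read-only grant on the Desktop, and asks the access controller what each one allows. Class and method names are mine; it compiles on JDK 8 through 17 (Policy and AccessController are deprecated from 17 and removed in 24) and touches no files, since the checks are permission queries rather than real reads or writes.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;

/** Hypothetical demo: what the three privilege levels from the thread actually permit. */
public class PrivilegeLevels {

    /** A Policy that hands the same fixed permission set to every code source. */
    static final class FixedPolicy extends Policy {
        private final Permissions perms = new Permissions();

        FixedPolicy(Permission... granted) {
            for (Permission p : granted) {
                perms.add(p);
            }
        }
        @Override public PermissionCollection getPermissions(CodeSource cs) { return perms; }
        @Override public PermissionCollection getPermissions(ProtectionDomain pd) { return perms; }
        @Override public boolean implies(ProtectionDomain pd, Permission p) { return perms.implies(p); }
    }

    static final String DESKTOP = System.getProperty("user.home") + File.separator + "Desktop";
    static final String DESKTOP_TREE = DESKTOP + File.separator + "-"; // "-" = directory and everything below

    /** Unsigned applet: no grants at all. */
    static Policy sandbox() { return new FixedPolicy(); }

    /** What clicking "Run" on the dialog gives: the same rights as the logged-in user. */
    static Policy trusted() { return new FixedPolicy(new AllPermission()); }

    /**
     * The fine-grained grant the comments wish for. In a ~/.java.policy file the same
     * thing reads:  grant { permission java.io.FilePermission "${user.home}/Desktop/-", "read"; };
     */
    static Policy readOnlyDesktop() { return new FixedPolicy(new FilePermission(DESKTOP_TREE, "read")); }

    /** Asks the access controller whether the current policy allows perm; no file is touched. */
    static boolean allowed(Permission perm) {
        try {
            AccessController.checkPermission(perm);
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    static void probe(String label, Policy policy) {
        Policy.setPolicy(policy);
        boolean read = allowed(new FilePermission(DESKTOP_TREE, "read"));
        boolean write = allowed(new FilePermission(DESKTOP_TREE, "write"));
        // Runtime.exec checks FilePermission "execute"; this is the 'rm -rf ~' case from the question
        boolean exec = allowed(new FilePermission("<<ALL FILES>>", "execute"));
        System.out.printf("%-18s read Desktop=%-5b write Desktop=%-5b exec programs=%-5b%n",
                label, read, write, exec);
    }

    public static void main(String[] args) {
        // Note: run this from outside your Desktop folder, otherwise the class loader's
        // own read grant on the code location makes the sandbox line show read=true.
        probe("sandbox", sandbox());
        probe("trusted (Run)", trusted());
        probe("read-only Desktop", readOnlyDesktop());
    }
}
```

The first line shows every check denied, the second every check allowed, and the third only the read allowed, which is the middle ground Johannes asks about. Tom's caution still applies: a permission that looks harmless in isolation (a broad read, or any execute) can be combined with other functionality into something much larger, which is why a purpose-built API such as javax.jnlp's FileOpenService is the safer shape for "let the applet read a file".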