Closed Bug 184800 Opened 17 years ago Closed 7 years ago

Misleading Java security-grant dialog

Categories

(Plugins Graveyard :: Java (Oracle), defect, major)

x86
All
defect
Not set
major

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: spamdrain, Unassigned)

References

()

Details

User-Agent:       Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.1) Gecko/20020929
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.1) Gecko/20020929

Browser ignores user's directive to deny a signed applet permission to run. This
can be seen with a PDA demo on news.com that is implemented as a signed Java applet.





Reproducible: Always

Steps to Reproduce:
How to reproduce:
1. On my platform (platform details above); dunno about other platforms; go to
http://www.news.com/ Scroll down to almost the bottom of the page, and look at
the _right_ side navigation menu for the section "News Tools".

2. In that section, select the "News by Mobile" link (I'm not giving full URLs
because I think their URLs include a unique session ID).

3. In the page that loads ("Tech News To Go") click on "News.com Mobile Demo". A
security dialog comes up asking whether or not you want to run the applet signed
by RoundPoint.

4. In this dialog, there is a "Deny" choice. Click it.

The applet runs and is perfectly functional.

Note that for subsequent visits to the page, the security dialog no longer comes
up. I am certain I clicked "Deny" and _only_ "Deny" on the dialog.


Actual Results:  
The applet ran with apparent full functionality.


Expected Results:  
The applet should not have run at all. Should have just shown a grayed out panel
identifying the screen space allocated for the applet, or even just a generic
small "applet here" icon, potentially at the cost of pretty layout, but with the
benefit of following the directives of the user.


This bug is evil.
addendum: "with apparent full functionality" means it appeared to work fine. It
was interactive; buttons worked, could navigate menus up and down, switch pages
in the demo screens shown on the PDA portrayed in the applet, could see
scrolling news tickers. In other words it was a live Java applet, not just an
animated gif stand-in. And it was not flash; I do not have a working flash
plugin set up for my browser.
I can confirm that on windows using Mozilla 1.0.2 -- will try trunk next.

The permissions dialog shown appears to be generated by Java, not the browser.
What version of the JRE are you using? (I've got 1.4.0_01)
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
This is probably a Sun JRE bug; CCing Joe Chou at Sun.
I think the most likely scenario is that the applet requested some privileged
action but appears to run normally even if that privileged action is denied. In
this case, the wording of the privilege-grant dialog is misleading, since it
says "Do you wish to allow this applet to run?" or somesuch. The other
possibility, which is less likely but must be ruled out, is that the Deny button
is ignored and the privilege is granted anyway. That would obviously be very
bad. I have asked the Sun folks to look into this.
Assignee: mstoltz → joe.chou
I think this applet never attempts to perform any privilieged action. So when 
you click "Deny" button, the applet will not get any privileged permission, but 
the applet doesn't need it at all, that is why the applet is still running OK.

I don't know why you signed this applet, if the applet don't need any permission 
to run, there is no difference between the applet run trusted or untrusted.

Yes, you will only see the security dialog box once in a session. If you want to 
see it again, you have to start a new browser session.
Dennis, the wording of the dialog box is misleading. It says "Do you want to
install and run signed applet distributed by..." and yet it runs even if the
user clicks Deny. I think we need to do one of two things:

A) don't run the applet if the user clicks Deny
B) Change the dialog to something like "This signed applet has requested
enhanced privileges. Do you wish to grant these privileges?"
Reassigning to Dennis. Dennis, please let me know what you think we should do
about this bug, or reassign it to the right person if you're not it.
Assignee: joe.chou → dennis.gu
We will change the text in the Security dialog box in order to reflect 
the accurate meaning of the user action. This will be addressed in JRE 1.5
Great! Thanks, Dennis.
Changing summary and making public; there's no security risk here, although we
still want to see the dialog wording changed ASAP.
Group: security
Summary: Signed Java applet still runs even after user says "Deny" to run request → Misleading Java security-grant dialog
QA Contact: bsharma → toolkit
This bug is still present in Firefox 3.6.12. I totally agree with the misleading wording. Java applets are run, no matter what you click in the dialog. The old Netscape dialog in 1997 used to say "JavaScript or Java applet from X is requesting additional privileges" then below the privileges were explained: "Granting the following is high risk: Reading, modification, or deletion of any of your files".

I realize the java security model has changed since then, but the risks are still there. The user should be made aware of this IMHO. Asking the user to only click "Run" if they trust the origin of the application (=current wording) does not inform them of the risks they are taking. If anyone has any doubt about the risks of running a signed Java applet, see http://www.offensive-security.com/metasploit-unleashed/SET_Java_Applet_Attack
Assignee: dennis.gu → nobody
Component: Security → Java (Oracle)
Product: Core → Plugins
QA Contact: toolkit → oracle-java
Version: Trunk → unspecified
OS: FreeBSD → All
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Why is this bug marked as Resolved Incomplete? Do you need more info/input?
Product: Plugins → Plugins Graveyard
You need to log in before you can comment on or make changes to this bug.