Closed
Bug 184800
Opened 22 years ago
Closed 11 years ago
Misleading Java security-grant dialog
Categories
(Plugins Graveyard :: Java (Oracle), defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: spamdrain, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.1) Gecko/20020929
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.1) Gecko/20020929

Browser ignores user's directive to deny a signed applet permission to run. This can be seen with a PDA demo on news.com that is implemented as a signed Java applet.

Reproducible: Always

Steps to Reproduce:
1. On my platform (platform details above); dunno about other platforms; go to http://www.news.com/. Scroll down to almost the bottom of the page, and look at the _right_ side navigation menu for the section "News Tools".
2. In that section, select the "News by Mobile" link (I'm not giving full URLs because I think their URLs include a unique session ID).
3. In the page that loads ("Tech News To Go") click on "News.com Mobile Demo". A security dialog comes up asking whether or not you want to run the applet signed by RoundPoint.
4. In this dialog, there is a "Deny" choice. Click it. The applet runs and is perfectly functional. Note that for subsequent visits to the page, the security dialog no longer comes up. I am certain I clicked "Deny" and _only_ "Deny" on the dialog.

Actual Results: The applet ran with apparent full functionality.

Expected Results: The applet should not have run at all. Should have just shown a grayed out panel identifying the screen space allocated for the applet, or even just a generic small "applet here" icon, potentially at the cost of pretty layout, but with the benefit of following the directives of the user.

This bug is evil.
addendum: "with apparent full functionality" means it appeared to work fine. It was interactive; buttons worked, could navigate menus up and down, switch pages in the demo screens shown on the PDA portrayed in the applet, could see scrolling news tickers. In other words it was a live Java applet, not just an animated gif stand-in. And it was not flash; I do not have a working flash plugin set up for my browser.
Comment 2•22 years ago
I can confirm that on windows using Mozilla 1.0.2 -- will try trunk next. The permissions dialog shown appears to be generated by Java, not the browser. What version of the JRE are you using? (I've got 1.4.0_01)
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3•22 years ago
This is probably a Sun JRE bug; CCing Joe Chou at Sun.
Comment 4•22 years ago
I think the most likely scenario is that the applet requested some privileged action but appears to run normally even if that privileged action is denied. In this case, the wording of the privilege-grant dialog is misleading, since it says "Do you wish to allow this applet to run?" or somesuch. The other possibility, which is less likely but must be ruled out, is that the Deny button is ignored and the privilege is granted anyway. That would obviously be very bad. I have asked the Sun folks to look into this.
Assignee: mstoltz → joe.chou
I think this applet never attempts to perform any privileged action. So when you click the "Deny" button, the applet will not get any privileged permission, but the applet doesn't need it at all; that is why the applet is still running OK. I don't know why you signed this applet: if the applet doesn't need any permission to run, there is no difference between the applet running trusted or untrusted. Yes, you will only see the security dialog box once in a session. If you want to see it again, you have to start a new browser session.
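Illustrating the scenario described in comments 4 and 5, as an added example that is not from this bug or from Sun's plug-in code: a signed applet that attempts one privileged operation and keeps running inside the sandbox when the user clicks Deny, which is exactly why "Deny" looks like it was ignored. The class name, the property read and the on-screen messages are assumptions.

```java
import java.applet.Applet;
import java.awt.Graphics;
import java.security.AccessControlException;

// Hypothetical signed applet. Whether the privileged call below succeeds depends
// only on the trust decision in the plug-in dialog; the applet itself loads,
// starts and paints in every case, because nothing here needs a privilege.
public class DegradingApplet extends Applet {
    private String status = "not started";

    public void init() {
        try {
            // Reading user.home is outside the applet sandbox, so this throws
            // unless the user granted the signed code full permissions.
            String home = System.getProperty("user.home");
            status = "trusted: user.home = " + home;
        } catch (AccessControlException e) {
            // User clicked Deny (or the applet is unsigned): the plug-in still runs
            // the applet with sandbox permissions only, so we degrade and continue.
            status = "sandboxed: denied " + e.getPermission();
        }
    }

    // Reports which mode the applet ended up in; visible either way, so a user who
    // clicked Deny sees a live, fully functional applet rather than nothing.
    public String getStatus() {
        return status;
    }

    public void paint(Graphics g) {
        g.drawString(getStatus(), 10, 20);
    }
}
```

The wording fix proposed in comment 6 follows from this: the dialog decides between "trusted" and "sandboxed", not between "run" and "do not run".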
Comment 6•22 years ago
Dennis, the wording of the dialog box is misleading. It says "Do you want to install and run signed applet distributed by..." and yet it runs even if the user clicks Deny. I think we need to do one of two things: A) don't run the applet if the user clicks Deny B) Change the dialog to something like "This signed applet has requested enhanced privileges. Do you wish to grant these privileges?"
Comment 7•22 years ago
Reassigning to Dennis. Dennis, please let me know what you think we should do about this bug, or reassign it to the right person if you're not it.
Assignee: joe.chou → dennis.gu
We will change the text in the Security dialog box in order to reflect the accurate meaning of the user action. This will be addressed in JRE 1.5.
Comment 9•22 years ago
Great! Thanks, Dennis.
Comment 10•21 years ago
Changing summary and making public; there's no security risk here, although we still want to see the dialog wording changed ASAP.
Group: security
Summary: Signed Java applet still runs even after user says "Deny" to run request → Misleading Java security-grant dialog
Updated•15 years ago
QA Contact: bsharma → toolkit
Comment 11•14 years ago
This bug is still present in Firefox 3.6.12. I totally agree with the misleading wording. Java applets are run, no matter what you click in the dialog. The old Netscape dialog in 1997 used to say "JavaScript or Java applet from X is requesting additional privileges" and then below the privileges were explained: "Granting the following is high risk: Reading, modification, or deletion of any of your files". I realize the Java security model has changed since then, but the risks are still there. The user should be made aware of this IMHO. Asking the user to only click "Run" if they trust the origin of the application (= current wording) does not inform them of the risks they are taking. If anyone has any doubt about the risks of running a signed Java applet, see http://www.offensive-security.com/metasploit-unleashed/SET_Java_Applet_Attack
Updated•14 years ago
Assignee: dennis.gu → nobody
Component: Security → Java (Oracle)
Product: Core → Plugins
QA Contact: toolkit → oracle-java
Version: Trunk → unspecified
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Comment 12•11 years ago
Why is this bug marked as Resolved Incomplete? Do you need more info/input?
Updated•8 years ago
Product: Plugins → Plugins Graveyard