Java-Gaming.org    
Java Viruses and You!
Offline CyanPrime
« Posted 2012-07-18 01:38:21 »

I am dismayed, JGO. My PC was acting really strange, so I did my first virus scan of the year, and found 3 Java viruses! I keep my Java up to date and everything! So, that really sucked. Good news is they're all gone now, but still. If people get viruses like that they'll blame Java. :<
Offline teletubo
« Reply #1 - Posted 2012-07-18 01:45:45 »

I would blame all the p0rn sites and all my uncautious downloads and installs. Nothing else.

Offline philfrei
« Reply #2 - Posted 2012-07-18 02:30:22 »

The article that the quote is from may now be dated (a year old, after all).

Quote
On the basis of the total statistical data of this study it is documented that following products frequently are abused by malware in order to infect Windows machines: Java JRE, Adobe Reader / Acrobat, Adobe Flash and Microsoft Internet Explorer.

From the following URL:

http://net-security.org/malware_news.php?id=1863
Offline princec

« Reply #3 - Posted 2012-07-18 10:08:52 »

I'm still not aware of a Java vuln in the wild that can bypass a user dialog intervention.

I don't run virus scans - was without virus checking for 10 years until I caved and got MS Security Essentials (the only virus checker worth having on Windows). To date it's found bugger all. It's easy to live without one if you don't go looking for trouble. I just hang out on the same 15 websites and rarely go anywhere off the beaten path.

Cas Smiley

Offline gimbal

« Reply #4 - Posted 2012-07-18 10:25:48 »

Quote
was without virus checking for 10 years until I caved and got MS Security Essentials (the only virus checker worth having on Windows). To date it's found bugger all.

I've had a case or two myself; never related to the JVM of course. MSE picked it up before I even had the chance to run an executable. Perhaps it won't catch all the baddies out there (tests have proven that it does not perform so well as its competition when it comes to actually recognizing threats) but when it does work, it works really well.

I'd put money on that claim stemming from all the malware crud that triggers false positives. That happens too often in relation to Java classes.
Offline Jimmt
« Reply #5 - Posted 2012-07-18 11:35:35 »

Quote
I'm still not aware of a Java vuln in the wild that can bypass a user dialog intervention.

I don't run virus scans - was without virus checking for 10 years until I caved and got MS Security Essentials (the only virus checker worth having on Windows). To date it's found bugger all. It's easy to live without one if you don't go looking for trouble. I just hang out on the same 15 websites and rarely go anywhere off the beaten path.

Cas Smiley

I've never personally seen this vulnerability, but search up the Java AtomicReferenceArray flaw. Pretty serious stuff.
Offline Mike

« Reply #6 - Posted 2012-07-18 13:14:50 »

I got a Java "virus" once from a tv show online streaming site. There was no dialog box, I just noticed the Java icon pop up in the notification bar and next thing I know I had an annoying application installed on my computer. Luckily it was quite harmless and could (almost) be removed from the control panel Smiley

Mike

Offline ReBirth
« Reply #7 - Posted 2012-07-18 17:25:53 »

Quote
I would blame all the p0rn sites and all my uncautious downloads and installs. Nothing else.

And your friends' dirty usb >_>

Should we also be aware of showcase entries too? Tongue

Offline Riven
« Reply #8 - Posted 2012-07-18 17:36:17 »

Quote
I'm still not aware of a Java vuln in the wild that can bypass a user dialog intervention.

Drive-by attacks are actually the main way to get infected these days (by Java). They require no user interaction and typically don't bother you, but needless to say you instantly become part of a botnet.

As for not looking for trouble: it only requires a perfectly harmless site (like jolly good old JGO) to get infected, and you're screwed.

Offline Mads

« Reply #9 - Posted 2012-07-18 17:42:56 »

Quote
I'm still not aware of a Java vuln in the wild that can bypass a user dialog intervention.

Drive-by attacks are actually the main way to get infected these days (by Java). They require no user interaction and typically don't bother you, but needless to say you instantly become part of a botnet.

As for not looking for trouble: it only requires a perfectly harmless site (like jolly good old JGO) to get infected, and you're screwed.

May I ask "How?", and continue chewing my gumdrops in a happy mood?

Offline Riven
« Reply #10 - Posted 2012-07-18 17:52:24 »

Let's say you want to infect JGO. As it's an SMF site, it's not that hard: there are lots of SQL injections possible. As SMF is a design flaw to begin with, data is htmlentities-escaped before it is inserted in the database, so... unfortunately, SMF assumes that everything in the database is safe to send to the browser, without further checking. Combine this with the ability to inject arbitrary data in the database, and you should see how it is possible to put "<applet ...></applet>" in there without too much effort. Next step is to write a malicious applet that can escape the sandbox. There are enough examples of this on the web, so yes, that is indeed possible. Now we can write an executable to disk and call Runtime.getRuntime().exec(...) to launch it. Piece of cake, really.

Offline Mads

« Reply #11 - Posted 2012-07-18 18:00:01 »

Quote
Let's say you want to infect JGO. As it's an SMF site, it's not that hard: there are lots of SQL injections possible. As SMF is a design flaw to begin with, data is htmlentities-escaped before it is inserted in the database, so... unfortunately, SMF assumes that everything in the database is safe to send to the browser, without further checking. Combine this with the ability to inject arbitrary data in the database, and you should see how it is possible to put "<applet ...></applet>" in there without too much effort. Next step is to write a malicious applet that can escape the sandbox. There are enough examples of this on the web, so yes, that is indeed possible. Now we can write an executable to disk and call Runtime.getRuntime().exec(...) to launch it. Piece of cake, really.

How in the world does that work? I thought rule #1 in safe web-programming is to not send the "<" char as "<", but rather as &lt;, which is not picked up as HTML? Isn't it possible to fix those before the data goes into the db?

Offline princec

« Reply #12 - Posted 2012-07-18 18:04:51 »

'o course, I don't run applets on websites anyway, I've got Chrome to stop it Smiley So I feel a bit safer.

Cas Smiley

Offline Mads

« Reply #13 - Posted 2012-07-18 18:08:47 »

Quote
'o course, I don't run applets on websites anyway, I've got Chrome to stop it Smiley So I feel a bit safer.

Cas Smiley

Yeah, me too. I think most browsers do that. I'd still like to know about that flaw in SMF, as I can't imagine anyone would leave it there.

Offline Riven
« Reply #14 - Posted 2012-07-18 18:10:40 »

Quote
'o course, I don't run applets on websites anyway, I've got Chrome to stop it Smiley So I feel a bit safer.

Sure, this might be the reason you said that you didn't see a malicious applet that didn't require user-interaction to launch. Obviously, the Chrome developers only added this because the Java Plugin itself failed to be secured by their user-interaction.

But I have the feeling that I'm explaining things you already know, so I'll stop right here Smiley

Offline Riven
« Reply #15 - Posted 2012-07-18 18:12:50 »

Quote
Yeah, me too. I think most browsers do that. I'd still like to know about that flaw in SMF, as I can't imagine anyone would leave it there.

It's not just 1 flaw. It's hundreds (if not thousands) of flaws. It's beyond repair.

Offline Riven
« Reply #16 - Posted 2012-07-18 18:23:48 »

Quote
How in the world does that work? I thought rule #1 in safe web-programming is to not send the "<" char as "<", but rather as &lt;, which is not picked up as HTML? Isn't it possible to fix those before the data goes into the db?

This is exactly the flawed reasoning that the SMF devs had, which made it fail, security wise. Sad

It should be escaped after it is read from the database.

Don't trust your database, treat everything inside it as 'data', not 'information'. Say you notice a flaw in your insert/update sanity checks... you fix it, but all the data inside your database is still 'infected'. It might not even be possible to run a query that corrects it, because that would mean data-loss.

Now reverse the situation: dump everything you receive in the database, as is, and escape the data after you received it from a query. When you 'fix' the flaw in your escaping now, all existing data, no matter how malicious, will be safely escaped by the new algorithm. For added benefit: you can escape it for either HTML, JavaScript, Java, XML, SQL, whatever. As you haven't altered the original data, you're free to transform it any way you like.

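Riven's store-raw, escape-on-output argument from the post above, as an added Java example (it is not code from the thread, from SMF or from JGO): the text stays exactly as received, and a separate escaper is applied each time it is rendered into a particular context. The class, method names and the two sample rows are my own.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example: keep user text raw in storage and escape it on the way out,
 * once per output context. The Map stands in for the forum's posts table.
 */
public class OutputEscaping {

    /** Escape for HTML element content or a double-quoted attribute value. */
    static String escapeHtml(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Escape for a JavaScript string literal. This is a different context with
     * different rules, so reusing the HTML escaper here would not be safe.
     * Everything outside a small safe set becomes a backslash-u hex escape.
     */
    static String escapeJsString(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                        || (c >= '0' && c <= '9') || c == ' ' || c == '.' || c == ',';
            if (safe) {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.toString();
    }

    /** Render a stored post as an HTML fragment. */
    static String renderHtml(String storedRaw) {
        return "<div class=\"post\">" + escapeHtml(storedRaw) + "</div>";
    }

    /** Render the same stored post into an inline script. */
    static String renderJs(String storedRaw) {
        return "var post = '" + escapeJsString(storedRaw) + "';";
    }

    public static void main(String[] args) {
        Map<Integer, String> posts = new LinkedHashMap<>();
        // Constructed sample rows: a normal post and a hostile one, both kept exactly as received.
        posts.put(1, "Hello <b>JGO</b> & friends");
        posts.put(2, "<applet code=\"Evil.class\"></applet>");

        for (Map.Entry<Integer, String> e : posts.entrySet()) {
            System.out.println(renderHtml(e.getValue()));   // tags come out as inert text
            System.out.println(renderJs(e.getValue()));
        }

        // Editing needs no unescape step, because nothing was transformed on the way in.
        posts.put(1, posts.get(1).replace("friends", "Dukes"));
        System.out.println(renderHtml(posts.get(1)));
    }
}
```

If a bug is later found in either escaper, fixing it fixes every stored row at the next render; rows that were escaped at insert time would have to be rewritten in place.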
Offline Mads

« Reply #17 - Posted 2012-07-18 20:00:49 »

Quote
How in the world does that work? I thought rule #1 in safe web-programming is to not send the "<" char as "<", but rather as &lt;, which is not picked up as HTML? Isn't it possible to fix those before the data goes into the db?

This is exactly the flawed reasoning that the SMF devs had, which made it fail, security wise. Sad

It should be escaped after it is read from the database.

Don't trust your database, treat everything inside it as 'data', not 'information'. Say you notice a flaw in your insert/update sanity checks... you fix it, but all the data inside your database is still 'infected'. It might not even be possible to run a query that corrects it, because that would mean data-loss.

Now reverse the situation: dump everything you receive in the database, as is, and escape the data after you received it from a query. When you 'fix' the flaw in your escaping now, all existing data, no matter how malicious, will be safely escaped by the new algorithm. For added benefit: you can escape it for either HTML, JavaScript, Java, XML, SQL, whatever. As you haven't altered the original data, you're free to transform it any way you like.

There are thousands of flaws? I agree with what you said about the database, however wouldn't that be a rather large operation to perform every time someone requests data? Why is it that making the assumption that you are the only one with access to the database is not safe? Is it that easy to access and edit a database?

Offline Riven
« Reply #18 - Posted 2012-07-18 20:08:53 »

It's about keeping the original data. The database is typically not unsafe by definition, but the lack of prepared-statements, and thus SQL injections make it a hostile place.

If somebody wants to edit data, and the data is escaped, you have to unescape it, edit it, and escape it again. Unescaping is not always possible, as the transformation is not always purely escaping: you'll often find 'sanitized', which means you lost data.

And no, escaping data every time it's retrieved from the database is not slow.

Offline Mads

« Reply #19 - Posted 2012-07-18 21:32:23 »

Quote
It's about keeping the original data. The database is typically not unsafe by definition, but the lack of prepared-statements, and thus SQL injections make it a hostile place.

If somebody wants to edit data, and the data is escaped, you have to unescape it, edit it, and escape it again. Unescaping is not always possible, as the transformation is not always purely escaping: you'll often find 'sanitized', which means you lost data.

And no, escaping data every time it's retrieved from the database is not slow.

I'm quite shocked that you were able to dictate what I load so easily. Isn't this quite the large hole in security? Since anyone can post on here, it would be easy to drive-by everyone that reads any given page.

Offline Ultroman

« Reply #20 - Posted 2012-07-18 21:43:13 »

What if we have a jar-file with our game in it, which connects to a Java-server, uses a method on that Java-server to grab some DB-information, and uses it in the application. Would that be prone to attacks? Would reverse-engineering the jar leave the IP of my Java-server open for all to see? Would my database be susceptible to attacks through this way of retrieving data from my DB?

- Jonas
Offline Riven
« Reply #21 - Posted 2012-07-18 21:43:41 »

Quote
I'm quite shocked that you were able to dictate what I load so easily. Isn't this quite the large hole in security? Since anyone can post on here, it would be easy to drive-by everyone that reads any given page.

It's easy, but that's not enough. You have to be willing to invest the time to hack a site.

And who'd care that JGO would be hacked? Hackers typically try to hack (reasonably) high profile sites.

Offline Riven
« Reply #22 - Posted 2012-07-18 21:47:09 »

Quote
What if we have a jar-file with our game in it, which connects to a Java-server, uses a method on that Java-server to grab some DB-information, and uses it in the application. Would that be prone to attacks? Would reverse-engineering the jar leave the IP of my Java-server open for all to see? Would my database be susceptible to attacks through this way of retrieving data from my DB?

You don't even need to reverse engineer anything. You can simply monitor the network (with Wireshark) and you'll see the IPs and packets scrolling by.

You always have to assume the client is hacked, so never let the client do anything you haven't intended: don't let the client make SQL queries, create a protocol in which the client can suggest to the server to perform some logic, which might or might not result in a database query - the client shouldn't even be aware of any database on the server. The server should always verify that the client-input is correct too.

Offline Ultroman

« Reply #23 - Posted 2012-07-18 21:55:38 »

Quote
You don't even need to reverse engineer anything. You can simply monitor the network (with Wireshark) and you'll see the IPs and packets scrolling by.

You always have to assume the client is hacked, so never let the client do anything you haven't intended: don't let the client make SQL queries, create a protocol in which the client can suggest to the server to perform some logic, which might or might not result in a database query - the client shouldn't even be aware of any database on the server. The server should always verify that the client-input is correct too.

But if my server only has methods to save/retrieve a player-object or retrieve a list of highscores and such, how would someone hack that? Is it that easy to hack an object in memory? Can they know which part of memory to change to give their player a billion gold?

- Jonas
Offline Mads

« Reply #24 - Posted 2012-07-18 22:08:37 »

Quote
You don't even need to reverse engineer anything. You can simply monitor the network (with Wireshark) and you'll see the IPs and packets scrolling by.

You always have to assume the client is hacked, so never let the client do anything you haven't intended: don't let the client make SQL queries, create a protocol in which the client can suggest to the server to perform some logic, which might or might not result in a database query - the client shouldn't even be aware of any database on the server. The server should always verify that the client-input is correct too.

But if my server only has methods to save/retrieve a player-object or retrieve a list of highscores and such, how would someone hack that? Is it that easy to hack an object in memory? Can they know which part of memory to change to give their player a billion gold?

Memory is easy to modify, if you can find the right values. Some flash games have obfuscated variables because of score-hacking. You should not log into your database with writing permission from the client, ever. Instead, ask the server for the data and let it retrieve it for you.

Making a secure highscore for a game whose logic is client-side is an impossible task, as you can't verify the game was actually played. You can obscure the way, but if somebody really wanted to they can always do everything the code you give them can.

If you ever give anyone your IP, publicly, be prepared :-) Not saying it will happen, but now it could.
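Riven's advice in reply #22 (the client may only suggest an action, the server verifies it and owns any database access) and Mads's point just above (the client never gets write access), as an added Java example that is not code from the thread: the server holds the authoritative gold total, understands two whitelisted messages and rejects everything else before any storage logic runs. The class, the message formats, the prices and the sample client messages are my own constructions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example: a game server that accepts a small set of client "intents",
 * validates each one and keeps the authoritative state itself.
 * The Map stands in for the database; the client never sees or sends SQL.
 */
public class IntentServer {

    /** Authoritative per-player state; the client only ever holds a copy. */
    static final class Player {
        int gold = 100;
    }

    static final int POTION_PRICE = 25;

    // The only shape of purchase message the protocol understands, e.g. "BUY_POTION 3".
    private static final Pattern BUY = Pattern.compile("BUY_POTION (\\d{1,3})");

    private final Map<String, Player> players = new HashMap<>();

    Player player(String name) {
        return players.computeIfAbsent(name, n -> new Player());
    }

    /**
     * Handle one message from an already authenticated client and return a reply.
     * A tampered client can send anything ("SET_GOLD 1000000000", SQL fragments, ...);
     * nothing outside the whitelist reaches the state or the storage layer.
     */
    String handle(String playerName, String message) {
        if (message == null || message.length() > 64) {
            return "ERR bad message";
        }
        Matcher m = BUY.matcher(message);
        if (m.matches()) {
            int qty = Integer.parseInt(m.group(1));   // at most 3 digits, so no overflow
            if (qty < 1 || qty > 10) {
                return "ERR quantity out of range";
            }
            Player p = player(playerName);
            int cost = qty * POTION_PRICE;
            if (p.gold < cost) {
                return "ERR not enough gold";          // the server decides, not the client
            }
            p.gold -= cost;                            // state changes only via server logic
            return "OK gold=" + p.gold;
        }
        if ("LIST_HIGHSCORES".equals(message)) {
            // A read-only query the server builds itself; any parameters would be bound
            // through a PreparedStatement, never concatenated from client text.
            return "OK " + players.size() + " players";
        }
        return "ERR unknown command";
    }

    public static void main(String[] args) {
        IntentServer server = new IntentServer();
        // Constructed client messages: one legitimate, three that a modified client might send.
        String[] msgs = {
            "BUY_POTION 2",
            "SET_GOLD 1000000000",
            "BUY_POTION 2' OR '1'='1",
            "BUY_POTION 999",
        };
        for (String msg : msgs) {
            System.out.println(msg + " -> " + server.handle("jonas", msg));
        }
    }
}
```

The first message succeeds and leaves 50 gold; the other three are refused without the server ever having to guess what the client "meant".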

Offline Ultroman

« Reply #25 - Posted 2012-07-19 00:31:51 »

Quote
Memory is easy to modify, if you can find the right values. Some flash games have obfuscated variables because of score-hacking. You should not log into your database with writing permission from the client, ever. Instead, ask the server for the data and let it retrieve it for you.

Making a secure highscore for a game whose logic is client-side is an impossible task, as you can't verify the game was actually played. You can obscure the way, but if somebody really wanted to they can always do everything the code you give them can.

If you ever give anyone your IP, publicly, be prepared :-) Not saying it will happen, but now it could.

Well, I was just thinking I'd have the game ask the server to save my Player-object, by passing the server-method a Player-object. Assuming I check the validity of the variables required for a Player-object, it shouldn't be possible to hack the saving of a player, right? I mean, can they create an instance of Player without having the blueprint for it?

As for the highscores, I see what you mean...that sucks!

- Jonas
Offline Ultroman

« Reply #26 - Posted 2012-07-19 09:49:50 »

What about the server the game would be calling? Could they hack that and get the actual Java-server program too?

If not, I could make some gameID-generator on the server, which would give the current play-session an ID from some obscure algorithm, and then every time you try to save the player or a highscore, this ID would be sent as a parameter, and if it checks out, you get to save...wait...they could just call that method on the server to get a valid ID, right? Darn it! This is really demotivating Sad

One could at least make procedural checks each update on a few meaningful player-variables, such as health, points, kills and time, to see if any are changed in a manner in which they shouldn't. Also, a check could be made to see if system-time has changed in an unexpected manner.

There are many good ideas...but I guess they can find a way through them all  Angry

- Jonas
Offline Mads

« Reply #27 - Posted 2012-07-19 09:57:42 »

Quote
What about the server the game would be calling? Could they hack that and get the actual Java-server program too?

If not, I could make some gameID-generator on the server, which would give the current play-session an ID from some obscure algorithm, and then every time you try to save the player or a highscore, this ID would be sent as a parameter, and if it checks out, you get to save...wait...they could just call that method on the server to get a valid ID, right? Darn it! This is really demotivating Sad

One could at least make procedural checks each update on a few meaningful player-variables, such as health, points, kills and time, to see if any are changed in a manner in which they shouldn't. Also, a check could be made to see if system-time has changed in an unexpected manner.

There are many good ideas...but I guess they can find a way through them all  Angry

Don't spend too much time on this issue either. Just make it difficult enough that nobody will want to go through whatever it takes.

Offline 65K
« Reply #28 - Posted 2012-07-19 10:01:34 »

Quote
If not, I could make some gameID-generator on the server, which would give the current play-session an ID from some obscure algorithm, and then every time you try to save the player or a highscore, this ID would be sent as a parameter, and if it checks out, you get to save...wait...they could just call that method on the server to get a valid ID, right? Darn it! This is really demotivating Sad

You wouldn't make the ID generator publicly available, so that at least anonymous updates are impossible.

Offline Ultroman

« Reply #29 - Posted 2012-07-19 10:33:20 »

Quote
If not, I could make some gameID-generator on the server, which would give the current play-session an ID from some obscure algorithm, and then every time you try to save the player or a highscore, this ID would be sent as a parameter, and if it checks out, you get to save...wait...they could just call that method on the server to get a valid ID, right? Darn it! This is really demotivating Sad
You wouldn't make the ID generator publicly available, so that at least anonymous updates are impossible.

What do you mean by this? If my game can call a method on the server to request a valid game-ID, can't a hacker do the same thing if he has reverse-engineered my game?

- Jonas
Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines | Managed by Enhanced Four Valid XHTML 1.0! Valid CSS!