90 Comments
- Azimuth1, on 11/08/2007, -2/+39Shouldn't the title of this be "Signed Java Applets broken in Internet Explorer 7"?
- DiggLive, on 11/03/2007, -7/+42http://digg.com/apple/Apple_s_Leopard_rejects_late ...
- lordtyros, on 11/08/2007, -3/+33IE7 on XP doesn't feature a protected mode. Overall, though, this seems like a case of MS getting blamed for third party idiocy. If Adobe Flash can comply with the new protocols, Sun should be able to as well. I'm all for web browsers running in a protected mode.
- Wang, on 11/04/2007, -4/+34Inaccurate - broken on IE7, not Vista (if you use Firefox, you are fine). I don't digg folks who try to sensationalize their titles with inaccuracies.
- Error601, on 11/04/2007, -3/+23The protected mode for the browsers sounds like a good idea. That's getting closer to adding Unix-like protection for the OS. What happens when you run your Java using webstart?
- mech9t8, on 11/02/2007, -3/+17This is broken because IE7 on Vista runs in Protected Mode (reduced privileges). Sun had plenty of warning and plenty of time to get it working properly, like Adobe did for Flash. Mozilla is also considering implementing Protected Mode for Firefox, so Sun should get its act together before their stuff doesn't work on any browser on Vista.
- pantsbandit, on 11/02/2007, -5/+16Almost 2008 and FF doesn't have protected mode in Vista, no thanks.
- trogdoor, on 11/02/2007, -0/+11I have been running my browser as an underprivileged user in Linux for a long time, I think it is the only sound security practice when all of your important data is owned by your user that a vulnerability in your browser not be able to touch it, it's a very Unix thing to do.
None of my computers even run Windows yet I seem to be one of the only people to comment in this thread that actually understands what protected mode is, and why it makes sense that there be no way possible to break out of it. It should be dealt with better than it is but I hate to say that IE 7 on Vista may be more secure than Firefox on Vista, and that's saying a lot. Would you be willing to test if setting the site as trusted allows the applet to run outside protected mode? Want to explain why you think the browser should be able to modify system files and install applications? Or how you would implement it better? ( I have already stated one way that I would so it's obviously not perfect )
FUD really annoys me, no matter where it's coming from.
- Kazbaeden, on 11/08/2007, -5/+16That has to be the most concise and simple form of fanboy ownage I've read in a long time.
It brings a tear to my eye.
Props to you sir!
- Ryosen, on 11/02/2007, -0/+8Thank you for joining Digg today. Spamming the forums with your ***** little website will not be welcomed. Buried, Banned, Buh-bye.
- DigitAl56K, on 11/02/2007, -0/+8You forgot to attach the GIF image advertising Viagra to your comment.
- trogdoor, on 11/02/2007, -3/+9I applaud Microsoft for being consistent with security, though lying to the applet is the wrong way to do it. An Exception should be thrown so that the developers and users know that something didn't work ( if you are using a signed applet you have at least one file that MUST be written to a non temporary folder, so this isn't legacy support for naughty applets, if the applet needs to be signed to work, it won't work in protected mode ).
I wonder if it works if the user sets the site as trusted, any Vista users willing to test?
- 7of7, on 11/03/2007, -20/+25Looks like Sun yet again fails at life. What don't they screw up?
- natenovs, on 11/02/2007, -0/+4Actually, incorrect. The Mozilla team is working with Microsoft to get protected mode into the next version of Firefox.
- pantsbandit, on 11/02/2007, -4/+8You must not digg much.
- MioTheGreat, on 11/04/2007, -0/+4To be fair, this is a little more than you get with your out of the box *nix setup.
Vista automatically knocks down the integrity level of IE _below_ "Normal User". Basically, IE can't even write to your desktop, startup folder, documents, etc. It has to use a separate process that runs alongside it, protected from it because it can only communicate through a very small number of private APIs, to save documents.
- Stalks, on 11/02/2007, -1/+5cite?
- Error601, on 11/02/2007, -0/+3No, you're the one that's way behind. People are deploying entire application systems using applets as it eliminates the need to maintain the application across tons of PCs. The computing world isn't just a bunch of people sitting at home surfing porn.
- Error601, on 11/02/2007, -0/+3This stuff is used for more than just people sitting at home browsing. Signed applets are used in Enterprise systems to deploy their applications to their employees. The widely used Oracle Applications does this among others.
- Blitzenn, on 11/02/2007, -0/+3Can't ever please the whiners. You would think they would applaud the move, yet here we are. Just proves that the people squirting out this nonsense are only fervent MS haters and not much else.
- DiggerT, on 11/04/2007, -0/+3java webstart should be fine, since it doesn't use the browser
- MioTheGreat, on 11/02/2007, -0/+3Only to areas that it has permission to. I believe that's limited to the LocalLow folder.
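The integrity-level restriction described in the comments above can be observed from any process on Vista or later. The following PowerShell is an added example, not code from any commenter or from the linked article; it reports the mandatory integrity level of the process running it and probes whether that process can write to the folders named in the thread. It assumes the default profile layout for the LocalLow path, and the function names are illustrative.

```powershell
# Added example: show this process's mandatory integrity level and test
# which of the folders mentioned in the thread it is able to write to.

# Well-known SIDs of the mandatory integrity labels.
$IntegritySids = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}

function Get-ProcessIntegrityLevel {
    # whoami /groups lists the token's groups, including its mandatory label.
    # /nh drops the localized header row so the columns can be named here.
    $rows = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header 'Name', 'Type', 'Sid', 'Attributes'
    foreach ($row in $rows) {
        if ($IntegritySids.ContainsKey($row.Sid)) { return $IntegritySids[$row.Sid] }
    }
    return 'Unknown'
}

function Test-FolderWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Create and delete a uniquely named probe file; any failure counts as "no".
    $probe = Join-Path $Path ("il-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# Assumption: default profile layout, so LocalLow sits under AppData.
$folders = [ordered]@{
    Desktop   = [Environment]::GetFolderPath('Desktop')
    Documents = [Environment]::GetFolderPath('MyDocuments')
    LocalLow  = Join-Path $env:USERPROFILE 'AppData\LocalLow'
}

"Integrity level: $(Get-ProcessIntegrityLevel)"
foreach ($name in $folders.Keys) {
    [pscustomobject]@{
        Folder   = $name
        Path     = $folders[$name]
        Writable = Test-FolderWritable -Path $folders[$name]
    }
}
```

Comparing the output of an ordinary session with that of a process started at low integrity shows which folders carry a label the lower level cannot write to.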
- trogdoor, on 11/02/2007, -0/+3"but the applet in question is a signed applet signed by a trusted certificate authority. This fact, as well as the certificate, is clearly displayed to the user so that s/he can make a decision whether to allow the applet to access the filesystem/registry or not."
I understand that but as I understand it protected mode is like a BSD jail in that it is not possible to be escalated out of, you can't just su back to a privileged user, so there is no way that an IE 7 window running in trusted mode could spawn a java applet which was not also permanently stuck in trusted mode. How would you suggest they not "break" signed applets from untrusted sites ( yes I understand that just because the site is untrusted does not mean that the applet is ) while staying consistent with their security model?
- Error601, on 11/04/2007, -0/+3But it is commonly initiated from the browser so it depends on how it handles that situation. I don't have any Vista boxes available yet to test it.
- stutimandal, on 11/02/2007, -5/+8Holy cow, people still use Java Applets in websites? This is 21st century and later part of the first decade.
- Fergy, on 11/02/2007, -5/+8Mozilla has looked at the protected mode for Firefox and it was so easily circumvented that they won't even bother adding it to Firefox for Vista. IE7 in protected mode is not safer than IE7 on winxp.
- Blitzenn, on 11/02/2007, -1/+4It's actually a good thing as Java is now inherently insecure, (provides access to the system it's running on while bypassing security). Don't try to install the Java console on your Vista machine as you may very well find yourself having to completely rebuild it from scratch. It's not an MS issue in my eyes as it is the JAVA console installation that is attempting to subvert controls put in place by MS to keep things secure. Sun attempts to replace those executables with their own and effectively breaks the machine to the point it will no longer boot properly (if at all).
- natenovs, on 11/02/2007, -0/+3http://digg.com/apple/Apple_s_Leopard_rejects_late ... not anymore :)
- trogdoor, on 11/02/2007, -0/+3Thanks for the info, that actually seems a little disappointing to me but I'll hold judgment until I understand better how IE7 and protected mode work.
- talonx, on 11/02/2007, -0/+3Hello,
>>so there is no way that an IE 7 window running in trusted mode could spawn a java applet which was not also permanently stuck in trusted mode
On the contrary, the IE broker process mechanism allows an add-on to run in a normal integrity level, which is enough for performing normal file system tasks. However, as a Sun engineer has mentioned in the evaluation section of the bug on http://bugs.sun.com/bugdatabase/view_bug.do?bug_id ... the broker process solution would not work. What would probably work (from the same link) is an out-of-process model for the plugin. But it seems this would take some time to be publicly available - http://www.javalobby.org/java/forums/t102770.html
Regards
Hrish
- chazuk, on 11/02/2007, -2/+5Did you even read what others are saying about this?
- unknownsoldierX, on 11/02/2007, -0/+2If everyone were that way, there wouldn't be many stories on the front page.
- Error601, on 11/02/2007, -0/+2Despite what Bill Gates thinks, the world does not revolve around Windows. The signing thing was not developed by Sun for Java and is used in tons of stuff including making sure you're sending your credit card to amazon.com and not some fake site made to look like it.
- roberto_deneero, on 11/02/2007, -0/+2Yes, because most people are lazy dolts.
- inactive, on 11/03/2007, -2/+4Can you run Java on OSX?
- trogdoor, on 11/02/2007, -0/+2Unfortunately in IT, as in many areas, people seem to be more bothered by the thought of education than restriction.
- talonx, on 11/02/2007, -1/+3In a way which is the easiest for all kinds of users, does not take much technical expertise, runs on all platforms and browsers, autodownloads and autoinstalls everything required - can you name a few? - Hrish
- Chicken001, on 11/02/2007, -3/+5You must not know anything about Java. Sun contributed a lot to the open-source community. C# was created in response to Java, by Microsoft. If you've gotten into the deeper-depths of Java you'd realize that your statement is foolish. Also, this is an IE7 problem, Firefox has no problem.
- roberto_deneero, on 11/02/2007, -1/+3Perhaps M$ and Apple don't want Java to survive so they both blocked it from working. Java is a pig.
- Error601, on 11/02/2007, -0/+2Applets are completely restricted unless it provides a key that can be verified with a signing authority public key. The same way secure web connections verify the identity of the remote server. You then have to agree to let the signed applet run when it presents you with the signer's authenticated identity. This is really no different than downloading an application from a company you know and then running it.
- Error601, on 11/02/2007, -0/+2So, no one has tried webstart yet? I'd be interested to see how Oracle's jinitator works too. If that's broken, MS is going to take a big hit on upgrades because tons of businesses won't be able to use it. It seems most of the newer applications are using webstart.
- canthraxp, on 11/02/2007, -0/+2"Note that protected mode is only available on Windows Vista as it is based on Vista specific security features."
From the article.
- natenovs, on 11/02/2007, -0/+2http://www.techweb.com/wire/security/193105163
- FTLJohnson, on 11/05/2007, -0/+2Still gotta have Windows on your mac if you want to play... well.. pretty much any decent game...
Unless you REALLY are into super breakout... I'll be over on my pig enjoying HalfLife2, Assassin's Creed, BioShock, Crysis... etc
- talonx, on 11/02/2007, -0/+2The applet in this case is an installer for a software - the applet was chosen because it happens to be the easiest method for non-technical users to install. Installation requires writing to the disk and registry, which I'm sure you agree is not possible in HTML :). - Hrish
- hackerssidekick, on 11/02/2007, -1/+3I'm not sure I follow ... can Flash "applets" write to the file system when run inside IE7 in protected mode?
- Topher06, on 11/02/2007, -0/+2Wow, I mean wow! People were always complaining about how unsecure pre Vista windows versions are, then Microsoft tightened up their OS and Vista is now their most secure platform, and then people complaining because some pre-Vista software won't run properly. The issue here is that the company that invented signed Java apps needs to get off their asses and develop an update for Vista. What do you want, Microsoft continuing to have huge security holes to work with old software and legacy hardware, or Microsoft to develop something secure which might need some people to do some actual work and write updates for their old software?
- Wang, on 11/03/2007, -0/+2As long as the title is accurate, I don't have a problem with it ;) this article however, blows...
- inactive, on 11/02/2007, -0/+2that's funny, because i happen to like java and firefox... i guess that would make you my antithesis... until we meet again!
- roberto_deneero, on 11/02/2007, -1/+2Riiiiiiiiiiiiiiiiiiiiiiiiight.