161

This is the second time I've had a drive-by executable installed on my machine using the following:

  • Google Chrome 6 (latest)
  • Windows 7, UAC on

This happened while I was browsing for images to add to a gaming.se post; one of the sites I visited (to get an image of a transfer cable) must have had drive-by browser exploit code running.

UAC alerted me that a weird temporary executable wanted to run, and I declined, but I still got the fake antivirus executable running on my machine. Sigh..

I do have Java installed because I upload stuff monthly to clearbits.net and their uploader is a Java plugin. So my best guess is, websites are doing drive-by installs using the massive numbers of zero-day vulnerabilities in the Java browser plugins.

For now, I have uninstalled Java, which works. But I wondered if I could disable the Java plugin in Google Chrome instead.

So, how do you disable these vulnerable plugins in Google Chrome? I can't find the UI.

Jeff Atwood
  • 24,142
  • 9
    How did you detect this drive-by executable ? – Leonel Oct 20 '10 at 19:00
  • @leonel first, UAC triggered (I declined). Then it somehow ran anyway and started begging me to install some kind of fake antivirus in the system tray.. – Jeff Atwood Oct 20 '10 at 19:11
  • 6
    You can always see if your plug-ins need to be updated here: http://www.mozilla.com/en-US/plugincheck/ – travis Oct 20 '10 at 19:16
  • I have a Windows XP Virtual Machine set up with Java just for that reason. @Jeff Curiously, how did you go about getting rid of it? – Chad Levy Oct 20 '10 at 22:58
  • 4
    @paper I used http://www.microsoft.com/security_essentials/ – Jeff Atwood Nov 09 '10 at 00:03
  • 2
    I got a similar thing from a PDF the other day... and to top things off, if I had only remembered that I hadn't meant to open one, I could have avoided it! – SamB Dec 10 '10 at 22:07
  • 1
    How do you know it was a vulnerability in Java and not a vulnerability in webkit? – BlueRaja - Danny Pflughoeft Jun 28 '11 at 04:57
  • @blue my Chrome is constantly updated (by Chrome itself..), but Java was massively out of date. Do the math.. – Jeff Atwood Jun 28 '11 at 05:00
  • Sorry, didn't know; but, doesn't Java come with an auto-updater? – BlueRaja - Danny Pflughoeft Jun 28 '11 at 16:38
  • I can't find it, but I know one was using a glitch in the print spooler to get around UAC, then TDSSv4/aluron started using it to inject it's rootkit. If you got the fake AV, its probably a variant of the TDSS virus that downloaded it in the background. YOU SHOULD DO A ROOTKIT SCAN RIGHT NOW! https://www.securelist.com/en/blog/337/TDL4_Starts_Using_0_Day_Vulnerability

    The TDSS viruses are insanely complex, they actually have code in them that innoculates the pc to other viruses and rootkits, and run completey encrypted in hidden sections on the hardrive.

    You really should do a post on it.

     – Ape-inago Jan 29 '13 at 11:36
  • Thanks for the wonderful article https://stackoverflow.blog/2011/07/01/its-ok-to-ask-and-answer-your-own-questions/ . – neverMind9 Mar 14 '19 at 09:43

6 Answers6

135

For Java specifically, Chrome now disables Java by default on all pages and prompts you to allow it to run each time a site needs it.

For more general plugin worries, Chrome allows you to block all plugins on all sites completely, and then allows you to selectively enable them on a page without reloading it. You can also configure exceptions for particular URLs.

To enable this, under the Plug-ins section of the settings url: chrome://settings/content select "Block All".

With this option enabled, when you want to run plugins on a page you have 3 options:

  • Right click on the plugin and choose "Run this plug-in" from the context menu
  • Click the plugin icon in the URL bar and choose "Run all plug-ins this time
  • Add an exception for sites you trust so that they can run plugins without your explicit permission each time

Chrome also has a "Click to play" setting which is hidden behind a flag in some versions of Chrome. As a commenter mentioned, this option is vulnerable to clickjacking attacks so I would advise against using it. You're better off with the "Block all" feature.

Jason
  • 129
Dan Herbert
  • 1,791
74

I found a really old bug / feature request on Google Chrome here.
It appears in Chrome 6.0 or later. Visit chrome://plugins/ or about:plugins and disable Java there.

alt text

Once I did this, to make sure Java was disabled, I visited a Java plugin demo page. And indeed it was disabled:

alt text

But my general recommendation is to uninstall Java -- you really don't want Java on your system unless you absolutely, positively have to have it .. because there are so many new exploits for it.

I would also recommend disabling any plugins you don't absolutely need. Every enabled plugin is an attack surface, and yet another thing that needs to be kept up to date..

Ashildr
  • 2,730
Jeff Atwood
  • 24,142
  • 20
    I ended up disabling like 15 plugins I didn't know I had... – juan Oct 20 '10 at 19:02
  • Couldn't you just go in and delete the "netscape" (and IE, I suppose) plugin DLLs, rather than uninstalling everything? – SamB Dec 10 '10 at 22:04
  • 1
    Oracle, in their wisdom, have broken those sun.com links. I googled "java applet demo" and tried the first non-sun link. Yes, it looks like modern Chrome disables Java by default. – Jason Sep 15 '12 at 11:25
  • Starting from Chrome 57 plugins page is no more accessible. – anton_rh May 31 '17 at 15:27
32

One small trick I use with Java is to hunt around and install the x64 version only, which I only use when I fire up IE x64 to use the one-off Java only apps like the one you reference.

CoreyH
  • 943
  • 8
    oh man that's an awesome tip; I use IE 64 bit in a similar way when I want to test in "browser I never use but still works" – Jeff Atwood Oct 20 '10 at 19:08
10

Although it may be an easy fix, just sufficiently blocking Java, if you are in favour of a more holistic approach you may prefer to use a combination of:

  • Secunia PSI/VIM for notification of updates, vulnerabilities and automatic updates
  • Microsoft EMET for preventing stack overflows and similar
  • BufferZone for protection from drive by installers
  • iCore Virtual Accounts for times when you need to walk the dark side of the net on a production machine (it's a bit inconvenient to login/logout and uses semi-virtualisation so there is some overhead - but when you only have one machine at your disposal...)

This should protect you from more than just Java vulnerabilities.

To measure the effectiveness of these approaches (EMET alone seems to stop 90% of them) you may want to use the Social Engineering Toolkit.

wheredidthatnamecomefrom
  • 258
Metalshark
  • 286
10

To only disable Java plugins one can use the -disable-java startup switch. Example:

"C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" -disable-java

Navigating to http://java.com/en/download/help/testvm.xml after a restart of the browser gives the nice message

No working Java was detected on your system. Install Java by clicking the button below.

One can read about other switches in The Power User’s Guide to Google Chrome. There is other useful information, too.

oɔɯǝɹ
  • 165
Bobrovsky
  • 427
1

Instead of disabling the plugin in Chrome, another possibility is configuring Java in order to disable it for all browsers.

To do that:

  1. Open Java Control Panel (C:\Program Files\Java\jre7\bin\javacpl.exe)
  2. Go to Security tab
  3. Uncheck "Enable Java content in the browser"
  4. Java tells you it will take effect after restarting browser(s)
Oriol
  • 1,449
  • 9
  • 25
  • 44