Chrome Playing Hard to Get with Blackhole Exploit Kit

Discussion in 'malware problems & news' started by TheKid7, Dec 7, 2012.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Wow. Thanks for the explanation.

    For me, a good reason to avoid installing applications written in Java!

    Can you list such an application that requires unlimited access to the internet? I would like to look at it!

    thanks,

    -rich
     
  2. The above is correct for interpreted and byte-compiled languages, in my experience. Which strikes me as awfully weird, because MAC systems like AppArmor can apply rules to an interpreter based on the path to the script it's running. If Windows FW/HIPS software can't do the same, I would guess that it might be a limitation of the software in question, rather than a general rule.

    I might not know what I'm talking about though. :)
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    A browser requires unlimited access to the internet, as does Flash. You can't predict every IP that hosts Flash/content that your browser/Flash will connect to, therefore whitelisting by IP is not reliable, especially since websites change IPs.

    @GJ,

    Not sure what you mean.
     
  4. I mean that, as far as I can tell, AppArmor lets you place restrictions on scripts as well as binaries. (Presumably by restricting the interpreter when it runs a script with a given path.) Whereas at least some Windows HIPS/FW software does not let you restrict scripts individually - you can have one set of rules for the interpreter, and that's it.

    I could be reading the stuff about AppArmor wrong though...
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't think AppArmor can restrict scripts, you get one profile for the interpreter. That's how it is with Java.

    What you can do is create child profiles though. When my web browser launches Java it'll do it in a profile but when I run a java file from my downloads folder (assuming my browser doesn't launch it) it can run in a Java profile.

    But that's not based on the path, just on the parent process.

    I don't think it would be possible to restrict the script, the script alone is somewhat benign, all actions are taken by the JRE itself.
     
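    The parent-process child profile described above, written out as an added AppArmor example (not from any poster in this thread). The binary paths and the profile name browser_java are assumptions; adjust them to the real browser and JRE locations.

    ```apparmor
    # Added example: confining a browser-launched Java differently from a
    # directly-launched Java. Paths are placeholders for the real binaries.
    #include <tunables/global>

    /usr/bin/firefox {
      #include <abstractions/base>
      #include <abstractions/nameservice>
      network inet stream,
      network inet6 stream,

      /usr/bin/firefox mr,
      owner @{HOME}/.mozilla/** rwk,
      owner @{HOME}/Downloads/** rw,

      # When the browser execs the JRE it transitions into the child profile
      # below. Uppercase C = scrub the environment (drops LD_PRELOAD etc.).
      # The decision is made on the parent process, not on which .jar or
      # script the interpreter is asked to run.
      /usr/lib/jvm/default/bin/java Cx -> browser_java,

      profile browser_java {
        #include <abstractions/base>
        #include <abstractions/nameservice>
        # Plugin Java only needs outbound TCP; no raw sockets, no ICMP
        network inet stream,
        network inet6 stream,

        /usr/lib/jvm/default/** mr,
        owner @{HOME}/.java/** rwk,
        # deny rules win over allow rules, so these stay off-limits even if a
        # broader allow is added later
        deny @{HOME}/.ssh/** rwkl,
        deny @{HOME}/.gnupg/** rwkl,
        deny /etc/shadow r,
      }
    }

    # The same JRE run directly (e.g. a .jar double-clicked from Downloads)
    # is matched by path and gets this stand-alone profile instead, which can
    # be tuned independently of the browser-launched one.
    /usr/lib/jvm/default/bin/java {
      #include <abstractions/base>
      #include <abstractions/nameservice>
      network inet stream,
      /usr/lib/jvm/default/** mr,
      owner @{HOME}/** rwk,
      deny @{HOME}/.ssh/** rwkl,
    }
    ```

    Load it with `apparmor_parser -r` on the profile file and check `aa-status` to confirm both the parent and the browser_java child are in enforce mode.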
  6. I see... Thanks.

    Would it be safe to say that scripting languages can present a non-trivial security issue?
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If you secure your interpreters with SELinux/AppArmor it then becomes an issue of providing a secure kernel to provide sandbox escaping. For something like Java this may not be so difficult - I've created a Java profile that has worked fine for me.

    For creating one for Python it may be more difficult. Different use scripts will cause them to act in different and unpredictable ways, making strict policy impossible - arbitrary access to files/libraries would be necessary.

    On a system where you know what your interpreters will be doing at all times you can create a strict profile. But that would have to be on a per-system basis, creating a generic profile would be much weaker.
     
  8. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    I didn't actually know of any off the top of my head because the only thing I use Java for is NetBeans. But I looked around and found one. There is a BitTorrent client called Vuze that you can find quickly in Google.

    Enjoy!
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, but I'll pass on that!

    BitTorrent is not an application I would ever use, and I'll take your word for its needing unlimited access to the internet.

    ----
    rich
     