Security warning pop-up, please help

Discussion in 'other security issues & news' started by emmjay, Dec 19, 2011.

Thread Status:
Not open for further replies.
  1. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    I am receiving a security warning pop-up when I open Chrome and I do not know why I am receiving it. It is for an appl. digital signature that has encountered an error (I think UAC is sending me the security warning). I have included 3 screenshots.

    I googled the address that is stated in the pop-up and it is from a campus network in the USA (WOT is green). I have never heard of this university and I am not a member of any campus networks in Canada, so I am lost as to why I am receiving it. I select cancel but it comes back every time I open Chrome. It wants to RUN something on my computer and I do not know what that is.

    How do I determine what application it wants to run, or is associating itself with? I am at a loss.
     

    Attached Files:

  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    This is certainly not UAC, perhaps it's a Java applet and Java warns the certificate has expired?
     
  3. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    OK, if it is Java (that's good to know)...
    I do not use the University Campus Network nor have I ever tried to access the University's webpage over the internet prior to receiving this security warning. Why do they want to run a Java applet for their website on my computer?
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Hmm.. Really weird, I misread your first post and thought you were on the campus network, but you're not. Does it stay the same if you set your homepage to something other than google.ca? And could you post a screen of the More Information pop-up? (It is on your second screenshot, but the Certificate details are blocking the view.) You can also run Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653) to check if you see any weird processes running (e.g. random names etc.) and if Java is running when you get the pop-up.
     
  5. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    I do not get the security pop-up if I open Firefox. I tried another home page on Chrome and I get it. The Java icon appears when I open Chrome. Here is the screen shot you asked for ...
     

    Attached Files:

  6. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    I contacted the University's Help Desk and asked them to look into it. They opened a ticket and got back to me just 1 hour ago. This was their response...

    Hello Sir:

    We didn't sign this. We haven't signed any code or app certificates year to date. We can't see the whole serial number from your screenshot; do you still have it? We'd like to trace where this came from and report it to the CAs.


    I sent the serial number, so hopefully the problem will get resolved this way. I guess it could be dangerous code.

    Thank you for all your help.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Still weird that it only does this on Chrome :S
     
  8. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    Yes I agree. Maybe Chrome has its own unique way of handling Java applets. It is supposed to have more built-in security features ... maybe this is one of them.
    You led me to Java and out of curiosity I opened the Java console and it showed that no applets were run from plugins, however when I opened the Java Control Panel and looked in Security/Certificates there was the 'University's' certificate listed under trusted certificates. I have included a screen shot. Short list eh?

    I'd love to know how and why it zoomed in on my PC.
     

    Attached Files:

  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Really strange. Have you received a reply yet from the University's Helpdesk?
    Hopefully there is some more knowledgeable user here who can help you further.
     
  10. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    I have not heard back from the University since they confirmed that the certificate is phony.

    I really would appreciate it if someone with some knowledge in this area could lend a hand. In my last screenshot you can see the certificate in the trusted list and when I select it and hit REMOVE, it gets removed. I rebooted and took another look ... it was gone. I started Chrome and Java brought it back!

    I am beginning to think that I may have a trojan on my PC. I have run MBAM and MSE scans (both run clean). There is nothing I have to send to a virus checker! I have no idea what I should do next.
     
  11. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    I heard back from the University ... just a few minutes ago. They are not associated with the certificate and warn me not to install it.
    I did some investigation on my own and have determined that the certificate may have been issued by an add-on that I have on Chrome that I do not have on FF. The add-on is 'Perspectives' and they appear to be associated in some way with the same University. Their address is slightly different. I have asked the Help desk if they would check into this before closing the ticket.
     
    Last edited: Dec 26, 2011
  12. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    What helpdesk did you have contact with?
    I'd contact one of the devs from 'Perspectives' (perspectives(at)cs.cmu.edu) which has been developed at CMU/Carnegie Mellon Uni. link
    On Firefox, I still have one particular issue; when using their own built-in function for sending them info in case of a problem or to 'report an attack', I'll get a warning immediately that their own cert (valid for the name networknotary.org) doesn't match the report.networknotary.org name. link
    Perhaps your Chrome issue is related? (-edit; Although your screenshots show that the issue is an expired certificate).
    Still, I'd be careful and make sure this isn't some fake 'Perspectives' Chrome add-on. Perhaps better uninstall it until you get an OK or an explanation from one of the devs.
     
    Last edited: Dec 26, 2011
  13. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    Thank you for your reply. To reach the Help Desk on the campus network, I opened the website stated in the certificate and clicked on 'contact us'. They automatically issued a trouble ticket. As far as 'Perspectives' is concerned, I downloaded it from the Chrome add-ons list (not directly from a browser search result)... I assumed that this list was a safe list (no?). However, I will follow your advice and contact the Perspectives devs and see what they have to say.
     
  14. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Not sure to what extent Chrome extensions are actually vetted, but to me it does look legit.
    Reading the user reviews at chrome.google.com/webstore shows that you are not the only one experiencing the 'license expired' issue;
    '20 dec 2011. Lately it hasn't been working, and now that the security certificate has expired I'm not loading it anymore.' link
    Hopefully this will get fixed soon; it comes across as rather sloppy.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There's no vetting process at all, AFAIK. Unless something changed recently.

    @ emmjay

    I was actually going to ask you to disable all Chrome extensions, and see if the warning would still appear, but you figured it out on your own.

    I never used Perspectives, so I'm not sure how it truly works, but is it normal for it to try and run Java applets?
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    The thought of Chrome not having a vetting process for extensions absolutely floors me, yet the more I search for info on that subject, the more I encounter what m00nbl00d has said... there is no vetting process.

    I don't want to go too far OT, and can start another thread if need be, but I'd like to add a tidbit I received a few months ago from a Google Developer Advocate and member of the privacy team, Mike West.
    I had emailed him about an article of his and I asked about extension vetting.
    He replied that the question was more appropriate for the security team, but he did say this much about the vetting process for extensions...
    I know that this isn't very detailed and certainly isn't conclusive, but in my opinion, it at least does counter the "no vetting process" statement.

    I hope to find out more, and apologize for the somewhat OT post.
     
  17. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    I did not know that the extensions were not vetted. Thank you for this information. It is amazing how one problem can teach you so much about so many other things. I have not heard back from the developers at Perspectives, so to be safe I disabled the extension. On having read your post, I think you hit the nail on the head ... is it normal for this extension to try to run Java applets and why.

    I took another look at Wiki's blurb on Java applets and this one stood out...
    Some studies mention applets crashing the browser or overusing CPU resources but these are classified as nuisances[41] and not as true security flaws. However, unsigned applets may be involved in combined attacks that exploit a combination of multiple severe configuration errors in other parts of the system.[42] An unsigned applet can also be more dangerous to run directly on the server where it is hosted because while code base allows it to talk with the server, running inside it can bypass the firewall. An applet may also try DoS attacks on the server where it is hosted but usually people who manage the web site also manage the applet, making this unreasonable. Communities may solve this problem via source code review or running applets on a dedicated domain.[43][44]

    The unsigned applet can also try to download malware hosted on originating server. However it could only store such file into temporary folder (as its transient data) and has no means to complete the attack by executing it. There were attempts to use applets for spreading Phoenix and Siberia exploits this way,[citation needed] while these exploits do not use Java internally and were also distributed in several other ways.

    Not sure that this is the case here, but it sure is disconcerting to say the least.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    There is very limited vetting for Chrome extensions that I know of. I'm going to try to contact the security team and really see what they have to say about it.

    EDIT: Sent. >_> Not sure that was the right email though lol
     
    Last edited: Dec 31, 2011
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Thread on Chrome extension vetting started here so as to not hijack this thread. :)
     
  20. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    The Developer from Perspectives sent me this response today...
    The Chrome extension does indeed use a Java applet. It is used to fetch the website's certificate since Chrome does not provide APIs to do so (compared to FF). But this approach has compatibility issues with different versions of Java and on different OSes.

    The certificate used to sign the Java applet has expired, which is causing the error message you see to pop up. The Chrome extension was a proof of concept port from the FF extension and I am not sure if we have the resources to renew the certificate. If we decide not to renew the CA-issued certificate I can update the applet with a self-signed certificate.


    I found this info in the Java cache viewer...
    commons-codec-1.4.jar/user/dd/commons-codec-1.4.jar ww.andrew.cmu.edu/user/dd/perspectives-0.5.jar

    So it is a codec. I am not knowledgeable enough to understand why they want to write a codec on my system, so I have decided to remove this extension (rather than just have it disabled) from my Chrome browser. HTML stuff is totally beyond me.

    Thank you to everyone who responded. I very much appreciate it.
    I'll follow the newly created thread on Vetting Extensions ... peace to all.
     
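Added example, not from the thread and not Perspectives' code. The developer's reply above says the certificate that signed the applet had expired, and that is what Java was reporting in the pop-up: before it runs a signed applet it reads the signer's certificate and checks that the current time falls inside the certificate's validity window. The block below shows that check at the byte level. A minimal DER walker pulls the validity SEQUENCE out of an X.509 certificate, decodes the two Time values (UTCTime or GeneralizedTime, with the RFC 5280 two-digit-year rule) and reports whether the certificate is valid, expired or not yet valid at a given instant. The certificate is constructed inline so the example runs offline: it is a structural skeleton with empty issuer/subject names and placeholder key and signature bytes, not a real, signed or trusted certificate. The parsing functions work unchanged on any DER certificate read from a file.

```python
# Added example (not from the thread, not Perspectives code): read the
# validity window of a DER X.509 certificate and decide whether it has
# expired. The sample certificate is constructed here for illustration.
from datetime import datetime, timezone

SEQ, INT, BITSTR, NULL, OID, UTCTIME, GENTIME = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0x18
EXPLICIT_0 = 0xA0  # [0] EXPLICIT tag used for the optional version field
RSA_ENCRYPTION = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01])  # 1.2.840.113549.1.1.1


def der(tag: int, payload: bytes) -> bytes:
    """Encode one TLV with a short- or long-form length (only used to build the sample)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def sample_cert(not_before: str, not_after: str, time_tag: int = UTCTIME) -> bytes:
    """Constructed certificate skeleton (placeholder key/signature, empty names)."""
    alg = der(SEQ, der(OID, RSA_ENCRYPTION) + der(NULL, b""))
    tbs = der(SEQ,
              der(EXPLICIT_0, der(INT, b"\x02"))                 # version v3
              + der(INT, b"\x01")                                # serialNumber
              + alg                                              # signature algorithm
              + der(SEQ, b"")                                    # issuer (empty Name)
              + der(SEQ, der(time_tag, not_before.encode("ascii"))
                         + der(time_tag, not_after.encode("ascii")))  # validity
              + der(SEQ, b"")                                    # subject (empty Name)
              + der(SEQ, alg + der(BITSTR, b"\x00\x30\x00")))    # SPKI placeholder
    return der(SEQ, tbs + alg + der(BITSTR, b"\x00" + bytes(8)))  # signature placeholder


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the single-byte-tag TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, end


def children(buf: bytes):
    """Yield (tag, value) for each TLV directly inside buf."""
    pos = 0
    while pos < len(buf):
        tag, start, end = read_tlv(buf, pos)
        yield tag, buf[start:end]
        pos = end


def parse_time(tag: int, value: bytes) -> datetime:
    """Decode a Time ('Z' form) as RFC 5280 requires for certificates."""
    s = value.decode("ascii")
    if tag == UTCTIME:      # YYMMDDHHMMSSZ; YY >= 50 means 19YY, otherwise 20YY
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == GENTIME:    # YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected tag for Time: 0x%02x" % tag)
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError("unsupported Time encoding: %r" % s)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def validity(cert_der: bytes):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    tag, start, end = read_tlv(cert_der, 0)
    if tag != SEQ or end != len(cert_der):
        raise ValueError("not a single DER SEQUENCE")
    tbs_tag, tbs_start, tbs_end = read_tlv(cert_der, start)
    if tbs_tag != SEQ:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(children(cert_der[tbs_start:tbs_end]))
    if fields and fields[0][0] == EXPLICIT_0:   # optional version comes first
        fields = fields[1:]
    # TBSCertificate order: serialNumber, signature, issuer, validity, subject, ...
    vtag, vbytes = fields[3]
    if vtag != SEQ:
        raise ValueError("validity is not a SEQUENCE")
    times = list(children(vbytes))
    if len(times) != 2:
        raise ValueError("validity must hold exactly two Time values")
    return parse_time(*times[0]), parse_time(*times[1])


def at(day: str) -> datetime:
    """UTC midnight of an ISO date such as '2011-12-19'."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


def check_validity(cert_der: bytes, now: datetime) -> str:
    """'valid', 'expired' or 'not yet valid' for the certificate at instant now."""
    not_before, not_after = validity(cert_der)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


if __name__ == "__main__":
    cert = sample_cert("100101000000Z", "111215000000Z")   # constructed: expires 2011-12-15
    print(validity(cert), check_validity(cert, at("2011-12-19")))
```

Two points worth keeping in mind when using this on real input: the walker assumes single-byte tags and lengths of at most four bytes, which covers X.509 but is not a general ASN.1 decoder, and an in-window certificate is only one of the checks a signature verifier makes; chain building, revocation and the signature itself are separate steps this example does not perform.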
  21. x942

    x942 Guest

    Thankfully Java can easily be reverse engineered in its .jar form. I will grab a copy from the add-on and see what it's doing. I'm sure it's safe. Perspectives is pretty reputable. :thumb:
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You're welcome. In the thread user Page42 mentioned, you'll see why I say there's no vetting process. But, resuming, either there isn't one or it's a rather weak one, which is the same as not having it. :ouch:
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Chrome's "vetting process" is basically a way to see what site is connected to the extension. At that point you can go check the site out yourself and see how trustworthy it is.

    If there is anything going on in the background I don't know about it and there doesn't seem to be much information.
     