Radar Love: how classic rock helps to highlight Java problems

Java

3

Radar Love

From Wikipedia, the free encyclopaedia: “Radar Love” is a song by the Dutch rock band Golden Earring. Music critic Bill Lamb rates this among his “top 10 driving songs” due to its lyrics about driving all night and its pulse-quickening, up-tempo beat. The single version of “Radar Love” reached #13 in the US. It hit the top 10 in many countries, including the United Kingdom, Germany and Spain.

Now what does this all have to do with security at all, you may wonder? Everything: please keep reading!

Golden Earring

Every year I participate in the “Drum3Daagse” (3 days of drumming). The Drum3Daagse is hosted by Cesar Zuiderwijk, drummer of the Golden Earring (and still alive and seriously kicking). As a matter of fact, we had the 12th annual staging on the 9th, 10th and 11th of August this year with 72 drummers! You can find Cesar at the bottom arrow and me at the top arrow. A drink for when we meet next time for those that can spot other world-famous drummers, as there are several in the above picture. Send me an e-mail with their names and where they are on the picture.

As the song “Radar Love” became famous due to Cesar’s extremely good drum score and has been covered a zillion times, after the Drum3Daagse I went to “http://www.radar-love.net/”, a site dedicated to “Radar Love” and all its cover versions. A nice historical collage of this famous song.

On reaching the website, it turns out there is some Java code that wants to be run, nicely intercepted by Google Chrome.

 Radar Love

 

Careful person that I am, especially when it comes to accessing never-visited-before websites, I went there… BUT: on a machine that is dedicated to  research purposes and completely isolated from the corporate network and from my home networks!

Of course you, as a regular user with an awareness of security would already have cancelled rather than continuing on this webpage, right?  Ah, that is an issue: there are options to “Run this time”, “Always run on this site” and “Learn more”, but where do you cancel? There is of course the further option not to click anything, go to a different website (or close the browser)… But before you start to “gniffel” (chuckle) and gripe about Chrome, Internet Explorer also would have warned you…

 Internet Explorer Java

Of course, following Internet Explorers’ default suggestion will lead you to the official Java download page and when you want to download the latest version, you see another warning…

 Warning

After installing the latest version of Java, re-visiting the website will result in yet another warning:

Java_error

Now it is really intuitive that the cancel button is accessed via the “More Info” button, right?

Now regardless of the browser, if you allow the code to run, Java Security kicks in:

 Java Security Warning

 

Trying to learn more about this warning, of course you will click the “More Information” link.

More information

Now that is a clear message, clearly indicating I should NOT to run this application (it is my first time on this website), so of course I pressed “Cancel” (as would you, right?)

So when you did that, like I did, Java is “so polite” as to show that there was an error where you can actually click the box for details (and that image cannot be spoofed and misused, right?)

 Error

When you do look at the details, it will show you the Application Error box, which of course offers you the possibility of “Reloading” the potentially dangerous Java code(???).

Security Exception

What is of course bothersome here is that the community of security evangelists and experts tries to tell you that you should never run unsafe code. And here we have an example with clear warnings of potential risk, with the cancellation options almost completely hidden and with a “Reload” option appearing when you do manage to cancel the execution of this code.

It is almost like the lyrics of this sensational song:

No more speed, I’m almost there
Gotta keep cool now, gotta take care
Last car to pass, here I go

But then it’s a bit different:

No more tricks, I’m almost in
Gotta keep cool now, gotta take care
Last hurdle passed, here I go

I am sure that people that are tired, have been driving all night, finally are home and connecting to the internet, still with the buzz in their head…

I’ve been drivin’ all night, my hand’s wet on the wheel
There’s a voice in my head that drives my heel
It’s my baby callin’, says I need you here
And it’s a half past four and I’m shiftin’ gear
When she is lonely and the longing gets too much
She sends a cable comin’ in from above
Don’t need no phone at all

When I get lonely and I’m sure I’ve had enough
She sents her comfort comin’ in from above
We don’t need no letter at all
We’ve got a thing that’s called Radar Love
We’ve got a light in the sky
We’ve got a thing that’s called Radar Love

…may actually become victims of a Java attack.

Now they would not fall a victim to such an attack from the aforementioned “http://www.radar-love.net/”. The Java code there is innocent and run from their own website (82.150.137.74 points to their website, so it’s just a case of sloppy programming). But: that is the situation right now. Inexperienced users would never be able to figure out that the IP number is from that website and for attackers of course it is the perfect place – especially on popular websites – to hijack the code there and have it point to malicious code.

Educating the end-user frankly seems pointless when there are websites that are built so sloppily and where security warnings are confusing and even give the victim the option to reload potentially malicious code when they try to cancel. Java has been – and still is – one of the more problematic issues security-wise. To hope get rid of it completely is a Utopian dream. We even know of bank applications that require it and so their clients will not be able to discard it.

Ah yes… For those that are interested… The Java code in question is showing the lyrics of Radar Love in sequence. But there is no need to enable Java or load that code, if you are interested in the lyrics: all you have to do is please go here… If you are a drummer, the score of the original has been written down (6 pages) by Rob Kramer and can be found here (watch the Del Signo and Coda signs!)…

 

Author Righard Zwienenberg, ESET

  • Loek

    Next time “When the lady smiles” please

    • http://dharley.wordpress.com/ David Harley

      I’m working on something exploring the links between bootkits, Disraeli Gears, and Electric Ladyland. Maybe not.

  • http://www.bolee.com/ Dee Baig

    This issue highlights need for improvement in computing/IT. The end-user has very little information about how to deal with such issues. They are only interested in listening to the songs. They are not IT experts. They cannot be expected to know detailed IT issues. Authors of the website or their IT team should help end-user with these issues.

    DbaiG
    Bolee.com

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.