amusement

Here's a slick little sight to test out the vulnerabilites on your web browser. When I tested mine; I discovered my java was too old. I updated it and all was fine. PS: try Firefox browser for general use...it's more secure than IE. bccheck.scanit.be

This ad is not displayed to registered members. Register your free account today and become a member on Yotatech!

kronicx

OS X running Safari:

High Risk Vulnerabilities - 0
Medium Risk Vulnerabilities - 0
Low Risk Vulnerabilities - 0

__________________
Matt

2003 V8 Titanium Limited 4x4 X-REAS

Corey

IE 6

Browser Security Test Results
Dear Customer,

The Browser Security Test is finished. Please find the results below:

High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

__________________
Corey 2007 FJ Cruiser
Built for 4wheelin', expedition, camping, and overlanding use
PNW FJ Cruisers ☺ Detailing 101 ☺ Join Topsites ☺ Muffler Comparisons ☺ Maggiolinas In The Wild
FJ Cruiser Buildup ☺ New Roof Top Tent ☺ Video Of My Penthouse Part II ☺ Rehinge Your ARB/Engel Fridge
Blog About Roof Top Tents ☺ FJC Magazines Online Review Of My Tent ☺ 2009 Specialized Rockhopper Pro

tulsa_97SR5

Dear Customer,

The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 1
Low Risk Vulnerabilities 0

The vulnerability it said I have?

Shell: protocol is handled by Windows Explorer. It apears that it is possible to open local files and folders from a web page using the shell: protocol URLs. For example "shell:windows" URL will open the Windows directory. On Windows XP it is also possible to start local programs, for example "shell:windows\system32\calc.exe" will start Calculator.

funny thing is I run linux, I think the error message Opera popped up fooled the test into thinking it had opened a browser window.

__________________
Brian
85 sr5, 5spd - back on the road, doing DD duty for now
86 2wd reg cab - future project
90 sr5, 97 - gone

midiwall

Excellent find. I updated the JRE and am clean.

Thanks man!

__________________
~ Mark
'96 4Runner Limited S/C MI - 370cc injectors, Air! horns, Airaid MIT, ATS A-arms, 285/75/R16 BFG MTs, Bored TB, Brembo slotted, Cobra 75 WXST, Deckplate, Downey headers, Hayden cooler, IPT valve body, Level 10 torque convertor, Meanstreak exhaust, OME/OME rears, On-board PC (XM, Nav, WiFi, etc), Port 'n Polish, Remote Start, SAW fronts, Hilux console, SMT-5, Stubb's sliders, Supra MAF, TJM-17, 2.0" pulley, Viair 450c, Walbro 190, Weasy2k cams

Amir904

Firefox:
High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

__________________
07 4runner 4.7 SR5
98 4runner 3.4 SR5
87 FJ60

arjan

Firefox:
High Risk Vulnerabilities 1

I had to update my jre also. Something about a script leaving a sandbox :-)

__________________
2006 4Runner V8 Sports Edition
Red 1997 4Runner 3.4L Bushwacker Flares, 5spd, E locker

amusement

Opera and a few other web browsers have an option to 'fake' being another type of browser like internet explorer. IE offers a viewing of loose HTML standards while Mozillia Firefox views HTML web pages in strict form. There's an extension that allows IE to be opened from firefox if a web page starts to look bad.

ewarnerusa

I can't kick this one. I followed the directions and updated java but still can't shake it. What is it?

Browser name: MSIE
Version: 6.0
Platform: Windows NT 5.1

Browser Security Test Results
Dear Customer,

The Browser Security Test is finished. Please find the results below:

High Risk Vulnerabilities 1
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

High Risk Vulnerabilities
Sun Java Plugin Arbitrary Package Access Vulnerability (idef20041123)
Description
Java Plugin allows web browsers to run Java applets. Java plugin may be used by Internet Explorer, Mozilla (and Mozilla-base browsers, such as Firefox), Opera and other browsers.

When a browser opens a web page that contains a Java applet the browser automatically downloads the applet and runs it locally. To protect the user from malicious applets all the applets run in so called "sandbox". The sandbox restricts what an applet can do. For example, the sandbox will not allow an applet to open local files or start programs.

This bug in Sun Java Plugin allows a web site to bypass the sandbox and execute Java code that the sandbox will normally not allow and possibly gain control over the client computer.

Technical Details
Sun Java Virtual Machine contains sun.* packages that are only supposed to be used internally, by the virtual machine itself. Some private classes allow direct access to memory or modifying private fields of Java objects. If an applet attempts to load one of those packages a security exception is thrown. If an applet could load those classes it could turn off Java Security Manager and break out of Java sandbox.

JavaScript can access properties and methods of Java applets embedded on the page. It is possible to load a private package from JavaScript as shown in the code below:


var c=document.applets[0].getClass().forName('sun.text.Utility');
alert('got Class object: '+c)
Java Reflection API allows objects to examine their own structure (for example, find out the class of the object or the available methods). Reflection API defines getClass() function that returns the object's class. forName method of Class object loads the named class. The same operation done from the Java applet instead of JavaScript would fail.

Recommendations
Upgrade Java Environment to version 1.4.2_06 or later. It can be downloaded from http://java.sun.com/j2se/1.4.2/download.html

Additional Information

Jouko Pynnonen. Sun Java Plugin arbitrary package access vulnerability

__________________
Pics - 2003 Toyota Tacoma Xtracab TRD 4x4 Imperial Jade

Scofco

WinXP + IE6.0 = 0-0-0

__________________

WATRD

IE6 XP SP2

High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

__________________
-Rob
Slightly Modified 2001 Tacoma - WATRD.COM
WATTORA is becoming NWToys!
Tread Lightly! certified Tread Trainer


Search 100+ Toyota tech sites, including this one: Toyota Tech Search

midiwall

Did you download and install the upgrade?

If so, then to get it to "take", you have to back all the way out of IE and get the JRE (Java Runtime Engine) to shutdown. You can check this by noting if you still have the "coffee cup" sitting in your systray. If you do, then something is keeping it open, and you may have to restart Windows.

Once you restart IE, then come into the test page, and note if you have the coffee cup again. Right click on it, pick "about", and then note the version number. It should be 1.4.2_06. If it's not, then something didn't "take" from the install and you'll have to try again. If you tried the network install (the <2meg download) then try the standalone install.

If the coffee cup _never_ shows in the systray, then you're not running the JRE. To set this up, from IE go to:

• Tools
• Internet options
• Advanced
• Scroll down to the section "Java (Sun)" (it should be just after "HTTP 1.1 Settings")
• Check the box "Use Java 2 v1.4.2_06..."
• Click OK
• Restart

That should get you up on the JRE.

__________________
~ Mark
'96 4Runner Limited S/C MI - 370cc injectors, Air! horns, Airaid MIT, ATS A-arms, 285/75/R16 BFG MTs, Bored TB, Brembo slotted, Cobra 75 WXST, Deckplate, Downey headers, Hayden cooler, IPT valve body, Level 10 torque convertor, Meanstreak exhaust, OME/OME rears, On-board PC (XM, Nav, WiFi, etc), Port 'n Polish, Remote Start, SAW fronts, Hilux console, SMT-5, Stubb's sliders, Supra MAF, TJM-17, 2.0" pulley, Viair 450c, Walbro 190, Weasy2k cams

ewarnerusa

yeah, like i said I upgraded java following the directions. i tried both the upgrade files when the first one didn't "take". both upgrades were around 100mb size, nothing was under 2mb. thankfully I've got broadband at home. I rebooted both times after performing the update, ran the browser test before and after reboots. Still have a "high risk"..... I'll try the directions you gave about checking the java version, but I don't see why it didn't take. I do get the coffee cup in the sys tray when there's java going on, but it is not something I ever mess with on my own.

__________________
Pics - 2003 Toyota Tacoma Xtracab TRD 4x4 Imperial Jade

GRNTACO

Dear Customer,

The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities 1
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

What the...............I am at work. I would think things would be safe.

High Risk Vulnerabilities
Sun Java Plugin Arbitrary Package Access Vulnerability (idef20041123)
Description

Java Plugin allows web browsers to run Java applets. Java plugin may be used by Internet Explorer, Mozilla (and Mozilla-base browsers, such as Firefox), Opera and other browsers.

When a browser opens a web page that contains a Java applet the browser automatically downloads the applet and runs it locally. To protect the user from malicious applets all the applets run in so called "sandbox". The sandbox restricts what an applet can do. For example, the sandbox will not allow an applet to open local files or start programs.

This bug in Sun Java Plugin allows a web site to bypass the sandbox and execute Java code that the sandbox will normally not allow and possibly gain control over the client computer.
Technical Details

Sun Java Virtual Machine contains sun.* packages that are only supposed to be used internally, by the virtual machine itself. Some private classes allow direct access to memory or modifying private fields of Java objects. If an applet attempts to load one of those packages a security exception is thrown. If an applet could load those classes it could turn off Java Security Manager and break out of Java sandbox.

JavaScript can access properties and methods of Java applets embedded on the page. It is possible to load a private package from JavaScript as shown in the code below:

var c=document.applets[0].getClass().forName('sun.text.Utility');
alert('got Class object: '+c)

Java Reflection API allows objects to examine their own structure (for example, find out the class of the object or the available methods). Reflection API defines getClass() function that returns the object's class. forName method of Class object loads the named class. The same operation done from the Java applet instead of JavaScript would fail.
Recommendations

Upgrade Java Environment to version 1.4.2_06 or later. It can be downloaded from http://java.sun.com/j2se/1.4.2/download.html

Looks like an easy fix..............

__________________
Ben

GRNTACO

How about for Firefox?

__________________
Ben

midiwall

100meg? Ummm, maybe you pulled the SDK and not just the JRE? It still should have worked though... The network install is 1.3meg as it sits on my drive here.

The file is named "j2re-1_4_2_06-windows-i586-p-iftw.exe", and it comes from:

• http://java.sun.com/j2se/1.4.2/download.html
• Click on "Download J2SE JRE"
• Accept the license agreement
• Pick "Windows Installation, Multi-language"

Okay, it may be time to mess with the coffee cup.

When you get a chance, do the right_click, then pick "about" and check the version number. Let's start from there and see what you're working with before we come up with a plan of attack.

__________________
~ Mark
'96 4Runner Limited S/C MI - 370cc injectors, Air! horns, Airaid MIT, ATS A-arms, 285/75/R16 BFG MTs, Bored TB, Brembo slotted, Cobra 75 WXST, Deckplate, Downey headers, Hayden cooler, IPT valve body, Level 10 torque convertor, Meanstreak exhaust, OME/OME rears, On-board PC (XM, Nav, WiFi, etc), Port 'n Polish, Remote Start, SAW fronts, Hilux console, SMT-5, Stubb's sliders, Supra MAF, TJM-17, 2.0" pulley, Viair 450c, Walbro 190, Weasy2k cams

GRNTACO

Here is my IE at work

Dear Customer,

The Browser Security Test is finished. Please find the results below:

High Risk Vulnerabilities 2
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0


WTF!!!!


High Risk Vulnerabilities
Sun Java Plugin Arbitrary Package Access Vulnerability (idef20041123)
Description
Java Plugin allows web browsers to run Java applets. Java plugin may be used by Internet Explorer, Mozilla (and Mozilla-base browsers, such as Firefox), Opera and other browsers.

When a browser opens a web page that contains a Java applet the browser automatically downloads the applet and runs it locally. To protect the user from malicious applets all the applets run in so called "sandbox". The sandbox restricts what an applet can do. For example, the sandbox will not allow an applet to open local files or start programs.

This bug in Sun Java Plugin allows a web site to bypass the sandbox and execute Java code that the sandbox will normally not allow and possibly gain control over the client computer.

Technical Details
Sun Java Virtual Machine contains sun.* packages that are only supposed to be used internally, by the virtual machine itself. Some private classes allow direct access to memory or modifying private fields of Java objects. If an applet attempts to load one of those packages a security exception is thrown. If an applet could load those classes it could turn off Java Security Manager and break out of Java sandbox.

JavaScript can access properties and methods of Java applets embedded on the page. It is possible to load a private package from JavaScript as shown in the code below:


var c=document.applets[0].getClass().forName('sun.text.Utility');
alert('got Class object: '+c)
Java Reflection API allows objects to examine their own structure (for example, find out the class of the object or the available methods). Reflection API defines getClass() function that returns the object's class. forName method of Class object loads the named class. The same operation done from the Java applet instead of JavaScript would fail.

Recommendations
Upgrade Java Environment to version 1.4.2_06 or later. It can be downloaded from http://java.sun.com/j2se/1.4.2/download.html

Additional Information

Jouko Pynnonen. Sun Java Plugin arbitrary package access vulnerability

Internet Explorer Modal Dialog Argument Caching Cross-Domain Scripting Vulnerability (jel20040607)
Description
This bug allows a malicious web page to execute any programs on your computer. A malicious hacker can take complete control over your computer using this bug. The bug can be exploited by a web page you browse or HTML email mesage you open.

This bug was discovered "in the wild" and is used by malicious web sites to install adware on visitors' computers.

Technical Details
This cross-domain scripting vulnerability allows executing JavaScript code in the context of any domain. Combined with other Internet Explorer vulnerabilities it allows executing code in Local Computer security zone, leading to installation and execution of arbitrary programs.

First a malicious page creates an IFRAME pointing that redirects to a page in the target domain (or Local Computer zone). Then a modal dialog is created and the reference to the IFRAME is passed to the dialog in dialogArguments parameter of showModalDialog function.

The modal dialog caches the reference to the IFRAME and waits until IFRAME's domain changes due to the redirect. Then the dialog page closes itself and returns the cached reference.

The original page receives the window reference from the modal dialog and changes the location of this window to a javascript: URL. The JavaScript code gets executed in the context of the domain to which the IFRAME was redirected.

Recommendations
We recommend using Windows Update to correct this problem.

Additional Information

Rafel Ivgi, The-Insider. 180 Solutions Exploits and Toolbars Hacking Patched Users. NTBugTraq Posting.
Jelmer. Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
Microsoft Security Bulletin MS04-025

__________________
Ben

midiwall

It should happen automagically. The additional steps for IE come from MS having their own Java VM.

Are you getting the coffee cup in the systray after when you're on the test site? If so, then you're running Sun's JRE..

If you never get the coffee cup, then: (ewarnerusa you may want to look here as well):

• Start Button
• Programs
• Java Web Start
• Java Web Start
• File | Preferences | General
• Make sure Proxies = None
• Click Java
• Note that the 1.4.2_06 version is listed, and it should be "enabled". If not, select "enabled", then "OK". It's okay if something else is there as well.
• (the coffee cup should also be up in the systray)
• Right_Click on coffee cup
• Pick "Open Control Panel"
• Pick "Browser"
• Select all of them
• Click Apply (you may get an error for NS and Moz)
• Close the console

Give that a shot.

__________________
~ Mark
'96 4Runner Limited S/C MI - 370cc injectors, Air! horns, Airaid MIT, ATS A-arms, 285/75/R16 BFG MTs, Bored TB, Brembo slotted, Cobra 75 WXST, Deckplate, Downey headers, Hayden cooler, IPT valve body, Level 10 torque convertor, Meanstreak exhaust, OME/OME rears, On-board PC (XM, Nav, WiFi, etc), Port 'n Polish, Remote Start, SAW fronts, Hilux console, SMT-5, Stubb's sliders, Supra MAF, TJM-17, 2.0" pulley, Viair 450c, Walbro 190, Weasy2k cams

ewarnerusa

yeah, i definitely downloaded the top two downloads when you click that link. The "SDK" ones. When I get home I guess I can try the smaller JRE only one and see if it takes. Thanks for the help!

EDIT: should I uninstall the java's first before trying again?

__________________
Pics - 2003 Toyota Tacoma Xtracab TRD 4x4 Imperial Jade

ewarnerusa

I definitely get coffee cups. the cup comes up during the test, I believe, too.

__________________
Pics - 2003 Toyota Tacoma Xtracab TRD 4x4 Imperial Jade

midiwall

Sorry, I think I confused the situation. What I meant is that you may want to look in the console as well to be sure that "Internet Explorer" is checked in the JRE.

And... it wouldn't hurt to uninstall the SDK before installing the JRE. It's more of a "just to be sure" type thing, but it will also save you a bunch of disk space.


Good luck!

__________________
~ Mark
'96 4Runner Limited S/C MI - 370cc injectors, Air! horns, Airaid MIT, ATS A-arms, 285/75/R16 BFG MTs, Bored TB, Brembo slotted, Cobra 75 WXST, Deckplate, Downey headers, Hayden cooler, IPT valve body, Level 10 torque convertor, Meanstreak exhaust, OME/OME rears, On-board PC (XM, Nav, WiFi, etc), Port 'n Polish, Remote Start, SAW fronts, Hilux console, SMT-5, Stubb's sliders, Supra MAF, TJM-17, 2.0" pulley, Viair 450c, Walbro 190, Weasy2k cams

ewarnerusa

MIDIWALL
I'm all set now, I installed the JRE file this time and reran the test with 0-0-0 results. Thanks for the help. My sys tray coffee cup is blue now instead of white.

__________________
Pics - 2003 Toyota Tacoma Xtracab TRD 4x4 Imperial Jade

GRNTACO

My Laptop

Firefox

Dear Customer,

The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

IE6

Dear Customer,

The Browser Security Test is finished. Please find the results below:

High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

__________________
Ben

midiwall

Right on!


Ben, it looks like you're set as well. Cool!

__________________
~ Mark
'96 4Runner Limited S/C MI - 370cc injectors, Air! horns, Airaid MIT, ATS A-arms, 285/75/R16 BFG MTs, Bored TB, Brembo slotted, Cobra 75 WXST, Deckplate, Downey headers, Hayden cooler, IPT valve body, Level 10 torque convertor, Meanstreak exhaust, OME/OME rears, On-board PC (XM, Nav, WiFi, etc), Port 'n Polish, Remote Start, SAW fronts, Hilux console, SMT-5, Stubb's sliders, Supra MAF, TJM-17, 2.0" pulley, Viair 450c, Walbro 190, Weasy2k cams

CynicX

high - 0
medium - 0
low - 0

I had a java problem i took care off....

__________________
06 Subaru WRX