[692] in linux-security and linux-alert archive
[linux-alert] Yet Another Java Hole.
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Thu May 2 14:46:59 1996
Date: Thu, 2 May 1996 12:50:11 -0400
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: linux-alert@tarsier.cv.nrao.edu, linux-security@tarsier.cv.nrao.edu
Reply-To: linux-security@tarsier.cv.nrao.edu
Not Linux-specific, but there are enough Linuxers running Web browsers
to make this a potential threat to a large number of Linux systems.
--Up.
------- start of forwarded message (RFC 934 encapsulation) -------
Excerpted from RISKS 18.08.
- ------------
Date: Sun, 28 Apr 1996 03:42:49 +0000 (BST)
>From: David Hopwood <david.hopwood@lady-margaret-hall.oxford.ac.uk>
Subject: Another way to run native code from Java applets
In addition to the security bug found by Drew Dean, Ed Felten and Dan
Wallach in March, there is another way to run native code from a Java
applet, which will require a separate fix to the current versions of
Netscape (2.01 and Atlas PR2) and Sun's Java Development Kit (1.01).
Both this attack and the previous one rely on an applet being able to create
an instance of the same security-sensitive class, but each does so using an
independent hole in the bytecode verifier.
Once an applet is able to run native code, it can read, write, and execute
any local file, with the permissions of the browser. These attacks do not
require any additional preconditions, other than viewing the attacker's web
page with Java enabled. They can be done without the user's knowledge.
Summary of Java bugs found so far
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date Found by Fixed in Effects
- --------- ------ ---------- -------
Oct 30 95 DFW not fixed Various - see
in HotJava ftp://ftp.cs.princeton.edu/reports/1995/501.ps.Z
Feb 18 96 DFW/SG 1.01/2.01 Applets can exploit DNS spoofing to
connect to machines behind firewalls
Buffer overflow bug in javap
Mar 2 96 DH 1.01/2.01 win32/MacOS: Applets can run native code
UNIX: Ditto, provided certain files can
be created on the client
Mar 22 96 DFW not fixed Applets can run native code
Mar 22 96 EW not fixed If host names are unregistered, applets may be
able to connect to them
Apr 27 96 DH not fixed Applets can run native code
There was also a separate bug in beta versions of Netscape 2.0 which, in
hindsight, would have allowed applets to run native code.
[DFW = Drew Dean, Ed Felten, Dan Wallach
http://www.cs.princeton.edu/sip/News.html
SG = Steve Gibbons
http://www.aztech.net/~steve/java/
DH = David Hopwood
http://ferret.lmh.ox.ac.uk/~david/java/
EW = Eric Williams
http://www.sky.net/~williams/java/javasec.html
Dates indicate when the problem was first posted to RISKS, except for
Eric Williams' bug, which has not been posted.]
For bugs in Javascript, see John LoVerso's page
http://www.osf.org/~loverso/javascript/
These include the ability to list any local directory (apparently fixed
in Atlas PR2), and a new version of the real-time history tracker.
Additional information on the March 2nd absolute pathname bug is now
available from
http://ferret.lmh.ox.ac.uk/~david/java/
Recommended actions
~~~~~~~~~~~~~~~~~~~
Netscape (2.0beta*, 2.0, 2.01):
Disable Java (on all platforms except Windows 3.1x), and if possible
Javascript, using the Security Preferences dialogue in the Options menu.
Note that the section on security in the Netscape release notes is not
up-to-date.
Netscape (Atlas PR1, PR2):
As above, except that the options to disable Java and Javascript have
moved to the Languages tab in the Network Preferences dialogue.
Appletviewer (JDK beta*, 1.0, 1.01):
Do not use appletviewer to load applets from untrusted hosts.
HotJava (alpha*):
Sun no longer supports HotJava alpha, and does not not intend to fix
any of its security holes until a beta version is released.
David Hopwood david.hopwood@lmh.ox.ac.uk
------- end -------
