[1936] in WWW Security List Archive
Java/Netscape security holes: hole du jour and summary
daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Tue Apr 30 21:00:15 1996
From: Prentiss Riddle <riddle@is.rice.edu>
To: www-security@ns2.rutgers.edu
Date: Tue, 30 Apr 1996 10:31:42 -0500 (CDT)
Errors-To: owner-www-security@ns2.rutgers.edu
Forwarded from RISKS Digest 18.08.
Note that Netscape Navigator 3.0b is out now, with no indication that
Java holes found in 2.01 have been closed in 3.0b. See:
http://www.mcom.com/comprod/products/navigator/version_3.0/index.html
http://home.netscape.com/eng/mozilla/3.0/relnotes/unix-3.0b3.html
-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Home office: 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
--------------------------------------------------------------------------
| Date: Sun, 28 Apr 1996 03:42:49 +0000 (BST)
| From: David Hopwood <david.hopwood@lady-margaret-hall.oxford.ac.uk>
| Subject: Another way to run native code from Java applets
|
| In addition to the security bug found by Drew Dean, Ed Felten and Dan
| Wallach in March, there is another way to run native code from a Java
| applet, which will require a separate fix to the current versions of
| Netscape (2.01 and Atlas PR2) and Sun's Java Development Kit (1.01).
|
| Both this attack and the previous one rely on an applet being able to create
| an instance of the same security-sensitive class, but each does so using an
| independent hole in the bytecode verifier.
|
| Once an applet is able to run native code, it can read, write, and execute
| any local file, with the permissions of the browser. These attacks do not
| require any additional preconditions, other than viewing the attacker's web
| page with Java enabled. They can be done without the user's knowledge.
|
| Summary of Java bugs found so far
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Date       Found by  Fixed in    Effects
| ---------  --------  ----------  -------
| Oct 30 95  DFW       not fixed   Various - see
|                      in HotJava  ftp://ftp.cs.princeton.edu/reports/1995/501.ps.Z
| Feb 18 96  DFW/SG    1.01/2.01   Applets can exploit DNS spoofing to
|                                  connect to machines behind firewalls
|                                  Buffer overflow bug in javap
| Mar  2 96  DH        1.01/2.01   win32/MacOS: Applets can run native code
|                                  UNIX: Ditto, provided certain files can
|                                  be created on the client
| Mar 22 96  DFW       not fixed   Applets can run native code
| Mar 22 96  EW        not fixed   If host names are unregistered, applets may be
|                                  able to connect to them
| Apr 27 96  DH        not fixed   Applets can run native code
|
| There was also a separate bug in beta versions of Netscape 2.0 which, in
| hindsight, would have allowed applets to run native code.
|
| [DFW = Drew Dean, Ed Felten, Dan Wallach
| http://www.cs.princeton.edu/sip/News.html
| SG = Steve Gibbons
| http://www.aztech.net/~steve/java/
| DH = David Hopwood
| http://ferret.lmh.ox.ac.uk/~david/java/
| EW = Eric Williams
| http://www.sky.net/~williams/java/javasec.html
|
| Dates indicate when the problem was first posted to RISKS, except for
| Eric Williams' bug, which has not been posted.]
|
| For bugs in Javascript, see John LoVerso's page
| http://www.osf.org/~loverso/javascript/
| These include the ability to list any local directory (apparently fixed
| in Atlas PR2), and a new version of the real-time history tracker.
|
| Additional information on the March 2nd absolute pathname bug is now
| available from
| http://ferret.lmh.ox.ac.uk/~david/java/
|
| Recommended actions
| ~~~~~~~~~~~~~~~~~~
| Netscape (2.0beta*, 2.0, 2.01):
| Disable Java (on all platforms except Windows 3.1x), and if possible
| Javascript, using the Security Preferences dialogue in the Options menu.
| Note that the section on security in the Netscape release notes is not
| up-to-date.
|
| Netscape (Atlas PR1, PR2):
| As above, except that the options to disable Java and Javascript have
| moved to the Languages tab in the Network Preferences dialogue.
|
| Appletviewer (JDK beta*, 1.0, 1.01):
| Do not use appletviewer to load applets from untrusted hosts.
|
| HotJava (alpha*):
| Sun no longer supports HotJava alpha, and does not intend to fix
| any of its security holes until a beta version is released.
|
| David Hopwood david.hopwood@lmh.ox.ac.uk