[2226] in WWW Security List Archive
YA Java security bug: Hopwood two-host attack (1 June 96)
daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Fri Jun 7 18:12:32 1996
From: Prentiss Riddle <riddle@is.rice.edu>
To: www-security@ns2.rutgers.edu
Date: Fri, 7 Jun 1996 15:05:30 -0500 (CDT)
Errors-To: owner-www-security@ns2.rutgers.edu
Forwarded from RISKS Digest 18.18.
-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-------------------------- Forwarded message --------------------------
Date: Sun, 2 Jun 1996 07:46:20 +0000 (BST)
From: David Hopwood <david.hopwood@lady-margaret-hall.oxford.ac.uk>
Subject: Another Java attack
There is another serious security bug in the class loading code for all
currently available Java browsers:

  Netscape up to versions 2.02 and 3.0beta4 (except Windows 3.x)
  Oracle PowerBrowser for Win32
  HotJava 1.0beta
  'appletviewer' from the Java Development Kit up to version 1.0.2

Sun, Netscape, and Oracle have been sent details of the problem (which is
partly related to the ClassLoader attack found by Drew Dean, et al. in
March). The attack works by exploiting a design flaw in the mechanism that
separates JVM classes into different namespaces.

Using this bug, an attacker can bypass all of Java's security restrictions.
This includes reading and writing files, and executing native code on the
client with the same permissions as the user of the browser.

The only way to avoid this problem at the moment is to disable Java. For
more details see

  http://ferret.lmh.ox.ac.uk/~david/java/bugs/

Technical details will be posted when Sun, Netscape, and Oracle release
patches.

David Hopwood david.hopwood@lmh.ox.ac.uk http://ferret.lmh.ox.ac.uk/~david/