[6025] in java-interest
Announcing the 1.0.1 release of the Java Developers Kit
daemon@ATHENA.MIT.EDU (Rachel Gollub)
Fri Mar 15 22:57:36 1996
Date: Fri, 15 Mar 1996 16:45:33 -0800
Reply-To: Java Interest <JAVA-INTEREST@JAVASOFT.COM>
From: Rachel Gollub <rmg@DOPPIO.ENG.SUN.COM>
To: Multiple recipients of list JAVA-INTEREST
<JAVA-INTEREST@JAVASOFT.COM>

March 15, 1996
JavaSoft
Sun Microsystems, Inc.

The Java Developer's Kit, version 1.0.1 (JDK 1.0.1) is now available
for downloading from http://java.sun.com. This release includes
fixes for the DNS-related bug and the classloader bug.

Information on how to download JDK 1.0.1 is found on
http://java.sun.com/download.html. Solaris/SPARC and Win32 versions
are available today. These bug fixes will be in the next Macintosh
beta release, which will be released soon. The full JDK 1.0.1 source
release will be available next week.

The DNS-related bug exploited the fact that in JDK 1.0, if an
incorrect IP address is returned on a dynamic DNS hostname lookup
performed by the applet security manager, then the security policy
that an applet can only connect to the host that it came from could be
circumvented. The DNS-related bug was described by researchers at
Princeton (http://www.cs.princeton.edu/~ddean/java) and in a CERT
advisory issued on March 5, 1996
(ftp://cert.org/pub/cert_advisories/CA-96.05.java_applet_security_mgr).

The JDK 1.0.1 fix for the DNS-related bug is that the applet hostname
is looked up once via DNS, and from then on, the applet is allowed to
connect to only that numerical IP address. The implementation of the
fix includes rewriting the internal name/address cache to support the
fact that the internal code now uses the numerical IP address when it
tries to establish network connections. For more details on the fix,
refer to JDK 1.0.1 java.net.InetAddress and sun.applet.AppletSecurity.

The classloader bug exploits the fact that the class file verification
in JDK 1.0 was failing to reject class files that attempted to
reference absolute file names. The classloader performs checks on
class files loaded over the net, to verify that those class files
conform to the Java language constraints. The JDK 1.0 runtime was
failing to reject class files that had been tampered with to reference
a class name that begins with /. Ordinary operation of the javac
compiler will not create class files like this - these need to be
created by a malicious compiler, or by someone manually modifying a
.class file. Such class files should be rejected by the classloader,
since the class file should not be allowed to reference absolute path
names, but only path names relative to the application's CLASSPATH
environment variable. Note that in this context, 'application' refers
to the standalone application that incorporates a Java virtual
machine, such as the JDK appletviewer, or a Java-enabled web browser.

The classloader bug was described by David Hopwood,
http://sable.ox.ac.uk/~lady0065/java/bugs/tech.html.

The JDK 1.0.1 fix for the classloader bug is to check for and reject
any class files that attempt to reference absolute path names.

Refer to the applet security FAQ, http://java.sun.com/sfaq/, for more
information on what applets may and may not do. Also, refer to
http://java.sun.com/sfaq/verifier.html for more details on the lowest
levels of the Java security mechanisms.
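
The classloader check described above, sketched as an added example (not part of the original announcement and not JDK code): a Python scan of a class file's constant pool that reports any CONSTANT_Class name beginning with /. Applying the check to CONSTANT_Class entries is an assumption about where it belongs, and absolute_class_refs, sample_pool and the sample names are hypothetical.

```python
import struct

# Payload sizes for the fixed-width constant-pool tags of JDK 1.0-era class
# files; tag 1 (CONSTANT_Utf8) is variable length and handled separately.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4}

def absolute_class_refs(data: bytes) -> list:
    """Return the CONSTANT_Class names in the pool that begin with '/'."""
    try:
        magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
        if magic != 0xCAFEBABE:
            raise ValueError("not a class file")
        utf8, class_refs = {}, []
        pos, i = 10, 1                          # pool indices start at 1
        while i < count:
            tag = data[pos]
            pos += 1
            if tag == 1:                        # Utf8: u2 length, then bytes
                (n,) = struct.unpack_from(">H", data, pos)
                if pos + 2 + n > len(data):
                    raise ValueError("truncated constant pool")
                # Class files use modified UTF-8; plain UTF-8 is close enough
                # to test the first character.
                utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
                pos += 2 + n
            elif tag in FIXED:
                if tag == 7:                    # Class: u2 index of its name
                    class_refs.append(struct.unpack_from(">H", data, pos)[0])
                pos += FIXED[tag]
                if tag in (5, 6):               # Long/Double use two slots
                    i += 1
            else:
                raise ValueError(f"unknown constant tag {tag} at index {i}")
            i += 1
    except (IndexError, struct.error):
        raise ValueError("truncated constant pool") from None
    if any(idx not in utf8 for idx in class_refs):
        raise ValueError("CONSTANT_Class points at a non-Utf8 entry")
    return [utf8[idx] for idx in class_refs if utf8[idx].startswith("/")]

def sample_pool(*class_names):
    """Constructed input: a class-file header plus one Utf8/Class pair per name."""
    body = b""
    for k, name in enumerate(class_names):
        raw = name.encode()
        body += b"\x01" + struct.pack(">H", len(raw)) + raw   # pool index 2k+1
        body += b"\x07" + struct.pack(">H", 2 * k + 1)        # pool index 2k+2
    header = struct.pack(">IHHH", 0xCAFEBABE, 3, 45, 2 * len(class_names) + 1)
    return header + body
```

A loader applying this policy would refuse the class whenever the returned list is non-empty.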