[18688] in bugtraq


Re: Windows Media Player 7 and IE java vulnerability - executing

daemon@ATHENA.MIT.EDU (TAKAGI, Hiromitsu)
Thu Jan 18 15:00:22 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Message-Id:  <20010118205919.F1AC.TAKAGI@etl.go.jp>
Date:         Thu, 18 Jan 2001 22:36:07 +0900
Reply-To: "TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>
From: "TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3A6320E2.A47FE44D@guninski.com>

On Mon, 15 Jan 2001 18:10:10 +0200
Georgi Guninski <guninski@GUNINSKI.COM> wrote:
> There is a security vulnerability in Windows Media Player 7
> exploitable thru IE and java which allows reading local files and
> browsing directories which in turn allows executing arbitrary
> programs. This may lead to taking full control over user's computer.

> <APPLET CODEBASE="file://c:/" ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz"
> CODE="gjavacodebase.class" WIDTH=700 HEIGHT=300>

I think it does not allow execution of arbitrary programs.

My understanding is that a Java applet launched with a file: codebase will
be executed under the sandbox security restrictions.  So this
vulnerability allows only reading of local files, but not writing to
files or executing external programs.

http://java.sun.com/sfaq/#diff
| What is the difference between applets loaded over the net and applets
| loaded via the file system?
|   :
| Java-enabled browsers use the applet class loader to load applets
| specified with file: URLs. So, the restrictions and protections that
| accrue from the class loader and its associated security manager are
| now in effect for applets loaded via file: URLs.


--
Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/
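The thread turns on one attribute of the quoted markup: an APPLET tag whose CODEBASE is a file: URL. As an added example that is not part of the original post or the Sun FAQ, the following Python scanner parses HTML and flags applets whose codebase scheme is file:, which is the condition a defender would want to detect in saved pages or proxy logs regardless of which side of the sandbox question is right. The sample markup is constructed from the tag quoted above plus a second, ordinary http: applet for contrast; the attribute handling and the scheme check are the only logic, and nothing here executes or fetches anything.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: the first tag is the APPLET markup quoted in the thread,
# the second is an ordinary network-loaded applet added for contrast.
SAMPLE_HTML = """<html><body>
<APPLET CODEBASE="file://c:/" ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz"
CODE="gjavacodebase.class" WIDTH=700 HEIGHT=300></APPLET>
<applet codebase="http://example.invalid/applets/" code="Demo.class"></applet>
</body></html>"""


class AppletCodebaseScanner(HTMLParser):
    """Records every <applet> start tag together with the scheme of its CODEBASE."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their original case.
        if tag != "applet":
            return
        attr = {name: (value or "") for name, value in attrs}
        codebase = attr.get("codebase", "")
        # A missing CODEBASE yields an empty scheme, which is treated as "not local".
        scheme = urlsplit(codebase).scheme.lower()
        self.findings.append({
            "code": attr.get("code", ""),
            "archive": attr.get("archive", ""),
            "codebase": codebase,
            "scheme": scheme,
            "local_codebase": scheme == "file",
        })


def scan_applets(html):
    """Return one finding dict per <applet> tag in the given HTML text."""
    parser = AppletCodebaseScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def local_codebase_applets(html):
    """Return only the applets whose CODEBASE points at the local file system."""
    return [f for f in scan_applets(html) if f["local_codebase"]]


if __name__ == "__main__":
    for finding in scan_applets(SAMPLE_HTML):
        flag = "LOCAL" if finding["local_codebase"] else "net"
        print(f"[{flag}] code={finding['code']!r} codebase={finding['codebase']!r}")
```

The scheme comparison is deliberately case-insensitive and tolerant of an absent CODEBASE, because real pages vary in both; anything reported as LOCAL is the pattern under discussion, and what such an applet may then do is exactly the sandbox question the message above raises.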
