
CIAC Notes 96-01 on Java and JavaScript (forwarded excerpt)



For the record and FYI, here's what CIAC has to say about Java and
JavaScript vulnerabilities and Netscape 2.01.  (I'm not a spokesperson
for CIAC, so contact them or see http://ciac.llnl.gov/ for the full and
official version.)

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Opinions expressed are not necessarily those of my employer.
--------------------------------------------------------------------------

| Date: Mon, 18 Mar 1996 18:02:47 -0800 (PST)
| From: fisher@bill.llnl.gov (John M. Fisher)
| Subject: CIAC Notes 96-01
| 
| 
| CIAC is sending this addition of CIAC Notes to the CIAC Bulletins list
| because of the high demand for information on Java and JavaScript
| vulnerabilities.
| 
|            ___  __ __    _     ___           __  __ __   __   __
|           /       |     /_\   /       |\ |  /  \   |    |_   /_
|           \___  __|__  /   \  \___    | \|  \__/   |    |__  __/
| 
| Number 96-01                                              March 18, 1996
| 
...
| 
| Please send your comments and feedback to ciac@llnl.gov.
| 
|   $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
|   $ Reference to any specific commercial product does not necessarily   $
|   $ constitute or imply its endorsement, recommendation or favoring by  $
|   $ CIAC, the University of California, or the United States Government.$
|   $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
| 
| =========================================================================
| 1)  Java and JavaScript Vulnerabilities
| =========================================================================
| 
| By John Fisher
| 
| Introduction
| ------------
| 
| Over the past several weeks, a variety of reports have surfaced
| regarding security problems with Java and JavaScript. Java was
| developed by Sun Microsystems Incorporated, and JavaScript was
| developed by Netscape Incorporated. Java is available directly from
| Sun through the Java Development Kit. Both Java and JavaScript are
| supported with Netscape Navigator 2.0. Although similar in name, and
| in some ways similar in syntax, these two languages are vastly
| different in their usage. Accordingly, the security problems that have
| been reported are completely separate as well. This article maps out
| what problems have been reported and discusses the availability of
| solutions.
| 
| Java applications communicate easily across a network environment,
| particularly the Internet. Although not initially intended for this
| environment, Java became a natural mechanism for enhancing the
| usability and functionality of the World-Wide Web. With Java
| "applets," a Web site can provide functionality for its visitors that
| is not available with HTML code.
| 
| Java can be used in a variety of different capacities. A standard Java
| application can work stand-alone, providing functionality similar to
| other programming languages (i.e., file input/output, graphical
| interfaces, etc). When a Java application is made available on a Web
| site (via an HTML Web page), it is in the form of a Java applet. An
| applet is given definite restrictions on its capabilities. For
| example, a Java applet can not write files to a Web visitor's local
| disk drive, or contact an Internet site besides the server it was
| downloaded from. Java was supported with Netscape's Navigator 2.0,
| released in February.
| 
| JavaScript is also supported in Navigator 2.0. Originally named
| LiveScript, JavaScript code is placed directly in the text of an HTML
| document (as opposed to being referenced in the HTML, similar to how
| an image would be included, like Java does). For browsers that don't
| understand JavaScript, JavaScript code simply seems to be a comment in
| the HTML code. For Navigator 2.0, a JavaScript program can provide
| additional functionality for the Web page that can't be provided with
| just HTML. While JavaScript provides increased functionality, it is
| syntactically simpler and less powerful than Java.
| 
| Both Java and JavaScript have been developed with security in
| mind. Both were developed with considerable emphasis on preventing a
| Web site from gaining unintended access to a Web user's system or
| from performing actions on behalf of the Web user without the user's
| knowledge.
| 
| Unfortunately, as is common with new technologies, unanticipated
| security concerns have come to light. The next section addresses the
| latest security concerns for Java and the section following addresses
| security issues for JavaScript.
| 
| Java Problems
| -------------
| The security problems reported about Java exist both in Netscape's
| Navigator 2.0 and in the Java Development Kit 1.0 from Sun
| Microsystems. Solutions to both problems are provided below.
| 
| DNS Attack
| 
| In January, three students at Princeton University (Drew Dean, Ed
| Felten, and Dan Wallach) discovered a way to use Java to exploit a
| well-known Domain Name Service (DNS) vulnerability.
| 
| Note that this is not a vulnerability with Java, per se. It is really
| a vulnerability with DNS that Java does not check for.
| 
| DNS servers provide a means for translating between host names and IP
| addresses. For example, if a computer on the Internet were to initiate
| a connection to the machine ciac.llnl.gov, the local DNS server for
| that machine will resolve the host name as representing the IP address
| 128.115.19.53.
| 
| Java applets running under Sun's appletviewer or Netscape's Navigator
| 2.0 are only allowed to connect to the host from which they
| originated. To allow an applet to connect to other hosts would be
| dangerous, as the applet would be acting on behalf of the user who
| downloaded the applet. Imagine downloading an applet from a Web site,
| only to find that the applet sent mail to another system, acting as
| you. What's worse, without this restriction, a Java applet would have
| all the access capabilities your machine does, including accessing
| hosts behind a firewall.
| 
| The problem occurs because Java does not completely verify that the
| information provided by the DNS server is accurate. Thus, if one can
| corrupt the DNS server, it is possible to trick a Java applet into
| accessing an arbitrary host. The potential for corrupting the
| information in DNS servers is a known problem. See, for example, CIAC
| Bulletin G-14, Domain Name Services Vulnerabilities.
| 
| CLASSPATH Attack
| 
| In February, David Hopwood of Oxford University made public another
| security problem with Java related to the loading of local class
| libraries.
| 
| Java provides a class loading capability which allows a Java applet
| to load a class either from the host it originated from or from the
| user's local system. Java applets residing on the user's local system
| are allowed special capabilities such as reading and writing files or
| executing processes. Either of these tasks can cause serious security
| problems if not used properly. But, for large Java applets connecting
| to recognized hosts, the additional functionality provided by placing
| class libraries on a local system may be warranted.
| 
| Ordinarily, an applet is restricted to loading applets from the
| directories specified in the environment variable CLASSPATH. However,
| Hopwood discovered a way to load class libraries from any readable
| directory on a user's system. This means that by placing a malicious
| class file and a dynamic library on the user's system, an attacker can
| open that system to attack.
| 
| JavaScript Problems
| -------------------
| 
| Several different security problems have been identified with
| JavaScript as well. Some of these vulnerabilities existed only in the
| public beta distributions made available by Netscape Navigator
| 2.0. Others still were present in the final release. The various
| problems reported include the following:
| 
| (1) Reading a user's URL history list and transmitting it to a remote
| site.
| 
| (2) Reading a user's disk cache (containing URLs recently acquired by
| the Web browser) and sending the information to the Web server.
| 
| (3) Stealing the e-mail address of the Web user and forging an e-mail
| message with it.
| 
| (4) Obtaining a recursive listing of local disk directories.
| 
| (5) Logging all URL accesses made by a Web browser and transmitting
| the information to a remote system. 
| 
| Problems (1) and (2) were fixed in the final release of Netscape
| Navigator 2.0. The other problems were fixed in the latest release,
| described below.
| 
| Solutions
| ---------
| 
| Netscape solution
| 
| In late February, Netscape made a patch available to solve the DNS
| server problem.
| 
| On March 14, Netscape released Navigator 2.01, which fixed all of the
| vulnerabilities described above. It can be found at:
| 
|      http://home.netscape.com
| 
| Sun Microsystems solution
| 
| On March 15, Sun released Java Development Kit 1.0.1, which fixed all
| of the vulnerabilities described above. It can be found at:
| 
|     http://java.sun.com
| 
...
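As an added example (not part of the CIAC bulletin or the forwarded mail), this Python sketch models the applet origin check that the "DNS Attack" section describes: a name-based check that trusts whatever DNS answers at connect time, beside a check that pins the address the applet was actually fetched from and refuses any answer that widens it. The host names, addresses and both resolver tables are constructed so the code runs offline.

```python
from dataclasses import dataclass
from typing import Dict, List

# A resolver is simulated as a name -> address-list table (constructed data,
# documentation address ranges) so the policy can be exercised offline.
Resolver = Dict[str, List[str]]

HONEST_DNS: Resolver = {
    "applets.example.net": ["198.51.100.10"],   # host serving the applet
    "intranet.example.org": ["192.0.2.25"],     # host the applet must not reach
}
# Answer from a corrupted server: the origin name now also carries the
# protected host's address, which a name-based check will happily accept.
CORRUPTED_DNS: Resolver = {
    "applets.example.net": ["198.51.100.10", "192.0.2.25"],
    "intranet.example.org": ["192.0.2.25"],
}


def name_based_allow(origin_name: str, target_name: str, dns: Resolver) -> bool:
    """Weak policy: re-resolve both names at connect time and allow the
    connection if they share any address. Whatever DNS says is trusted."""
    return bool(set(dns.get(origin_name, [])) & set(dns.get(target_name, [])))


@dataclass(frozen=True)
class PinnedOrigin:
    """Name and address recorded when the applet's class bytes were fetched."""
    name: str
    address: str


def pin_origin(origin_name: str, dns: Resolver) -> PinnedOrigin:
    """Resolve once, at download time, and remember the address the bytes
    actually came over; later DNS answers cannot change it."""
    addresses = dns.get(origin_name)
    if not addresses:
        raise LookupError(f"no address for {origin_name}")
    return PinnedOrigin(origin_name, addresses[0])


def pinned_allow(origin: PinnedOrigin, target_name: str, dns: Resolver) -> bool:
    """Hardened policy: every address the target resolves to must equal the
    pinned address. A widened or empty answer fails closed."""
    addresses = dns.get(target_name, [])
    return bool(addresses) and all(a == origin.address for a in addresses)
```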