
Java/Netscape security holes: hole du jour and summary
Forwarded from RISKS Digest 18.08.  

Note that Netscape Navigator 3.0b is out now, with no indication that
Java holes found in 2.01 have been closed in 3.0b.  See:

    http://www.mcom.com/comprod/products/navigator/version_3.0/index.htm
    http://home.netscape.com/eng/mozilla/3.0/relnotes/unix-3.0b3.htm

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Home office: 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
--------------------------------------------------------------------------

| Date: Sun, 28 Apr 1996 03:42:49 +0000 (BST)
| From: David Hopwood <david.hopwood@lady-margaret-hall.oxford.ac.uk>
| Subject: Another way to run native code from Java applets
| 
| In addition to the security bug found by Drew Dean, Ed Felten and Dan
| Wallach in March, there is another way to run native code from a Java
| applet, which will require a separate fix to the current versions of
| Netscape (2.01 and Atlas PR2) and Sun's Java Development Kit (1.01).
| 
| Both this attack and the previous one rely on an applet being able to create
| an instance of the same security-sensitive class, but each does so using an
| independent hole in the bytecode verifier.
| 
| Once an applet is able to run native code, it can read, write, and execute
| any local file, with the permissions of the browser.  These attacks do not
| require any additional preconditions, other than viewing the attacker's web
| page with Java enabled.  They can be done without the user's knowledge.
| 
| Summary of Java bugs found so far
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Date      Found by  Fixed in   Effects
| ---------  ------  ----------  -------
| Oct 30 95  DFW     not fixed   Various - see
|                    in HotJava  ftp://ftp.cs.princeton.edu/reports/1995/501.ps.Z
| Feb 18 96  DFW/SG  1.01/2.01   Applets can exploit DNS spoofing to
|                                connect to machines behind firewalls
|                                Buffer overflow bug in javap
| Mar  2 96  DH      1.01/2.01   win32/MacOS: Applets can run native code
|                                UNIX:        Ditto, provided certain files can
|                                             be created on the client
| Mar 22 96  DFW     not fixed   Applets can run native code
| Mar 22 96  EW      not fixed   If host names are unregistered, applets may be
|                                able to connect to them
| Apr 27 96  DH      not fixed   Applets can run native code
| 
| There was also a separate bug in beta versions of Netscape 2.0 which, in
| hindsight, would have allowed applets to run native code.
| 
| [DFW = Drew Dean, Ed Felten, Dan Wallach
|        http://www.cs.princeton.edu/sip/News.htm
|  SG =  Steve Gibbons
|        http://www.aztech.net/~steve/java/
|  DH =  David Hopwood
|        http://ferret.lmh.ox.ac.uk/~david/java/
|  EW =  Eric Williams
|        http://www.sky.net/~williams/java/javasec.htm
| 
|  Dates indicate when the problem was first posted to RISKS, except for
|  Eric Williams' bug, which has not been posted.]
| 
| For bugs in Javascript, see John LoVerso's page
|   http://www.osf.org/~loverso/javascript/
| These include the ability to list any local directory (apparently fixed
| in Atlas PR2), and a new version of the real-time history tracker.
| 
| Additional information on the March 2nd absolute pathname bug is now
| available from
|   http://ferret.lmh.ox.ac.uk/~david/java/
| 
| Recommended actions
| ~~~~~~~~~~~~~~~~~~
| Netscape (2.0beta*, 2.0, 2.01):
|   Disable Java (on all platforms except Windows 3.1x), and if possible
|   Javascript, using the Security Preferences dialogue in the Options menu.
|   Note that the section on security in the Netscape release notes is not
|   up-to-date.
| 
| Netscape (Atlas PR1, PR2):
|   As above, except that the options to disable Java and Javascript have
|   moved to the Languages tab in the Network Preferences dialogue.
| 
| Appletviewer (JDK beta*, 1.0, 1.01):
|   Do not use appletviewer to load applets from untrusted hosts.
| 
| HotJava (alpha*):
|   Sun no longer supports HotJava alpha, and does not intend to fix
|   any of its security holes until a beta version is released.
| 
| David Hopwood  david.hopwood@lmh.ox.ac.uk