Java security update: recent beta browser bugs



Reposted from RISKS Digest 18.32.  Please contact the original author
with questions or comments.

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Opinions expressed are not necessarily those of my employer.

-------------------------- Forwarded Message --------------------------


Date: Mon, 12 Aug 1996 20:29:06 -0400
From: Ed Felten <felten@CS.Princeton.EDU>
Subject: Java security update

We have found two Java security bugs recently, one in Microsoft Internet
Explorer 3.0beta3 and one in Netscape Navigator 3.0beta5.  Both bugs were
serious, allowing a malicious applet to gain at least full read/write access
to the victim's files.  Both bugs are fixed in current releases of the
browsers.

The Netscape bug was caused by incorrect handling of type definitions in the
Java internals.  Java uses special predefined names for its array types;
these special names are bound to the correct array types on demand.  We
discovered that under certain circumstances an applet could define a class
that had one of these special names.  The system detected this and threw an
exception, but the malicious definition was mistakenly left in one of the
system's internal tables.  The result was that an applet could redefine one
of Java's array types.  This was sufficient to break Java's type system and
hence to circumvent Java's security mechanisms.

The Microsoft bug allowed an applet to become a member of a
security-critical Java package (module) whose membership was supposed to be
limited to Java classes that are built into the browser.  Code belonging to
one of these packages can set certain security-critical variables such as
the access control lists that say which files the applet is allowed to read
and write.  An applet could exploit this bug to obtain full file system and
network access, among other things.

For more details, see http://www.cs.princeton.edu/sip/News.htm or contact
Ed Felten (felten@cs.princeton.edu, 609-258-5906).

Dirk Balfanz, Drew Dean, and Ed Felten, Safe Internet Programming Group,
Department of Computer Science, Princeton University

  [The "current release" of the Microsoft Internet Explorer is the one
  that was available at midnight PDT at the end of Monday evening (i.e.,
  3AM EDT Tuesday 13 Aug).  RISKS suggests that serious users of either
  browser pick up the new versions, and that people who consider themselves
  only casual users get more serious.  PGN]
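
The Microsoft bug described above turns on a property of Java that the post
only sketches: a class belongs to whatever package its class file declares,
and package-private members are visible to every class in that package.  So
a package whose members hold security-critical state is only protected if
the class loader refuses to define untrusted classes under that package's
name.  The following is an added illustration of that loader-side check; it
is not code from the original post, from Princeton, or from either browser,
and the package names "browser.security." and "browser.security.Evil" are
made up for the example.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Class loader for untrusted applet code that refuses to define any class
 * whose name would place it in a package reserved for the browser's
 * built-in classes.  Because package membership is decided by the name a
 * class declares, package-private fields in a trusted package are only as
 * safe as this check.
 */
public final class AppletClassLoader extends ClassLoader {

    // Package prefixes reserved for built-in code.  Illustrative names; the
    // post does not identify the real browser packages.
    private static final String[] RESTRICTED_PREFIXES = {
        "java.", "sun.", "browser.security."
    };

    // Class files the applet delivered over the network (constructed here).
    private final Map<String, byte[]> downloaded;

    AppletClassLoader(Map<String, byte[]> downloaded) {
        super(AppletClassLoader.class.getClassLoader());
        this.downloaded = downloaded;
    }

    /** True if a class with this name would land in a reserved package. */
    static boolean isRestricted(String className) {
        for (String prefix : RESTRICTED_PREFIXES) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        // The check must precede defineClass: once defined, the class already
        // has package-private access to everything else in that package.
        if (isRestricted(name)) {
            throw new SecurityException("untrusted code may not define " + name);
        }
        byte[] bytes = downloaded.get(name);
        if (bytes == null) {
            throw new ClassNotFoundException(name);
        }
        return defineClass(name, bytes, 0, bytes.length);
    }

    public static void main(String[] args) {
        Map<String, byte[]> fromNetwork = new HashMap<>();
        // Contents are irrelevant: the name alone is enough to reject it.
        fromNetwork.put("browser.security.Evil", new byte[0]);

        AppletClassLoader loader = new AppletClassLoader(fromNetwork);
        try {
            loader.loadClass("browser.security.Evil");
            System.out.println("FAIL: applet class joined a reserved package");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        } catch (ClassNotFoundException e) {
            System.out.println("not found: " + e.getMessage());
        }
    }
}
```

Two later JDK mechanisms close the same hole more generally: every
ClassLoader refuses to define a class whose name starts with "java."
(a SecurityException, "Prohibited package name"), and a JAR sealed with
"Sealed: true" in its manifest makes the JVM reject a class that claims a
package already populated from a different JAR.  Neither existed in the
1996 browsers the post discusses.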