        NASIRC BULLETIN B-96-24         June 10, 1996
                   JAVA Class Loader Hole Recently Discovered
         ===========================================================
            NASA Automated Systems Incident Response Capability
               __    __      __      ___   ___  ____     ____
              /_/\  /_/|    /_/\    / _/\ /_/| / __/ \  / __/\
              | |\ \| ||   /  \ \   | /\/ | || | /\ \/  | | \/
              | ||\ \ ||  / /\ \ \   \ \  | || |_\/ /\  | |
              | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
              |_|/  \_|//_/    \_\/ \/__/ |_|/ |_| \_\/ \___\/
          Serving NASA and the International Aerospace Communities
         ===========================================================
         This bulletin reports a recently announced security vulner-
         ability.    It   may   contain   a   workaround or software
         patch.  Bulletins should be considered urgent  as  vulnera-
         bility information is likely to be widely known by the time
         a patch is issued or other solutions are developed.
         ===========================================================
        NASIRC has recently received new information about another attack
        method using the class loader of Java.  This attack enables
        execution of native machine instructions with Java capable
        browsers.  This discovery expands the scope of vulnerable systems
        initially identified for Netscape Version 2.02 browsers, reported
        in NASIRC Bulletin B-96-11-C.
PROBLEM DESCRIPTION
        Attacks on the class loader allow an applet to run native code in
        current Java implementations.  Native code is machine-specific
        instructions executed directly by the processor, so it is not
        subject to the checks the Java runtime applies to bytecode; the
        delivered applet can therefore do anything the browser process
        can do.  This is not a theoretical exposure: an attack was
        successful in deleting files.  An exploit has been written for
        Appletviewer and HotJava; versions for Netscape and Oracle
        PowerBrowser are also possible, although more difficult.
SYSTEMS AFFECTED
        The native code vulnerability applies to currently available Java
        capable browsers.
        The following systems are known to be vulnerable to the new
        attack:
  • Netscape up to and including Versions 2.02 and 3.0beta4
    (except Windows 3.x).
  • Oracle PowerBrowser for Win32.
  • HotJava 1.0 beta.
  • "appletviewer" from Java Development Kit, up to and
    including Version 1.0.2.

RECOMMENDED ACTION
        NASIRC reiterates its recommendation to use all Internet browsers
        with all Java and JavaScript features disabled.  If the host is a
        known, trusted site, then a safer approach is to enable Java or
        JavaScript only after the initial page is displayed and then use
        the "reload" option to invoke Java or JavaScript.  Before leaving
        a trusted page, the Java and JavaScript features should again be
        disabled.  Note that an applet's "codebase" may point to a host
        other than the one serving the page, so trust in the page's host
        does not by itself determine where the applet's classes are
        loaded from.
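        The workflow above depends on knowing whether a page actually
        carries Java or JavaScript before those features are switched on.
        The following is an added example, not part of the NASIRC bulletin:
        a small Python scanner that lists the tags in an HTML document
        that would cause a Java-capable browser to run code (applet,
        Java object/embed, script).  The sample page is constructed for
        the example; the tag and attribute names checked are those of
        the HTML applet and script elements of the period.

```python
"""Scan an HTML page for active content (Java applets, JavaScript) so an
operator can decide whether to enable Java for it.  Added example; the
sample page below is constructed and not taken from the bulletin."""
from html.parser import HTMLParser

# Constructed sample page containing every kind of active content checked.
SAMPLE_HTML = """
<html><head><title>Trusted site</title>
<script language="JavaScript">document.write("hi")</script>
</head><body>
<applet code="Demo.class" codebase="http://example.test/applets" width=100 height=50></applet>
<object classid="java:Other.class" width=10 height=10></object>
<embed type="application/x-java-applet" code="Third.class">
<img src="logo.gif">
</body></html>
"""

# MIME type prefix used for Java applets delivered via <object>/<embed>.
JAVA_MIME = "application/x-java"


class ActiveContentScanner(HTMLParser):
    """Collects tags that make a Java-capable browser execute code.

    Each finding is a (kind, tag, source) tuple, where kind is "java" or
    "javascript" and source is the class, classid, type or src attribute
    that best identifies where the code comes from.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None
        # for valueless attributes, hence the "or ''" guards.
        a = dict(attrs)
        if tag == "applet":
            self.findings.append(("java", tag, a.get("code") or ""))
        elif tag == "object":
            classid = (a.get("classid") or "")
            ctype = (a.get("type") or "")
            if classid.lower().startswith("java:") or ctype.lower().startswith(JAVA_MIME):
                self.findings.append(("java", tag, classid or ctype))
        elif tag == "embed":
            ctype = (a.get("type") or "").lower()
            if ctype.startswith(JAVA_MIME):
                self.findings.append(("java", tag, a.get("code") or ""))
        elif tag == "script":
            src = a.get("src") or a.get("language") or ""
            self.findings.append(("javascript", tag, src))


def scan_html(html):
    """Return the list of active-content findings for an HTML document."""
    parser = ActiveContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def needs_java(html):
    """True if enabling Java would change how this page behaves."""
    return any(kind == "java" for kind, _, _ in scan_html(html))


if __name__ == "__main__":
    for kind, tag, source in scan_html(SAMPLE_HTML):
        print(f"{kind:10s} <{tag}> {source}")
    print("page needs Java:", needs_java(SAMPLE_HTML))
```

        Run against a saved copy of a page (for example via
        scan_html(open("page.html").read())); a page with no "java"
        findings can be viewed with Java left disabled.  The scanner
        only reports what a static page declares, so content that is
        written by a script at load time is not seen.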
Technical Paper about Java Security
        Drew Dean, Edward Felten, and Dan Wallach, Department of Computer
        Science, Princeton University, have written a paper, "Java
        Security: From HotJava to Netscape and Beyond," presented at the
        IEEE Symposium on Security and Privacy in Oakland, California, on
        May 6-8, 1996.
        The paper gives a technical description of the weaknesses in the
        security mechanisms on which Java is built.  It can be obtained
        from the following site:
                http://www.cs.princeton.edu/sip/pub/secure96.html
        The conclusion is as follows:
                "6. Conclusion
                 Java is an interesting new programming language
                 designed to support the safe execution of applets
                 on Web pages. We and others have demonstrated an
                 array of attacks that allow the security of both
                 HotJava and Netscape to be compromised. While many
                 of the specific flaws have been patched, the
                 overall structure of the systems leads us to believe
                 that flaws will continue to be found. The absence of
                 a well-defined, formal security policy prevents the
                 verification of an implementation.
                 We conclude that the Java system in its current form
                 cannot easily be made secure. Significant redesign of
                 the language, the bytecode format, and the runtime
                 system appear to be necessary steps toward building a
                 higher-assurance system. Without a formal basis,
                 statements about a system's security cannot be
                 definitive.
                 The presence of flaws in Java does not imply that
                 competing systems are more secure. We conjecture that
                 if the same level of scrutiny had been
                 applied to competing systems, the results would have
                 been similar.  Execution of remotely-loaded code is
                 a relatively new phenomenon, and more work is required
                 to make it safe."
        =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
        ACKNOWLEDGMENTS: Fred Blonder of NASIRC for identifying
                        this information, Alan Coopersmith of UC Berkeley
                        for submitting this to
                        best-of-security@suburbia.net, and David Hopwood
                        of Oxford University, England, for maintaining a
                        Web site of Netscape vulnerability information.
                        Drew Dean, Edward Felten, and Dan Wallach,
                        Department of Computer Science, Princeton
                        University, for publishing "Java Security: From
                        HotJava to Netscape and Beyond."
                BULLETIN AUTHOR: Jordan Gottlieb
        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
        This advisory may be forwarded without restriction.  Persons
        within the NASA community or operating in support of a NASA
        contract may contact NASIRC with any questions about this
        advisory.
            Telephone: 1-800-7-NASIRC (1-800-762-7472) FAX: 1-301-441-1853
            International: +1-301-441-4398         STU III: 1-301-982-5480
            Internet E-Mail: nasirc@nasa.gov
            24-Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
            WWW: http://nasirc.nasa.gov/NASIRC_home.html
            FTP: nasirc.nasa.gov, login "anonymous"
        Anyone requiring assistance or wishing to report a security
        incident but not operating in support of NASA may contact the
        Forum of Incident Response and Security Teams (FIRST), an
        international organization of incident response teams, to
        determine the appropriate team.  A list of FIRST member
        organizations and their constituencies may be obtained by
        sending E-mail to "docserver@first.org" with an empty "subject"
        line and a message body containing the line "send first-contacts"
        or via WWW at  http://www.first.org/  .
