New Java Security Flaw Found


Date: Fri, 17 Jul 1998 17:08:40 -0400
From: Gary McGraw <gem@RSTCORP.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: New Java Security Flaw Found

Hello all,

Princeton's Safe Internet Programming Team recently announced the
discovery of a serious Java security hole that can be leveraged into
an attack applet.  Their description follows:
------------------------------------------------------------------------
We have found another Java security flaw that allows a malicious applet
to disable all security controls in Netscape Navigator 4.0x.  After
disabling the security controls, the applet can do whatever it likes on
the victim's machine, including arbitrarily reading, modifying, or
deleting files.  We have implemented a demonstration applet that deletes
a file.

This flaw, like several previous ones, is in the implementation of the
"ClassLoader" mechanism that handles dynamic linking in Java.  Despite
changes in the ClassLoader implementation in JDK 1.1 and again in JDK
1.2 beta, ClassLoaders are still not safe; a malicious ClassLoader can
still override the definition of built-in "system" types like
java.lang.Class.  Under some circumstances, this can lead to a
subversion of Java's type system and thus a security breach.

The flaw is not directly exploitable unless the attacker can use some
other secondary flaw to gain a foothold.  Netscape 4.0x has such a
secondary flaw (a security manager bug found by Mark LaDue), so we were
able to demonstrate how to subvert Netscape's security controls.  We are
not aware of any usable secondary flaws in Microsoft's and Sun's current
Java implementations, so they appear not to be vulnerable to our attack
at present.

Please direct any inquiries to Edward Felten at (609) 258-5906 or
felten@cs.princeton.edu.

Dirk Balfanz, Drew Dean, Edward Felten, and Dan Wallach
Secure Internet Programming Lab
Department of Computer Science
Princeton University
http://www.cs.princeton.edu/sip
------------------------------------------------------------------------
In other news, Felten and I are preparing a revised edition of our
Java security book.  The new book, out in the Fall, will be called
Securing Java: Getting down to business with mobile code.  The
publisher is Wiley.  The book clearly explains the JDK 1.2 security
model, with an eye towards deploying mobile code as securely as
possible.

gem

Gary McGraw, Ph.D.
Reliable Software Technologies
gem@rstcorp.com
http://www.rstcorp.com/java-security.html
