Hello all,

Princeton's Safe Internet Programming Team recently announced the discovery of a serious Java security hole that can be leveraged into an attack applet. Their description follows:

------------------------------------------------------------------------

We have found another Java security flaw that allows a malicious applet to disable all security controls in Netscape Navigator 4.0x. After disabling the security controls, the applet can do whatever it likes on the victim's machine, including arbitrarily reading, modifying, or deleting files. We have implemented a demonstration applet that deletes a file.

This flaw, like several previous ones, is in the implementation of the "ClassLoader" mechanism that handles dynamic linking in Java. Despite changes in the ClassLoader implementation in JDK 1.1 and again in JDK 1.2 beta, ClassLoaders are still not safe; a malicious ClassLoader can still override the definition of built-in "system" types like java.lang.Class. Under some circumstances, this can lead to a subversion of Java's type system and thus a security breach.

The flaw is not directly exploitable unless the attacker can use some other secondary flaw to gain a foothold. Netscape 4.0x has such a secondary flaw (a security manager bug found by Mark LaDue), so we were able to demonstrate how to subvert Netscape's security controls. We are not aware of any usable secondary flaws in Microsoft's and Sun's current Java implementations, so they appear not to be vulnerable to our attack at present.

Please direct any inquiries to Edward Felten at (609) 258-5906 or feltenat_private

Dirk Balfanz, Drew Dean, Edward Felten, and Dan Wallach
Secure Internet Programming Lab
Department of Computer Science
Princeton University
http://www.cs.princeton.edu/sip

------------------------------------------------------------------------

In other news, Felten and I are preparing a revised edition of our Java security book. The new book, out in the Fall, will be called Securing Java: Getting down to business with mobile code. The publisher is Wiley. The book clearly explains the JDK 1.2 security model, with an eye towards deploying mobile code as securely as possible.

gem

Gary McGraw, Ph.D.
Reliable Software Technologies
gemat_private
http://www.rstcorp.com/java-security.html
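The ClassLoader weakness described in the announcement is that a user-defined loader could supply its own definition of a java.* system type. As an added illustration (not code from the post or from the Princeton team), the probe below shows the check that later JDKs put in ClassLoader.defineClass() to refuse such names; the class name ProhibitedPackageProbe and the assumption that the name check runs before the class bytes are parsed are mine.

```java
/*
 * Hypothetical probe (not part of the original post): a custom ClassLoader
 * asks the JVM to define a class in the java.* namespace, the move the
 * announcement describes. JDK 1.2-era and later runtimes refuse this in
 * ClassLoader.defineClass() with SecurityException("Prohibited package name"),
 * so the probe reports whether the running JVM enforces that check.
 */
public class ProhibitedPackageProbe extends ClassLoader {

    // Assumption: the name check in defineClass() runs before the bytes are
    // parsed, so a constructed empty byte array is enough to reach it.
    public boolean defineIsRefused(String name) {
        byte[] bytes = new byte[0];  // constructed; never parsed when refused
        try {
            defineClass(name, bytes, 0, bytes.length);
            return false; // JVM accepted a definition in a system package
        } catch (SecurityException e) {
            return true;  // expected on hardened JVMs: "Prohibited package name"
        } catch (ClassFormatError e) {
            // The name passed the check and the (empty) bytes were parsed:
            // given valid bytes this loader could have defined the class.
            return false;
        }
    }

    public static void main(String[] args) {
        ProhibitedPackageProbe probe = new ProhibitedPackageProbe();
        // A system type must be refused; an ordinary name is a control case
        // that reaches the parser and therefore is not refused by name.
        System.out.println("java.lang.Class refused: "
                + probe.defineIsRefused("java.lang.Class"));
        System.out.println("com.example.Foo refused:  "
                + probe.defineIsRefused("com.example.Foo"));
    }
}
```

On a current JDK the first line prints true and the second false; a runtime that printed false for the system type would still accept the kind of override the announcement warns about.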
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:05:53 PDT