New Java Security Flaw Found

From: Gary McGraw (gemat_private)
Date: Fri Jul 17 1998 - 14:08:40 PDT

    Hello all,
    
    Princeton's Safe Internet Programming Team recently announced the
    discovery of a serious Java security hole that can be leveraged into
    an attack applet.  Their description follows:
    ------------------------------------------------------------------------
    We have found another Java security flaw that allows a malicious applet
    to disable all security controls in Netscape Navigator 4.0x.  After
    disabling the security controls, the applet can do whatever it likes on
    the victim's machine, including arbitrarily reading, modifying, or
    deleting files.  We have implemented a demonstration applet that deletes
    a file.
    
    This flaw, like several previous ones, is in the implementation of the
    "ClassLoader" mechanism that handles dynamic linking in Java.  Despite
    changes in the ClassLoader implementation in JDK 1.1 and again in JDK
    1.2 beta, ClassLoaders are still not safe; a malicious ClassLoader can
    still override the definition of built-in "system" types like
    java.lang.Class.  Under some circumstances, this can lead to a
    subversion of Java's type system and thus a security breach.
    
    The flaw is not directly exploitable unless the attacker can use some
    other secondary flaw to gain a foothold.  Netscape 4.0x has such a
    secondary flaw (a security manager bug found by Mark LaDue), so we were
    able to demonstrate how to subvert Netscape's security controls.  We are
    not aware of any usable secondary flaws in Microsoft's and Sun's current
    Java implementations, so they appear not to be vulnerable to our attack
    at present.
    
    Please direct any inquiries to Edward Felten at (609) 258-5906 or
    feltenat_private
    
    Dirk Balfanz, Drew Dean, Edward Felten, and Dan Wallach
    Secure Internet Programming Lab
    Department of Computer Science
    Princeton University
    http://www.cs.princeton.edu/sip
    ------------------------------------------------------------------------
    In other news, Felten and I are preparing a revised edition of our
    Java security book.  The new book, out in the Fall, will be called
    Securing Java: Getting down to business with mobile code.  The
    publisher is Wiley.  The book clearly explains the JDK 1.2 security
    model, with an eye towards deploying mobile code as securely as
    possible.
    
    gem
    
    Gary McGraw, Ph.D.
    Reliable Software Technologies
    gemat_private
    http://www.rstcorp.com/java-security.html
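The announcement above turns on one point: a ClassLoader supplied by untrusted code must never be allowed to supply its own definition of a built-in type such as java.lang.Class, because the VM's type checks assume there is exactly one such class. The following is an added example, not code from the post, from Princeton's team, or from any browser vendor. It assumes a current JDK (8 or later) and demonstrates the two defensive checks the standard java.lang.ClassLoader applies today: defineClass refuses any name in the java.* namespace from a non-bootstrap loader, and parent-first loadClass delegation resolves java.lang.Class to the bootstrap copy rather than to anything the custom loader holds.

```java
// Added example (not part of the original post). Demonstrates why an
// untrusted ClassLoader cannot shadow java.lang.Class on a current JDK.
// Assumptions: JDK 8+; behaviour shown is that of java.lang.ClassLoader's
// defineClass name check and parent-first loadClass delegation.
import java.nio.charset.StandardCharsets;

public class ClassLoaderGuardDemo {

    /** A loader that, like the malicious one described in the announcement,
     *  tries to define a class under a name it does not own.  Its parent is
     *  null, i.e. it delegates to the bootstrap loader for anything it does
     *  not define itself. */
    static final class ShadowingLoader extends ClassLoader {
        ShadowingLoader() { super(null); }

        /** Attempt to define a class from the given bytes under the given
         *  name.  Returns the defined Class, or the Throwable the VM raised. */
        Object tryDefine(String name, byte[] bytes) {
            try {
                return defineClass(name, bytes, 0, bytes.length);
            } catch (SecurityException e) {
                return e;  // name check: "Prohibited package name: java.lang"
            } catch (LinkageError e) {
                return e;  // class file check, e.g. ClassFormatError
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ShadowingLoader loader = new ShadowingLoader();
        // Constructed dummy bytes; the java.* name check fires before the
        // bytes are ever parsed, so their content does not matter here.
        byte[] junk = "not a class file".getBytes(StandardCharsets.US_ASCII);

        // 1. Any name under java.* is refused outright by a user-defined loader.
        Object r1 = loader.tryDefine("java.lang.Class", junk);
        System.out.println("define java.lang.Class -> " + r1);

        // 2. Outside java.*, the name check passes and the bytes are then
        //    verified, so the same junk is rejected by the class file parser.
        Object r2 = loader.tryDefine("evil.Shadow", junk);
        System.out.println("define evil.Shadow     -> " + r2);

        // 3. Parent-first delegation: asking this loader for java.lang.Class
        //    yields the bootstrap definition, the one Class object the VM uses.
        Class<?> resolved = loader.loadClass("java.lang.Class");
        System.out.println("loadClass java.lang.Class is bootstrap's: "
                + (resolved == Class.class));
        // A null defining loader means the bootstrap loader.
        System.out.println("defining loader: " + resolved.getClassLoader());
    }
}
```

Run it with `javac ClassLoaderGuardDemo.java && java ClassLoaderGuardDemo`. Step 1 prints a SecurityException for the prohibited package name, step 2 a ClassFormatError, and step 3 `true` followed by `null`. Together these are the checks that close the avenue the announcement describes: the name check stops a loader from minting a second java.lang.Class, and delegation ensures that every reference to that name resolves to the single bootstrap definition the type system relies on.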
    