Re: New Java Security Flaw Found

From: Sean Garagan (garaganat_private)
Date: Mon Jul 20 1998 - 18:25:58 PDT

    Hi all,
    
    I thought this when I first read this report, but I then realized that the
    report is a bit poorly written.  It describes a bug in Netscape's Java
    implementation that allows an attacker to take advantage of the ClassLoader
    class in java.lang.  The problem with ClassLoader is that when a program
    extends ClassLoader, it has no built-in protection for the core Java
    classes.  The Java team assumes that when you make your own ClassLoader, you
    will add checks to see if a class is in java.* and load the local copy using
    findSystemClass().  This also means that you can replace the core Java
    classes by putting your own in the classpath before the actual ones, so if
    your application allows you to specify the classpath, you can do whatever
    you want.
    
    I was actually quite surprised to see this when I wrote a ClassLoader a
    while ago.  I had wrongly assumed Sun would hard code checks for the core
    Java classes.  It looks like Sun relies on proper security implementations
    to prevent the ClassLoader from being replaced.
    
    Sean
    
    On Sat, Jul 18, 1998 at 04:49:25PM -0500, Greg Alexander wrote:
    > Is it appropriate to call a java implementation-related security hole a java
    > hole?  That'd be like calling a bug in pine a bug in internet e-mail.
    >
    > On Fri, 17 Jul 1998, Gary McGraw wrote:
    >
    > > Hello all,
    > >
    > > Princeton's Safe Internet Programming Team recently announced the
    > > discovery of a serious Java security hole that can be leveraged into
    > > an attack applet.  Their description follows:
    > > ------------------------------------------------------------------------
    > > We have found another Java security flaw that allows a malicious applet
    > > to disable all security controls in Netscape Navigator 4.0x.  After
    > > disabling the security controls, the applet can do whatever it likes on
    > > the victim's machine, including arbitrarily reading, modifying, or
    > > deleting files.  We have implemented a demonstration applet that deletes
    > > a file.
    > <clip>
    >
    > Greg Alexander - also <galexandat_private> - http://sietch.home.ml.org/
    > ----
    > Any sufficiently advanced bug is indistinguishable from a feature.
    >                 -- Rich Kulawiec
    > Any sufficiently advanced feature is indistinguishable from a bug.
    >                 -- Greg's corollary
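
The check described in the message above, as an added example that is not part of the original post and is not Sun's or Netscape's code: a custom ClassLoader that routes core package names to findSystemClass() and never defines them from untrusted bytes. The class name PluginClassLoader, the "plugins" directory and the prefix list are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical loader for classes stored in an untrusted directory.
public class PluginClassLoader extends ClassLoader {
    // Assumed list of packages that must only come from the trusted system copy.
    private static final String[] CORE_PREFIXES = { "java.", "javax.", "sun." };
    private final Path root; // directory holding untrusted .class files

    public PluginClassLoader(Path root) {
        this.root = root.toAbsolutePath().normalize();
    }

    private static boolean isCore(String name) {
        for (String p : CORE_PREFIXES) if (name.startsWith(p)) return true;
        return false;
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            if (c == null) {
                // The check left to the subclass author: core names go to
                // findSystemClass() and never fall through to findClass().
                c = isCore(name) ? findSystemClass(name) : findClass(name);
            }
            if (resolve) resolveClass(c);
            return c;
        }
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        Path file = root.resolve(name.replace('.', '/') + ".class").normalize();
        // Refuse names that would resolve outside the plugin directory.
        if (!file.startsWith(root)) throw new ClassNotFoundException(name);
        try {
            byte[] b = Files.readAllBytes(file);
            return defineClass(name, b, 0, b.length);
        } catch (IOException e) {
            throw new ClassNotFoundException(name, e);
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = new PluginClassLoader(Paths.get("plugins"));
        // Compares the loaded core class with the system copy.
        System.out.println(cl.loadClass("java.lang.String") == String.class);
    }
}
```

The prefix check only protects classes loaded through this loader; it does not address the second point in the message, where the classpath itself is reordered so that the system lookup finds a replaced copy first.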
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:06:37 PDT