Hi all,

I thought this when I first read this report, but I then realized that the report is a bit poorly written. It describes a bug in Netscape's Java implementation that allows an attacker to take advantage of the ClassLoader class in java.lang. The problem with ClassLoader is that when a program extends ClassLoader, it has no built-in protection for the core Java classes. The Java team assumes that when you make your own ClassLoader, you will add checks to see if a class is in java.* and load the local copy using findSystemClass(). This also means that you can replace the core Java classes by putting your own in the classpath before the actual ones, so if your application allows you to specify the classpath, you can do whatever you want.

I was actually quite surprised to see this when I wrote a ClassLoader a while ago. I had wrongly assumed Sun would hard-code checks for the core Java classes. It looks like Sun relies on proper security implementations to prevent the ClassLoader from being replaced.

Sean

On Sat, Jul 18, 1998 at 04:49:25PM -0500, Greg Alexander wrote:
> Is it appropriate to call a java implementation-related security hole a java
> hole? That'd be like calling a bug in pine a bug in internet e-mail.
>
> On Fri, 17 Jul 1998, Gary McGraw wrote:
>
> > Hello all,
> >
> > Princeton's Safe Internet Programming Team recently announced the
> > discovery of a serious Java security hole that can be leveraged into
> > an attack applet. Their description follows:
> > ------------------------------------------------------------------------
> > We have found another Java security flaw that allows a malicious applet
> > to disable all security controls in Netscape Navigator 4.0x. After
> > disabling the security controls, the applet can do whatever it likes on
> > the victim's machine, including arbitrarily reading, modifying, or
> > deleting files. We have implemented a demonstration applet that deletes
> > a file.
> <clip>
>
> Greg Alexander - also <galexandat_private> - http://sietch.home.ml.org/
> ----
> Any sufficiently advanced bug is indistinguishable from a feature.
>     -- Rich Kulawiec
> Any sufficiently advanced feature is indistinguishable from a bug.
>     -- Greg's corollary
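The guard Sean describes (send any java.* name to findSystemClass() before consulting the loader's own sources), written out as an added example; it is not code from the thread or from Netscape's implementation, and the bytecode map and the attempt to register something under the name java.lang.String are constructed for the demonstration:

```java
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;

/** Loads bytecode from an untrusted map but never lets it shadow a core java.* class. */
public class GuardedLoader extends ClassLoader {
    private final Map<String, byte[]> untrusted; // constructed: class name -> bytecode

    GuardedLoader(Map<String, byte[]> untrusted) {
        super(null); // no parent loader, so every request is decided by loadClass() below
        this.untrusted = untrusted;
    }

    @Override
    protected synchronized Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        Class<?> c = findLoadedClass(name);
        if (c == null) {
            if (name.startsWith("java.")) {
                // The check Sean describes: a core class is always taken from the system,
                // whatever the untrusted source offers under that name.
                c = findSystemClass(name);
            } else {
                byte[] code = untrusted.get(name);
                if (code == null) throw new ClassNotFoundException(name);
                c = defineClass(name, code, 0, code.length);
            }
        }
        if (resolve) resolveClass(c);
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: this class's own bytecode, registered under its real name and,
        // as a hostile source might do, under the name of a core class.
        byte[] bytes;
        try (InputStream in = GuardedLoader.class.getResourceAsStream("GuardedLoader.class")) {
            bytes = in.readAllBytes();
        }
        Map<String, byte[]> source = new HashMap<>();
        source.put("GuardedLoader", bytes);
        source.put("java.lang.String", bytes);
        GuardedLoader loader = new GuardedLoader(source);
        Class<?> s = loader.loadClass("java.lang.String");
        Class<?> g = loader.loadClass("GuardedLoader");
        System.out.println("java.lang.String came from the system: " + (s == String.class));
        System.out.println("GuardedLoader defined by this loader: " + (g.getClassLoader() == loader));
    }
}
```

Current JDKs also refuse defineClass() for java.* names with a SecurityException, so on them the explicit check is belt and braces; the thread's point is that the 1998 runtime left it entirely to the subclass.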
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:06:37 PDT