The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


New Java Security Flaw Found


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Fri, 17 Jul 1998 17:08:40 -0400
From: Gary McGraw <[email protected]>
To: [email protected]
Subject: New Java Security Flaw Found

Hello all,

Princeton's Safe Internet Programming Team recently announced the
discovery of a serious Java security hole that can be leveraged into
an attack applet.  Their description follows:
------------------------------------------------------------------------
We have found another Java security flaw that allows a malicious applet
to disable all security controls in Netscape Navigator 4.0x.  After
disabling the security controls, the applet can do whatever it likes on
the victim's machine, including arbitrarily reading, modifying, or
deleting files.  We have implemented a demonstration applet that deletes
a file.

This flaw, like several previous ones, is in the implementation of the
"ClassLoader" mechanism that handles dynamic linking in Java.  Despite
changes in the ClassLoader implementation in JDK 1.1 and again in JDK
1.2 beta, ClassLoaders are still not safe; a malicous ClassLoader can
still override the definition of built-in "system" types like
java.lang.Class.  Under some circumstances, this can lead to a
subversion of Java's type system and thus a security breach.

The flaw is not directly exploitable unless the attacker can use some
other secondary flaw to gain a foothold.  Netscape 4.0x has such a
secondary flaw (a security manager bug found by Mark LaDue), so we were
able to demonstrate how to subvert Netscape's security controls.  We are
not aware of any usable secondary flaws in Microsoft's and Sun's current
Java implementations, so they appear not to be vulnerable to our attack
at present.

Please direct any inquiries to Edward Felten at (609) 258-5906 or
[email protected].

Dirk Balfanz, Drew Dean, Edward Felten, and Dan Wallach
Secure Internet Programming Lab
Department of Computer Science
Princeton University
http://www.cs.princeton.edu/sip
------------------------------------------------------------------------
In other news, Felten and I are preparing a revised edition of our
Java security book.  The new book, out in the Fall, will be called
Securing Java: Getting down to business with mobile code.  The
publisher is Wiley.  The book clearly explains the JDK 1.2 security
model, with an eye towards deploying mobile code as securely as
possible.

gem

Gary McGraw, Ph.D.
Reliable Software Technologies
[email protected]
http://www.rstcorp.com/java-security.html

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру