Although the researchers found the underlying flaw in every browser implementation of the JVM they examined, the attack is exploitable only in Netscape Navigator's fourth-generation software, according to the researchers.
The leader of the Princeton team and other experts said an Internet programmer could mount a "type confusion" attack on an unsuspecting user by deploying an attack applet to disable Navigator 4.x's security manager and then override the definition of system types, the built-in type definitions that govern how objects in a Java program may be used.
This would allow a hostile party to do "whatever it likes on the victim's machine," read a report (see Resources) from the Secure Internet Programming (SIP) team at Princeton, which has already tested its own demo of the bug.
"The applet gets the JVM confused about which type a particular object is supposed to have," said Professor Edward Felten, the team's leader. "This lets the applet perform illegal type-casting operations, thus breaking the type system." He added that this process is enabled by a subtle flaw in Java's dynamic linking mechanism.
"The rest of the exploit uses techniques we don't discuss publicly in detail, since we think they're too useful to bad guys," he commented. Asked whether he could release a sample of the attack applet, Felten replied he could do so only to those who would promise not to publish it.
Other Internet security experts confirmed the viability of the new hole, which relies on a multi-phase attack strategy.
The work at Princeton builds upon research by Dr. Mark LaDue, a security specialist at GTE based in Irving, TX. Earlier this year, LaDue created a set of hostile applets that can undermine security in the major browsers. One of these can create Java class loaders, providing a staging area in which the new Princeton attack can take place.
"The secondary flaw is surely the ability of applets to create AppletClassLoaders," said LaDue, who is also the independent producer of the Hostile Applets home page (see Resources). "The new applet surely loads its choice of classes in some unexpected fashion and thereby fools Netscape's JVM."
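The check that a confused JVM fails to enforce can be shown with a small, added example (written for this page; it is not code from the Princeton team, from LaDue's hostile applets, or from Netscape, and it contains no part of the undisclosed exploit). In Java a runtime type is identified by its name together with the class loader that defined it, so the same class file defined by two loaders yields two distinct types, and a correct JVM must reject a cast between them. The names LoaderTypeDemo, IsolatingLoader and Secret are invented for the demonstration; it assumes Java 9 or later (for InputStream.readAllBytes) and is run with `javac LoaderTypeDemo.java && java LoaderTypeDemo`.

```java
import java.io.IOException;
import java.io.InputStream;

public class LoaderTypeDemo {

    // A class with private state that a type-confusion attack would aim to expose.
    public static class Secret {
        private final String value = "private data";

        public String describe() {
            return "Secret defined by " + getClass().getClassLoader();
        }
    }

    // A loader that defines Secret itself instead of delegating to its parent,
    // so the JVM ends up with two runtime types that share one name.
    static class IsolatingLoader extends ClassLoader {
        IsolatingLoader(ClassLoader parent) {
            super(parent);
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(Secret.class.getName())) {
                return super.loadClass(name, resolve);   // everything else: normal delegation
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] bytes = readClassBytes(name);   // same bytes as the original Secret
                    c = defineClass(name, bytes, 0, bytes.length);
                }
                if (resolve) {
                    resolveClass(c);
                }
                return c;
            }
        }

        private byte[] readClassBytes(String name) throws ClassNotFoundException {
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(path)) {
                if (in == null) {
                    throw new ClassNotFoundException(name);
                }
                return in.readAllBytes();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader appLoader = LoaderTypeDemo.class.getClassLoader();
        Class<?> twin = new IsolatingLoader(appLoader).loadClass(Secret.class.getName());
        Object o = twin.getDeclaredConstructor().newInstance();

        System.out.println("same name:  " + twin.getName().equals(Secret.class.getName()));
        System.out.println("same type:  " + (twin == Secret.class));
        System.out.println("works via its own type: " + twin.getMethod("describe").invoke(o));

        try {
            // The checkcast the JVM must refuse: same name, different defining loader.
            Secret s = (Secret) o;
            System.out.println("BUG: cast accepted, type system broken: " + s.describe());
        } catch (ClassCastException e) {
            System.out.println("checkcast rejected: " + e.getMessage());
        }
    }
}
```

On a correct JVM the last line reports a ClassCastException whose message names the same class twice with different loaders. An implementation whose dynamic linking resolved the cast by name alone would take the "BUG" branch instead, and from that point the applet could read or write fields of the confused object as if they had another layout, which is the starting point the article describes for defeating the security manager.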
Another leading security analyst confirmed the seriousness of the new multi-phase breach. "The LaDue bug is definitely no big deal, but coupled with the problem found at Princeton it is a very big deal, indeed," said Dr. Gary McGraw, a research scientist at Reliable Software Technologies, in Sterling, VA. "The [Princeton] attack applet ... can do anything at all on a target machine: install a virus, delete files, et cetera. This is classic type confusion."
McGraw, co-author with Felten of the forthcoming Securing Java: Getting Down to Business with Mobile Code (John Wiley & Sons), added that the hole is "as critical as any ever discovered in Java."