First bug bites Java 1.2 -- Mozilla stung

Flaw could allow a hostile party to do 'whatever it likes on the victim's machine'

The latest version of Java has its first serious security hole. Last week, a team at Princeton University revealed a new security flaw in Java virtual machines, including the VM in the pre-release version of the JDK 1.2, that breaks type safety. The new breach could let a hacker access a Web user's hard disk and modify or delete files at will.

Although the attack found all implementations of the JVM in browsers vulnerable, it is exploitable only in Netscape Navigator's fourth-generation software, according to the researchers.

The leader of the Princeton team and other experts said an Internet programmer could employ a "type confusion" attack on an unsuspecting user by deploying an attack applet to disable Navigator 4.x's security manager and then override the definition of system types, the fundamental, predefined descriptions of how object-based software runs.

This would allow a hostile party to do "whatever it likes on the victim's machine," read a report (see Resources) from the Secure Internet Programming (SIP) team at Princeton, which has already tested its own demo of the bug.

"The applet gets the JVM confused about which type a particular object is supposed to have," said Professor Edward Felten, the team's leader. "This lets the applet perform illegal type-casting operations, thus breaking the type system." He added that this process is enabled by a subtle flaw in Java's dynamic linking mechanism.

"The rest of the exploit uses techniques we don't discuss publicly in detail, since we think they're too useful to bad guys," he commented. Asked whether he could release a sample of the attack applet, Felten replied he could do so only to those who would promise not to publish it.

Building a bigger bug

Other Internet security experts confirmed the viability of the new hole, which takes advantage of a multi-phase attack strategy.

The work at Princeton builds upon research by Dr. Mark LaDue, a security specialist at GTE based in Irving, TX. Earlier this year, LaDue created a set of hostile applets that can hamper security in the major browsers. One of these can create Java class loaders, providing a staging area in which the new Princeton attack can take place.

"The secondary flaw is surely the ability of applets to create AppletClassLoaders," said LaDue, who is also the independent producer of the Hostile Applets home page (see Resources). "The new applet surely loads its choice of classes in some unexpected fashion and thereby fools Netscape's JVM."

Another leading security analyst confirmed the seriousness of the new multi-phase breach. "The LaDue bug is definitely no big deal, but coupled with the problem found at Princeton it is a very big deal, indeed," said Dr. Gary McGraw, a research scientist at Reliable Software Technologies, in Sterling, VA. "The [Princeton] attack applet ... can do anything at all on a target machine: install a virus, delete files, et cetera. This is classic type confusion."

McGraw, co-author with Felten of the forthcoming Securing Java: Getting Down to Business with Mobile Code (John Wiley & Sons), added that the hole is "as critical as any ever discovered in Java."

According to Felten, the fundamental logic is as follows: "Every class loader defines a name space for classes. If an applet can define class loaders, then it has a lot of freedom to set up strange name spaces and make those inconsistent with each other, [which] makes the name spaces overlap in complicated ways. All of this can get the JVM confused about which name space it is currently in, what name a given class has in the current name space, and so on."

"The JDK 1.1 class loader specification fixed some problems that were found in 1.0, but more problems remained. In other words, in JDK 1.1 anybody who could make a class loader could break the type system. JDK 1.2 class loaders were supposed to be safe; that is, it was supposed to be impossible to break the type system even if you could make a class loader. But the flaw we found shows that class loaders are unsafe, at least in Navigator 4.0x and the current beta of JDK 1.2."
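Felten's point that every class loader defines its own name space can be seen on a standard JVM, which identifies a runtime type by its name together with its defining loader and refuses a cast between two copies of the same class defined by different loaders. The following is an added example written for this page, not code from the Princeton team or from any browser; the class names are hypothetical, and it assumes Java 9 or later.

```java
import java.io.InputStream;

// Added illustration: the same class bytes defined by two different loaders
// become two distinct runtime types, and the JVM rejects a cast between them.
// Class names here are hypothetical, not taken from the Princeton report.
public class LoaderNamespaces {

    // A trivial class whose bytes will be defined twice.
    public static class Payload {
        public int value = 42;
    }

    // A loader that defines Payload itself instead of delegating to its parent,
    // so each loader instance owns a separate name space for that class.
    static class IsolatingLoader extends ClassLoader {
        private final byte[] bytes;

        IsolatingLoader(byte[] bytes) {
            super(LoaderNamespaces.class.getClassLoader());
            this.bytes = bytes;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(Payload.class.getName())) {
                return super.loadClass(name, resolve); // everything else: normal delegation
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) c = defineClass(name, bytes, 0, bytes.length);
                if (resolve) resolveClass(c);
                return c;
            }
        }
    }

    static byte[] readClassBytes(Class<?> c) throws Exception {
        String path = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(path)) {
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = readClassBytes(Payload.class);
        Class<?> a = new IsolatingLoader(bytes).loadClass(Payload.class.getName());
        Class<?> b = new IsolatingLoader(bytes).loadClass(Payload.class.getName());
        System.out.println("same name: " + a.getName().equals(b.getName()) + ", same type: " + (a == b));
        Object fromA = a.getDeclaredConstructor().newInstance();
        try {
            b.cast(fromA);
            System.out.println("cross-loader cast accepted (type identity lost)");
        } catch (ClassCastException e) {
            System.out.println("cross-loader cast rejected: " + e.getMessage());
        }
    }
}
```

Running it prints that the two classes share a name but are not the same type, and that the cast is rejected; the type-confusion bug described above is precisely the case where a JVM lets such a cross-name-space cast through.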

Attack in three phases

McGraw said there are actually three flaws needed for the attack against Navigator:

  • LaDue's subclassing of netscape.applet.AppletClassLoader (harmless by itself, but here it can be used as a staging area)

  • The fact that system classes are not looked for first, so that they can be replaced

  • The core bug in the JVM, which leads to a type safety problem

Internet Explorer and the JDK also have the flaw, but it's not exploitable, because they prevent untrusted code from making class loaders, said Felten. "Still, we think this is a bug that should be fixed in both."

Felten noted that he relayed his findings to Netscape well before publishing them. The Web software company is in the process of upgrading its latest browser offering through an open source-code process (the so-called Mozilla project).

On July 17, the New York Times reported that the Princeton hole had been plugged in the latest Navigator preview, based on word from Netscape. However, LaDue said that his portion of the overall attack is still viable. "I've just taken a look at Communicator 4.50 PR1, and the holes still exist there," he said, which would leave open the possibility of further type-confusion exploits in the future.

As of this writing, a spokesperson for Netscape Communications had not responded to a request for comment, and an official at Sun Microsystems had declined a response.

Kieron Murphy is the editorial manager of EarthWeb's developer.com and a freelance journalist. In addition to his work for JavaWorld, he previously has written for such publications as The Java Report, SunWorld, and IEEE Potentials.

Learn more about this topic

  • See the Princeton University Secure Internet Programming (SIP) report of the July 1998 Java security flaw http://www.cs.princeton.edu/sip/History.html
  • This Hostile Applets report examines the security holes found in Netscape's fourth-generation browser software http://www.rstcorp.com/hostile-applets/Com4Applets.html
  • Edward Felten's "More Java woes" report in The Risks Digest, Volume 19, Issue 86, July 16, 1998 http://catless.ncl.ac.uk/Risks/19.86.html#subj3
  • See what the New York Times has to offer on SIP's findings http://www.nytimes.com/library/tech/98/07/cyber/articles/17netscape.html
  • Drew Dean's "The Security of Static Typing with Dynamic Linking" in the Fourth ACM Conference on Computer and Communications Security offers insight into a potential security hazard http://www.cs.princeton.edu/sip/pub/ccs4.html
  • Netscape Communicator 4.5 Preview Release 1 http://home.netscape.com/download/prev.html
  • mozilla.org http://www.mozilla.org/
  • For questions regarding Java and security, your first destination should be Dr. Gary McGraw's Security Hotlist, which is broken down into easily navigable categories http://www.rstcorp.com/javasecurity/links.html
  • Keep an eye out for McGraw and Felten's upcoming Securing Java: Getting Down to Business with Mobile Code (John Wiley & Sons) due out this fall