TUCoPS :: Web :: General :: javabug.txt

NASIRC BULLETIN B-96-24 June 10, 1996 - JAVA Class Loader Hole Recently Discovered

          NASIRC BULLETIN B-96-24         June 10, 1996

                     JAVA Class Loader Hole Recently Discovered
              NASA Automated Systems Incident Response Capability
                 __    __      __      ___   ___  ____     ____
                /_/\  /_/|    /_/\    / _/\ /_/| / __/ \  / __/\
                | |\ \| ||   /  \ \   | /\/ | || | /\ \/  | | \/
                | ||\ \ ||  / /\ \ \   \ \  | || |_\/ /\  | |
                | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
                |_|/  \_|//_/    \_\/ \/__/ |_|/ |_| \_\/ \___\/
            Serving NASA and the International Aerospace Communities

           This bulletin reports a recently announced security vulner-
           ability.    It   may   contain   a   workaround or software
           patch.  Bulletins should be considered urgent  as  vulnera-
           bility information is likely to be widely known by the time
           a patch is issued or other solutions are developed.


          NASIRC has recently received new information about another attack
          method using the class loader of Java.  This attack enables
          execution of native machine instructions with Java capable
          browsers.  This discovery expands the scope of vulnerable systems
          initially identified for Netscape Version 2.02 browsers, reported
          in NASIRC Bulletin B-96-11-C.


          Attacks on the class loader allow running native code in current
          Java implementations.  Running native code allows machine
          specific instructions to be executed by the delivered applet.
          This presents a problem since an attack was successful in
          deleting files.  An exploit has been written for Appletviewer and
          HotJava; versions for Netscape and Oracle PowerBrowser are also
          possible, although more difficult.


          The native code vulnerability applies to currently available Java
          capable browsers.

          The following systems are known to be vulnerable to the new

          *       Netscape up to and including Versions 2.02 and 3.0beta4
                  (except Windows 3.x).

          *       Oracle PowerBrowser for Win32.

          *       HotJava 1.0 beta.

          *       "appletviewer" from Java Development Kit, up to and
                  including Version 1.0.2.


          NASIRC reiterates its recommendation to use all Internet browsers
          with all Java and JavaScript features disabled.  If the known
          host is a trusted site, then enabling Java or JavaScript after
          the initial page is displayed and then using the "reload" option
          to invoke Java or JavaScript is a safer approach.  Before leaving
          a trusted page, the Java and JavaScript features should again be

  Technical Paper about Java Security

          Drew Dean, Edward Felten, and Dan Wallach, Department of Computer
          Science, Princeton University, have written a paper, "Java
          Security: From HotJava to Netscape and Beyond," presented at the
          IEEE Symposium on Security and Privacy on Oakland, California, on
          May 6-8, 1996.

          This paper gives a technical description of the weaknesses that
          exist in the security methods used to build Java and that can be
          obtained from the following site.


          The conclusion is as follows:

                  "6. Conclusion

                   Java is an interesting new programming language
                   designed to support the safe execution of applets
                   on Web pages. We and others have demonstrated an
                   array of attacks that allow the security of both
                   HotJava and Netscape to be compromised. While many
                   of the specific flaws have been patched, the
                   overall structure of the systems leads us to believe
                   that flaws will continue to be found. The absence of
                   a well-defined, formal security policy prevents the
                   verification of an implementation.

                   We conclude that the Java system in its current form
                   cannot easily be made secure. Significant redesign of
                   the language, the bytecode format, and the runtime
                   system appear to be necessary steps toward building a
                   higher-assurance system. Without a formal basis,
                   statements about a systems security cannot be

                   The presence of flaws in Java does not imply that
                   competing systems are more secure. We conjecture that
                   if the same level of scrutiny had been
                   applied to competing systems, the results would have
                   been similar.  Execution of remotely-loaded code is
                   a relatively new phenomenon, and more work is required
                   to make it safe."

                  ACKNOWLEDGMENTS: Fred Blonder of NASIRC for identifying
                          this information, Alan Coopersmith of UC Berkeley
                          for submitting this to
                          best-of-security@suburbia.net, and David Hopwood
                          of Oxford University, England, for maintaining a
                          Web site of Netscape vulnerability information.
                          Drew Dean, Edward Felten, and Dan Wallach,
                          Department of Computer Science, Princeton
                          University, for publishing "Java Security: From
                          HotJava to Netscape and Beyond."

                  BULLETIN AUTHOR: Jordan Gottlieb

          This advisory may be forwarded without restriction.  Persons
          within the NASA community or operating in support of a NASA
          contract may contact NASIRC with any questions about this

              Telephone: 1-800-7-NASIRC (1-800-762-7472) FAX: 1-301-441-1853
              International: +1-301-441-4398         STU III: 1-301-982-5480
              Internet E-Mail: nasirc@nasa.gov
              24-Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
              WWW: http://nasirc.nasa.gov/NASIRC_home.html
              FTP: nasirc.nasa.gov, login "anonymous"

          Anyone requiring assistance or wishing to report a security
          incident but not operating in support of NASA may contact the
          Forum of Incident Response and Security Teams (FIRST), an
          international organization of incident response teams, to
          determine the appropriate team.  A list of FIRST member
          organizations and their constituencies may be obtained by
          sending E-mail to "docserver@first.org" with an empty "subject"
          line and a message body containing the line "send first-contacts"
          or via WWW at  http://www.first.org/  .


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2023 AOH