__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
__________________________________________________________
INFORMATION BULLETIN
Java Applet Can Redirect Browser Traffic
[Sun Security Bulletin #00216]
[Microsoft Security Bulletin MS02-013]
March 5, 2002 19:00 GMT Number M-052
[Revised 6 March 2002]
______________________________________________________________________________
PROBLEM: A vulnerability exists in Java that may allow a malicious
applet to monitor requests from an HTTP proxy server.
PLATFORM: Netscape 6.1, 6.0.1, and 6.0 are affected since they include
an affected version of the Java Runtime Environment.
The default Java runtime environments of Netscape Communicator
version 4.79 and earlier are affected.
All builds of the Microsoft VM up to and including the build
3802. Microsoft VM runs atop Microsoft Windows 95, 98, ME,
NT 4.0, 2000 and XP. Microsoft VM ships as part of Windows 98,
ME, and Windows 2000 and also as part of Internet Explorer 5.5
and earlier.
DAMAGE: An attacker could use this vulnerability to send a user’s
Internet session to a system under his control without the
user being aware. The attacker could capture and save the
user’s session information thereby enabling him to execute a
replay attack or to search for sensitive information such as
user names or passwords.
SOLUTION: Apply the appropriate patch or upgrade the required software.
______________________________________________________________________________
VULNERABILITY
ASSESSMENT: The risk is LOW. The vulnerability only affects configurations
that utilize a proxy server and the malicious applet must be
on the system.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-052.shtml
ORIGINAL BULLETIN: * Sun:
http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/216&type=0&nav=sec.sba
* Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS02-013.asp
______________________________________________________________________________
[Revision 03/06/02: Sun Microsystems released bulletin]
[***** Start Sun Security Bulletin #00216 *****]
-----BEGIN PGP SIGNED MESSAGE-----
________________________________________________________________________________
Sun Microsystems, Inc. Security Bulletin
Bulletin Number: #00216
Date: March 4, 2002
Cross-Ref:
Title: HttpURLConnection
________________________________________________________________________________
The information contained in this Security Bulletin is provided "AS IS."
Sun makes no warranties of any kind whatsoever with respect to the information
contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY
ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN
THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.
If any of the above provisions are held to be in violation of applicable law,
void, or unenforceable in any jurisdiction, then such provisions are waived
to the extent necessary for this disclaimer to be otherwise enforceable in
such jurisdiction.
________________________________________________________________________________
1. Background
A vulnerability in the Java(TM) Runtime Environment may allow
an untrusted applet to monitor requests to and responses from
an HTTP proxy server when a persistent connection is used between
a client and an HTTP proxy server.
The full and custom installations of Netscape 6.1, 6.0.1, and 6.0
are affected since they include an affected version of the
Java Runtime Environment. The default Java runtime environments of
Netscape(TM) Communicator version 4.79 and earlier are affected.
For more information, see
http://home.netscape.com/security
Microsoft VM up to and including build 3802 is affected.
For more information, see
http://www.microsoft.com/technet/security/bulletin/MS02-013.asp
This issue may or may not affect other vendors' Java technology
implementations which are derived from Sun's SDK and JDK(TM) source bases.
Sun has notified and made the remedy available to its Java
technology licensees.
Sun recommends that users of affected releases upgrade to the latest
SDK, JDK, and JRE releases listed in section 3 of this bulletin.
2. Affected Releases
The following releases are affected:
Windows Production Releases
SDK and JRE 1.3.0_02 or earlier
SDK and JRE 1.2.2_010 or earlier
JDK and JRE 1.1.8_007 or earlier
Solaris(TM) Operating Environment (OE) Reference Releases
SDK and JRE 1.2.2_010 or earlier
JDK and JRE 1.1.8_007 or earlier
Solaris Production Releases
SDK and JRE 1.3.0_02 or earlier
SDK and JRE 1.2.2_10 or earlier
JDK and JRE 1.1.8_13 or earlier
Linux Production Releases
SDK and JRE 1.3.0_02 or earlier
SDK and JRE 1.2.2_010 or earlier
Releases prior to SDK and JRE 1.2.2, and JDK and JRE 1.1.8 for
Windows and Solaris are also affected and should no longer be used.
Users of these releases should upgrade to a later release listed in
Section 3.
This vulnerability does not affect the Java 2 SDK, Standard Edition,
versions 1.4 and 1.3.1.
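An added example (not part of Sun's bulletin or of any Sun tooling): a small Python check that maps a reported SDK/JDK/JRE version string onto the affected-release table in section 2 above, so a host inventory can be triaged against it. The platform keys, the constructed inventory and the helper names are my own assumptions.

```python
"""Triage Java runtime versions against Sun Security Bulletin #00216, section 2.
Added example; the platform keys and helper names are assumptions, not Sun's."""
import re

# Highest affected update number per release family, exactly as listed in the
# bulletin. Solaris production builds number their updates differently
# (1.2.2_10 and 1.1.8_13 rather than 1.2.2_010 and 1.1.8_007).
AFFECTED_MAX_UPDATE = {
    "windows":            {(1, 3, 0): 2, (1, 2, 2): 10, (1, 1, 8): 7},
    "solaris-reference":  {(1, 2, 2): 10, (1, 1, 8): 7},
    "solaris-production": {(1, 3, 0): 2, (1, 2, 2): 10, (1, 1, 8): 13},
    "linux":              {(1, 3, 0): 2, (1, 2, 2): 10},
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?$")


def parse_version(text):
    """'1.2.2_010' -> ((1, 2, 2), 10); '1.4' -> ((1, 4, 0), 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % text)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0)), int(update or 0)


def is_affected(platform, version):
    """True when the bulletin lists this release as affected on this platform.
    1.3.1 and 1.4 are stated to be unaffected; anything not listed returns False."""
    family, update = parse_version(version)
    table = AFFECTED_MAX_UPDATE[platform]
    if family in table:
        return update <= table[family]
    # Section 2: releases before 1.2.2 (and before 1.1.8) on Windows and
    # Solaris are also affected and should no longer be used.
    if platform != "linux" and family < (1, 2, 2):
        return True
    return False


def hosts_needing_upgrade(inventory):
    """inventory: iterable of (hostname, platform, version). Returns the hostnames
    whose runtime falls inside the affected table."""
    return [host for host, platform, version in inventory
            if is_affected(platform, version)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws01", "windows", "1.3.0_02"),            # affected
    ("ws02", "windows", "1.3.1_02"),            # fixed release
    ("build7", "linux", "1.2.2_011"),           # fixed release
    ("db-sol", "solaris-production", "1.1.8_13"),  # affected
    ("legacy", "windows", "1.1.7"),             # pre-1.1.8, affected
]

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print("upgrade required:", host)
```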
3. Latest Releases
Windows Production Releases
SDK and JRE 1.4 http://java.sun.com/j2se/1.4/
SDK and JRE 1.3.1_02 http://java.sun.com/j2se/1.3/
SDK and JRE 1.2.2_011 http://java.sun.com/j2se/1.2/
JDK and JRE 1.1.8_009
http://java.sun.com/products/jdk/1.1/download-jdk-windows.html
Solaris OE Reference Releases
SDK and JRE 1.2.2_011 http://java.sun.com/j2se/1.2/
JDK and JRE 1.1.8_009
http://java.sun.com/products/jdk/1.1/download-jdk-solaris.html
Solaris OE Production Releases
SDK and JRE 1.4 http://java.sun.com/j2se/1.4/
SDK and JRE 1.3.1_02 http://java.sun.com/j2se/1.3/
SDK and JRE 1.2.2_11 http://java.sun.com/j2se/1.2/
JDK and JRE 1.1.8_15
http://java.sun.com/products/jdk/1.1/download-jdk-solaris.html
Linux Production Releases
SDK and JRE 1.4 http://java.sun.com/j2se/1.4/
SDK and JRE 1.3.1_02 http://java.sun.com/j2se/1.3/
SDK and JRE 1.2.2_011 http://java.sun.com/j2se/1.2/
_______________________________________________________________________________
Sun acknowledges, with thanks, Harmen van der Wal for bringing this issue to
our attention.
_______________________________________________________________________________
APPENDICES
A. Sun security bulletins are available at:
http://sunsolve.sun.com/security
B. Sun Security Coordination Team's PGP key is available at:
http://sunsolve.sun.com/pgpkey.txt
C. To report or inquire about a security problem with Sun software, contact
one or more of the following:
- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- Sun Security Coordination Team. Send email to:
security-alert@sun.com
D. To receive information or subscribe to our CWS (Customer Warning System)
mailing list, send email to:
security-alert@sun.com
with a subject line (not body) containing one of the following commands:
Command Information Returned/Action Taken
_______ _________________________________
help An explanation of how to get information
key Sun Security Coordination Team's PGP key
list A list of current security topics
query [topic] The email is treated as an inquiry and is forwarded to
the Security Coordination Team
report [topic] The email is treated as a security report and is
forwarded to the Security Coordination Team. Please
encrypt sensitive mail using Sun Security Coordination
Team's PGP key
send topic A short status summary or bulletin. For example, to
retrieve a Security Bulletin #00138, supply the
following in the subject line (not body):
send #138
subscribe Sender is added to our mailing list. To subscribe,
supply the following in the subject line (not body):
subscribe cws your-email-address
Note that your-email-address should be substituted
by your email address.
unsubscribe Sender is removed from the CWS mailing list.
________________________________________________________________________________
Copyright 2002 Sun Microsystems, Inc. All rights reserved. Sun,
Sun Microsystems, the Sun logo, Solaris, Java, and JDK are trademarks or
registered trademarks of Sun Microsystems, Inc. in the United States and
other countries. Netscape is a trademark or registered trademark of
Netscape Communications Corporation in the United States and other countries.
This Security Bulletin may be reproduced and distributed, provided that this
Security Bulletin is not modified in any way and is attributed to
Sun Microsystems, Inc. and provided that such reproduction and distribution
is performed for non-commercial purposes.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
[***** End Sun Security Bulletin #00216 *****]
[***** Start Microsoft Security Bulletin MS02-013 *****]
Microsoft Security Bulletin MS02-013
Java Applet Can Redirect Browser Traffic
Originally posted: March 04, 2002
Summary
Who should read this bulletin: Customers using Microsoft® Internet
Explorer® in a configuration where a proxy server is interposed between
the browser and the Internet.
Impact of vulnerability: Information Disclosure
Maximum Severity Rating: Critical
Recommendation: Customers using IE in a proxy server configuration as
indicated above should immediately apply the patch.
Affected Software: Versions of the Microsoft virtual machine
(Microsoft VM) are identified by build numbers, which can be
determined using the JVIEW tool as discussed in the FAQ.
The following builds of the Microsoft VM are affected:
All builds of the Microsoft VM up to and including build 3802.
Technical description:
The Microsoft VM is a virtual machine for the Win32® operating
environment. It runs atop Microsoft Windows® 95, Microsoft
Windows 98, ME, Windows NT® 4.0, Windows 2000® and Windows XP.
It ships as part of Windows 98, ME, and Windows 2000 and also
as part of Internet Explorer 5.5 and earlier.
The version of the Microsoft VM that ships with Internet Explorer
version 4.x and 5.x contains a flaw affecting how Java requests for
proxy resources are handled. A malicious Java applet could exploit
this flaw to re-direct web traffic once it has left the proxy server
to a destination of the attacker’s choice.
An attacker could use this flaw to send a user’s Internet session
to a system of his own control, without the user being aware of this.
The attacker could then forward the information on to the intended
destination, giving the appearance that the session was behaving
normally. The attacker could then send his own malicious response,
making it seem to come from the intended destination, or could
discard the session information, creating the impression of a denial
of service. Additionally, the attacker could capture and save the
user’s session information. This could enable him to execute a replay
attack or to search for sensitive information such as user names
or passwords.
A system is only vulnerable if IE is used in conjunction with a
proxy server. Users whose browsers are not behind a proxy server
are not vulnerable to this vulnerability. However, those users
would be vulnerable if they changed their browser to use a proxy
server at a later date.
Mitigating factors:
The vulnerability only affects configurations that utilize a proxy
server. Customers who are not using a proxy server are not at risk
from this vulnerability.
Best practices strongly recommend using SSL to encrypt sensitive
information such as user names, passwords and credit card numbers.
If this has been done, sensitive information will be protected
from examination and disclosure by an attacker exploiting this
vulnerability.
Severity Rating:
                              Internet Servers  Intranet Servers  Client Systems
Microsoft VM (all versions)   Moderate          Moderate          Critical
The above assessment is based on the types of systems affected by
the vulnerability, their typical deployment patterns, and the effect
that exploiting the vulnerability would have on them. This
vulnerability affects the disclosure of personal information, and
is most likely to have an impact on client systems.
Vulnerability identifier: CAN-2002-0058
Tested Versions:
Microsoft tested Microsoft VM builds 3167 and later, which ship with
IE 5.0 and later, to assess whether they are affected by this
vulnerability. Previous versions are no longer supported, and
may or may not be affected by these vulnerabilities.
Patch availability
Download locations for this patch
Upgrade to Microsoft VM build 3805 or later at
http://www.microsoft.com/java/vm/dl_vm40.htm
Additional information about this patch
Installation platforms:
The updated Microsoft VM can be installed on systems that don’t
have a Microsoft VM already installed or that are running a previous
version of the Microsoft VM.
Inclusion in future service packs:
The fix for this issue may be included in future service packs.
Reboot needed: Yes
Superseded patches:
MS99-045
MS00-011
MS00-059
MS00-081
Verifying patch installation:
After downloading and installing the updated Microsoft VM, reboot
the machine and follow the instructions above for determining the
build number. The Microsoft VM build number should show as version
3805 or later.
Caveats:
None
Localization:
This patch will install all language versions.
Obtaining other security patches:
Patches for other security issues are available from the following
locations:
Security patches are available from the Microsoft Download Center,
and can be most easily found by doing a keyword search for
"security_patch". Patches for consumer platforms are available
from the WindowsUpdate web site. All patches available via
WindowsUpdate also are available in a redistributable form from
the WindowsUpdate Corporate site.
Other information:
Acknowledgments
Microsoft thanks Harmen van der Wal for reporting this issue to us
and working with us to protect customers.
Support:
Microsoft Knowledge Base article Q300845 discusses this issue and
will be available approximately 24 hours after the release of this
bulletin. Knowledge Base articles can be found on the Microsoft
Online Support web site.
Technical support is available from Microsoft Product Support Services.
There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties
of merchantability and fitness for a particular purpose. In no
event shall Microsoft Corporation or its suppliers be liable for
any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages
so the foregoing limitation may not apply.
Revisions:
V1.0 (March 04, 2002): Bulletin Created.
[***** End Microsoft Security Bulletin MS02-013 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Sun Microsystems, Inc. and
Microsoft Corporation for the information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP
M-043: Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability
M-044: SQL Server Remote Data Source Function Contain Unchecked Buffers
M-045: Microsoft Incorrect VBScript Handling in IE
M-046: Red Hat "ncurses" Vulnerability
M-047: Oracle PL/SQL EXTPROC Database Vulnerability
M-048: Oracle 9iAS Default Configuration Vulnerability
M-049: Multiple PHP Vulnerabilities
M-050: Data Leak with Cisco Express Forwarding
M-051: Microsoft XMLHTTP Control Vulnerability