Java Applet Can Redirect Browser Traffic (CIAC M-052)

             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                Java Applet Can Redirect Browser Traffic
                     [Sun Security Bulletin #00216]
                 [Microsoft Security Bulletin MS02-013]

March 5, 2002 19:00 GMT                                           Number M-052
[Revised 6 March 2002]
______________________________________________________________________________
PROBLEM:       A vulnerability exists in Java that may allow a malicious
               applet to monitor requests from an HTTP proxy server. 
PLATFORM:      Netscape 6.1, 6.0.1, and 6.0 are affected since they include 
               an affected version of the Java Runtime Environment.
               The default Java runtime environments of Netscape Communicator 
               version 4.79 and earlier are affected.
               All builds of the Microsoft VM up to and including the build
               3802. Microsoft VM runs atop Microsoft Windows 95, 98, ME, 
               NT 4.0, 2000 and XP. Microsoft VM ships as part of Windows 98, 
               ME, and Windows 2000 and also as part of Internet Explorer 5.5 
               and earlier. 
DAMAGE:        An attacker could use this vulnerability to send a user’s 
               Internet session to a system under his control without the 
               user being aware. The attacker could capture and save the 
               user’s session information thereby enabling him to execute a 
               replay attack or to search for sensitive information such as 
               user names or passwords. 
SOLUTION:      Apply the appropriate patch or upgrade the required software. 
______________________________________________________________________________
VULNERABILITY  The risk is LOW. The vulnerability only affects configurations 
ASSESSMENT:    that utilize a proxy server and the malicious applet must be
               on the system. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-052.shtml 
 ORIGINAL BULLETIN:  * Sun:
                       http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/216&type=0&nav=sec.sba
                     * Microsoft:
                       http://www.microsoft.com/technet/security/bulletin/MS02-013.asp 
______________________________________________________________________________

[Revision 03/06/02: Sun Microsystems released bulletin]

[***** Start Sun Security Bulletin #00216 *****]

________________________________________________________________________________
                  Sun Microsystems, Inc. Security Bulletin
               
Bulletin Number:           #00216
Date:                      March 4, 2002
Cross-Ref:              
Title:                     HttpURLConnection
________________________________________________________________________________

The information contained in this Security Bulletin is provided "AS IS." 
Sun makes no warranties of any kind whatsoever with respect to the information 
contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS, 
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR 
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE 
HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE, 
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL 
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY 
ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN 
THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF 
THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable law, 
void, or unenforceable in any jurisdiction, then such provisions are waived 
to the extent necessary for this disclaimer to be otherwise enforceable in 
such jurisdiction.
________________________________________________________________________________

1. Background

   A vulnerability in the Java(TM) Runtime Environment may allow 
   an untrusted applet to monitor requests to and responses from
   an HTTP proxy server when a persistent connection is used between 
   a client and an HTTP proxy server.
   
   The full and custom installations of Netscape 6.1, 6.0.1, and 6.0 
   are affected since they include an affected version of the 
   Java Runtime Environment. The default Java runtime environments of 
   Netscape(TM) Communicator version 4.79 and earlier are affected. 
   For more information, see 
   
          http://home.netscape.com/security
   
   Microsoft VM up to and including build 3802 is affected.
   For more information, see 
   
          http://www.microsoft.com/technet/security/bulletin/MS02-013.asp
   
   This issue may or may not affect other vendors' Java technology
   implementations which are derived from Sun's SDK and JDK(TM) source bases. 
   Sun has notified and made the remedy available to its Java 
   technology licensees.

   Sun recommends that users of affected releases upgrade to the latest 
   SDK, JDK, and JRE releases listed in section 3 of this bulletin.

2. Affected Releases
   
   The following releases are affected:
     
   Windows Production Releases
   
     SDK and JRE 1.3.0_02 or earlier
     SDK and JRE 1.2.2_010 or earlier
     JDK and JRE 1.1.8_007 or earlier
   
   Solaris(TM) Operating Environment (OE) Reference Releases
   
     SDK and JRE 1.2.2_010 or earlier
     JDK and JRE 1.1.8_007 or earlier

   Solaris Production Releases
   
     SDK and JRE 1.3.0_02 or earlier
     SDK and JRE 1.2.2_10 or earlier     
     JDK and JRE 1.1.8_13 or earlier

   Linux Production Releases

     SDK and JRE 1.3.0_02 or earlier
     SDK and JRE 1.2.2_010 or earlier
   
   Releases prior to SDK and JRE 1.2.2, and JDK and JRE 1.1.8 for 
   Windows and Solaris are also affected and should no longer be used. 
   Users of these releases should upgrade to a later release listed in 
   Section 3.
   
   This vulnerability does not affect the Java 2 SDK, Standard Edition,
   versions 1.4 and 1.3.1.
     
3. Latest Releases

   Windows Production Releases
   
     SDK and JRE 1.4          http://java.sun.com/j2se/1.4/
     SDK and JRE 1.3.1_02     http://java.sun.com/j2se/1.3/
     SDK and JRE 1.2.2_011    http://java.sun.com/j2se/1.2/
     JDK and JRE 1.1.8_009
       http://java.sun.com/products/jdk/1.1/download-jdk-windows.html
       
   Solaris OE Reference Releases
   
     SDK and JRE 1.2.2_011       http://java.sun.com/j2se/1.2/
     JDK and JRE 1.1.8_009   
       http://java.sun.com/products/jdk/1.1/download-jdk-solaris.html

   Solaris OE Production Releases
   
     SDK and JRE 1.4          http://java.sun.com/j2se/1.4/
     SDK and JRE 1.3.1_02     http://java.sun.com/j2se/1.3/
     SDK and JRE 1.2.2_11     http://java.sun.com/j2se/1.2/
     JDK and JRE 1.1.8_15
       http://java.sun.com/products/jdk/1.1/download-jdk-solaris.html
       
   Linux Production Releases

     SDK and JRE 1.4          http://java.sun.com/j2se/1.4/
     SDK and JRE 1.3.1_02     http://java.sun.com/j2se/1.3/
     SDK and JRE 1.2.2_011    http://java.sun.com/j2se/1.2/
_______________________________________________________________________________
Sun acknowledges, with thanks, Harmen van der Wal for bringing this issue to 
our attention. 
_______________________________________________________________________________
APPENDICES

A.  Sun security bulletins are available at:

    http://sunsolve.sun.com/security
       
B.  Sun Security Coordination Team's PGP key is available at:

    http://sunsolve.sun.com/pgpkey.txt
                                        
C.  To report or inquire about a security problem with Sun software, contact 
    one or more of the following:
  
        - Your local Sun answer centers
        - Your representative computer security response team, such as CERT 
        - Sun Security Coordination Team. Send email to:
        
                   security-alert@sun.com

D.  To receive information or subscribe to our CWS (Customer Warning System) 
    mailing list, send email to:
    
                  security-alert@sun.com
   
    with a subject line (not body) containing one of the following commands:

        Command         Information Returned/Action Taken
        _______         _________________________________

        help            An explanation of how to get information
        
        key             Sun Security Coordination Team's PGP key
       
        list            A list of current security topics

        query [topic]   The email is treated as an inquiry and is forwarded to 
                        the Security Coordination Team

        report [topic]  The email is treated as a security report and is
                        forwarded to the Security Coordination Team. Please 
                        encrypt sensitive mail using Sun Security Coordination
                        Team's PGP key

        send topic      A short status summary or bulletin. For example, to 
                        retrieve a Security Bulletin #00138, supply the 
                        following in the subject line (not body):
                      
                                send #138

        subscribe       Sender is added to our mailing list.  To subscribe, 
                        supply the following in the subject line (not body):

                                   subscribe cws your-email-address
                     
                        Note that your-email-address should be substituted
                        by your email address.
                     
        unsubscribe     Sender is removed from the CWS mailing list.
________________________________________________________________________________

Copyright 2002 Sun Microsystems, Inc. All rights reserved. Sun, 
Sun Microsystems, the Sun logo, Solaris, Java, and JDK are trademarks or 
registered trademarks of Sun Microsystems, Inc. in the United States and 
other countries. Netscape is a trademark or registered trademark of 
Netscape Communications Corporation in the United States and other countries.
This Security Bulletin may be reproduced and distributed, provided that this 
Security Bulletin is not modified in any way and is attributed to 
Sun Microsystems, Inc. and provided that such reproduction and distribution 
is performed for non-commercial purposes.

[***** End Sun Security Bulletin #00216 *****]

[***** Start Microsoft Security Bulletin MS02-013 *****]

Microsoft Security Bulletin MS02-013 

Java Applet Can Redirect Browser Traffic
Originally posted: March 04, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Internet 
Explorer® in a configuration where a proxy server is interposed between 
the browser and the Internet. 

Impact of vulnerability: Information Disclosure 

Maximum Severity Rating: Critical 

Recommendation: Customers using IE in a proxy server configuration as 
indicated above should immediately apply the patch. 

Affected Software: Versions of the Microsoft virtual machine 
(Microsoft VM) are identified by build numbers, which can be 
determined using the JVIEW tool as discussed in the FAQ. 

The following builds of the Microsoft VM are affected: 
All builds of the Microsoft VM up to and including build 3802. 

Technical description: 

The Microsoft VM is a virtual machine for the Win32® operating 
environment. It runs atop Microsoft Windows® 95, Microsoft 
Windows 98, ME, Windows NT® 4.0, Windows 2000® and Windows XP. 
It ships as part of Windows 98, ME, and Windows 2000 and also 
as part of Internet Explorer 5.5 and earlier. 

The version of the Microsoft VM that ships with Internet Explorer 
version 4.x and 5.x contains a flaw affecting how Java requests for 
proxy resources are handled. A malicious Java applet could exploit 
this flaw to re-direct web traffic once it has left the proxy server 
to a destination of the attacker’s choice. 

An attacker could use this flaw to send a user’s Internet session 
to a system of his own control, without the user being aware of this. 
The attacker could then forward the information on to the intended 
destination, giving the appearance that the session was behaving 
normally. The attacker could then send his own malicious response, 
making it seem to come from the intended destination, or could 
discard the session information, creating the impression of a denial 
of service. Additionally, the attacker could capture and save the 
user’s session information. This could enable him to execute a replay 
attack or to search for sensitive information such as user names 
or passwords. 

A system is only vulnerable if IE is used in conjunction with a 
proxy server. Users whose browsers are not behind a proxy server 
are not vulnerable to this vulnerability. However, those users 
would be vulnerable if they changed their browser to use a proxy 
server at a later date. 

Mitigating factors: 

The vulnerability only affects configurations that utilize a proxy 
server. Customers who are not using a proxy server are not at risk 
from this vulnerability. 

Best practices strongly recommend using SSL to encrypt sensitive 
information such as user names, passwords and credit card numbers. 
If this has been done, sensitive information will be protected 
from examination and disclosure by an attacker exploiting this 
vulnerability. 

Severity Rating:

                             Internet Servers  Intranet Servers  Client Systems
Microsoft VM (all versions)  Moderate          Moderate          Critical
 
The above assessment is based on the types of systems affected by 
the vulnerability, their typical deployment patterns, and the effect 
that exploiting the vulnerability would have on them. This 
vulnerability affects the disclosure of personal information, and 
is most likely to have an impact on client systems. 

Vulnerability identifier: CAN-2002-0058 

Tested Versions:
Microsoft tested Microsoft VM builds 3167 and later, which ship with 
IE 5.0 and later to assess whether they are affected by this 
vulnerability. Previous versions are no longer supported, and 
may or may not be affected by these vulnerabilities.

Patch availability
Download locations for this patch 
Upgrade to Microsoft VM build 3805 or later at 
http://www.microsoft.com/java/vm/dl_vm40.htm 

Additional information about this patch

Installation platforms: 
The updated Microsoft VM can be installed on systems that don’t 
have a Microsoft VM already installed or that are running a previous 
version of the Microsoft VM. 

Inclusion in future service packs:
The fix for this issue may be included in future service packs. 

Reboot needed: Yes 

Superseded patches:

MS99-045
MS00-011
MS00-059
MS00-081 

Verifying patch installation: 
After downloading and installing the updated Microsoft VM, reboot 
the machine and follow the instructions above for determining the 
build number. The Microsoft VM build number should show as version 
3805 or later. 

Caveats:
None 

Localization:
This patch will install all language versions. 

Obtaining other security patches: 
Patches for other security issues are available from the following 
locations: 

Security patches are available from the Microsoft Download Center, 
and can be most easily found by doing a keyword search for 
"security_patch". Patches for consumer platforms are available 
from the WindowsUpdate web site. All patches available via 
WindowsUpdate also are available in a redistributable form from 
the WindowsUpdate Corporate site. 

Other information: 

Acknowledgments
Microsoft thanks Harmen van der Wal for reporting this issue to us 
and working with us to protect customers.

Support: 

Microsoft Knowledge Base article Q300845 discusses this issue and 
will be available approximately 24 hours after the release of this 
bulletin. Knowledge Base articles can be found on the Microsoft 
Online Support web site. 

Technical support is available from Microsoft Product Support Services. 
There is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides 
additional information about security in Microsoft products. 

Disclaimer:
 
The information provided in the Microsoft Knowledge Base is provided 
"as is" without warranty of any kind. Microsoft disclaims all 
warranties, either express or implied, including the warranties 
of merchantability and fitness for a particular purpose. In no 
event shall Microsoft Corporation or its suppliers be liable for 
any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even 
if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages 
so the foregoing limitation may not apply. 

Revisions: 

V1.0 (March 04, 2002): Bulletin Created. 

[***** End Microsoft Security Bulletin MS02-013 *****]
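
Added example, not part of the CIAC, Sun or Microsoft bulletins: a Python
triage check that applies the affected-release table in section 2 of the Sun
bulletin and the Microsoft VM build thresholds from MS02-013 to a software
inventory. The platform labels, function names and sample inventory are
assumptions made for this example.

```python
import re

# Highest affected update per release line, transcribed from section 2 of Sun
# bulletin #00216. The platform keys are labels chosen for this example.
AFFECTED_MAX = {
    "windows":           {(1, 3, 0): 2, (1, 2, 2): 10, (1, 1, 8): 7},
    "solaris-reference": {(1, 2, 2): 10, (1, 1, 8): 7},
    "solaris":           {(1, 3, 0): 2, (1, 2, 2): 10, (1, 1, 8): 13},
    "linux":             {(1, 3, 0): 2, (1, 2, 2): 10},
}
# Releases before 1.2.2 and 1.1.8 are called affected for Windows and Solaris only.
OLD_LINES_AFFECTED = {"windows", "solaris", "solaris-reference"}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?$")


def parse_java_version(text):
    """Return ((major, minor, micro), update); '_010' and '_10' both give 10."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {text!r}")
    major, minor, micro, update = (int(g) if g else 0 for g in m.groups())
    return (major, minor, micro), update


def java_status(platform, version):
    """Classify a version as 'affected', 'not affected' or 'unknown'."""
    line, update = parse_java_version(version)
    if line[:2] == (1, 4) or line == (1, 3, 1):
        return "not affected"  # stated explicitly at the end of section 2
    table = AFFECTED_MAX[platform]
    if line in table:  # each affected range is bounded with "or earlier"
        return "affected" if update <= table[line] else "not affected"
    older = line < (1, 1, 8) or (1, 2, 0) <= line < (1, 2, 2)
    if older and platform in OLD_LINES_AFFECTED:
        return "affected"
    return "unknown"  # the bulletin says nothing about this combination


def ms_vm_status(build):
    """Classify a Microsoft VM build number against MS02-013."""
    if build <= 3802:
        return "affected"  # "up to and including build 3802"
    if build >= 3805:
        return "not affected"  # "build 3805 or later"
    return "unknown"  # builds 3803 and 3804 are not mentioned


def audit(inventory):
    """Map each (host, kind, platform, version) record to its status."""
    return {
        host: ms_vm_status(int(version)) if kind == "msvm"
        else java_status(platform, version)
        for host, kind, platform, version in inventory
    }


# Constructed inventory for illustration; the host names are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "java", "windows", "1.3.0_02"),
    ("sol-01", "java", "solaris", "1.1.8_13"),
    ("sol-02", "java", "solaris-reference", "1.1.8_009"),
    ("lnx-01", "java", "linux", "1.1.8_007"),
    ("ws-03", "msvm", "windows", "3802"),
]
```

Combinations the bulletins do not cover are reported as "unknown" rather than
guessed, so they can be reviewed by hand.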

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems, Inc. and 
Microsoft Corporation for the information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP
M-043: Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability
M-044: SQL Server Remote Data Source Function Contain Unchecked Buffers
M-045: Microsoft Incorrect VBScript Handling in IE
M-046: Red Hat "ncurses" Vulnerability
M-047: Oracle PL/SQL EXTPROC Database Vulnerability
M-048: Oracle 9iAS Default Configuration Vulnerability
M-049: Multiple PHP Vulnerabilities
M-050: Data Leak with Cisco Express Forwarding
M-051: Microsoft XMLHTTP Control Vulnerability



