NASIRC BULLETIN B-96-24 June 10, 1996
JAVA Class Loader Hole Recently Discovered
===========================================================
NASA Automated Systems Incident Response Capability
__ __ __ ___ ___ ____ ____
/_/\ /_/| /_/\ / _/\ /_/| / __/ \ / __/\
| |\ \| || / \ \ | /\/ | || | /\ \/ | | \/
| ||\ \ || / /\ \ \ \ \ | || |_\/ /\ | |
| || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
|_|/ \_|//_/ \_\/ \/__/ |_|/ |_| \_\/ \___\/
Serving NASA and the International Aerospace Communities
===========================================================
This bulletin reports a recently announced security vulner-
ability. It may contain a workaround or software
patch. Bulletins should be considered urgent as vulnera-
bility information is likely to be widely known by the time
a patch is issued or other solutions are developed.
===========================================================
NASIRC has recently received new information about another attack
method using the class loader of Java. This attack enables
execution of native machine instructions with Java capable
browsers. This discovery expands the scope of vulnerable systems
initially identified for Netscape Version 2.02 browsers, reported
in NASIRC Bulletin B-96-11-C.
PROBLEM DESCRIPTION
Attacks on the class loader allow running native code in current
Java implementations. Running native code allows machine
specific instructions to be executed by the delivered applet.
This presents a problem since an attack was successful in
deleting files. An exploit has been written for Appletviewer and
HotJava; versions for Netscape and Oracle PowerBrowser are also
possible, although more difficult.
SYSTEMS AFFECTED
The native code vulnerability applies to currently available Java
capable browsers.
The following systems are known to be vulnerable to the new
attack:
* Netscape up to and including Versions 2.02 and 3.0beta4
(except Windows 3.x).
* Oracle PowerBrowser for Win32.
* HotJava 1.0 beta.
* "appletviewer" from Java Development Kit, up to and
including Version 1.0.2.
RECOMMENDED ACTION
NASIRC reiterates its recommendation to use all Internet browsers
with all Java and JavaScript features disabled. If the known
host is a trusted site, then enabling Java or JavaScript after
the initial page is displayed and then using the "reload" option
to invoke Java or JavaScript is a safer approach. Before leaving
a trusted page, the Java and JavaScript features should again be
disabled.
Technical Paper about Java Security
Drew Dean, Edward Felten, and Dan Wallach, Department of Computer
Science, Princeton University, have written a paper, "Java
Security: From HotJava to Netscape and Beyond," presented at the
IEEE Symposium on Security and Privacy on Oakland, California, on
May 6-8, 1996.
This paper gives a technical description of the weaknesses that
exist in the security methods used to build Java and that can be
obtained from the following site.
http://www.cs.princeton.edu/sip/pub/secure96.html
The conclusion is as follows:
"6. Conclusion
Java is an interesting new programming language
designed to support the safe execution of applets
on Web pages. We and others have demonstrated an
array of attacks that allow the security of both
HotJava and Netscape to be compromised. While many
of the specific flaws have been patched, the
overall structure of the systems leads us to believe
that flaws will continue to be found. The absence of
a well-defined, formal security policy prevents the
verification of an implementation.
We conclude that the Java system in its current form
cannot easily be made secure. Significant redesign of
the language, the bytecode format, and the runtime
system appear to be necessary steps toward building a
higher-assurance system. Without a formal basis,
statements about a systems security cannot be
definitive.
The presence of flaws in Java does not imply that
competing systems are more secure. We conjecture that
if the same level of scrutiny had been
applied to competing systems, the results would have
been similar. Execution of remotely-loaded code is
a relatively new phenomenon, and more work is required
to make it safe."
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ACKNOWLEDGMENTS: Fred Blonder of NASIRC for identifying
this information, Alan Coopersmith of UC Berkeley
for submitting this to
best-of-security@suburbia.net, and David Hopwood
of Oxford University, England, for maintaining a
Web site of Netscape vulnerability information.
Drew Dean, Edward Felten, and Dan Wallach,
Department of Computer Science, Princeton
University, for publishing "Java Security: From
HotJava to Netscape and Beyond."
BULLETIN AUTHOR: Jordan Gottlieb
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This advisory may be forwarded without restriction. Persons
within the NASA community or operating in support of a NASA
contract may contact NASIRC with any questions about this
advisory.
Telephone: 1-800-7-NASIRC (1-800-762-7472) FAX: 1-301-441-1853
International: +1-301-441-4398 STU III: 1-301-982-5480
Internet E-Mail: nasirc@nasa.gov
24-Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
WWW: http://nasirc.nasa.gov/NASIRC_home.html
FTP: nasirc.nasa.gov, login "anonymous"
Anyone requiring assistance or wishing to report a security
incident but not operating in support of NASA may contact the
Forum of Incident Response and Security Teams (FIRST), an
international organization of incident response teams, to
determine the appropriate team. A list of FIRST member
organizations and their constituencies may be obtained by
sending E-mail to "docserver@first.org" with an empty "subject"
line and a message body containing the line "send first-contacts"
or via WWW at http://www.first.org/ .
-------------------------------------------------------------
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
