Reposted from RISKS: Yet Another Java Security Hole: ------------------------------ Date: Sun, 2 Jun 1996 07:46:20 +0000 (BST) From: David Hopwood <david.hopwood@lady-margaret-hall.oxford.ac.uk> Subject: Another Java attack There is another serious security bug in the class loading code for all currently available Java browsers: Netscape up to versions 2.02 and 3.0beta4 (except Windows 3.x) Oracle PowerBrowser for Win32 HotJava 1.0beta 'appletviewer' from the Java Development Kit up to version 1.0.2 Sun, Netscape, and Oracle have been sent details of the problem (which is partly related to the ClassLoader attack found by Drew Dean, et al. in March). The attack works by exploiting a design flaw in the mechanism that separates JVM classes into different namespaces. Using this bug, an attacker can bypass all of Java's security restrictions. This includes reading and writing files, and executing native code on the client with the same permissions as the user of the browser. The only way to avoid this problem at the moment is to disable Java. For more details see http://ferret.lmh.ox.ac.uk/~david/java/bugs/ Technical details will be posted when Sun, Netscape, and Oracle release patches. David Hopwood david.hopwood@lmh.ox.ac.uk http://ferret.lmh.ox.ac.uk/~david/ ------------------------------ Date: Thu, 6 Jun 1996 14:15:46 -0700 From: mrm@doppio.Eng.Sun.COM (Marianne Mueller) Subject: Another Java attack David Hopwood, a Java researcher in the UK, has uncovered a new security bug in Java [RISKS-18.18]. In simple terms, he has been able to manipulate the way objects are assigned and the way they collaborate, in order to undermine the applet security manager. Hopwood contacted JavaSoft directly re: the bug, and we have had a team working on a fix for the past 72 hours. In addition, we are applying Hopwood's model to conduct a security review, to determine if there are other bugs that may apply. We are currently thoroughly testing the fix, and plan to release a patch as soon as possible. As we complete more testing of the fix, a more detailed description of the bug and the fix will be added to the JavaSoft security FAQ at http://java.sun.com/sfaq/. JavaSoft is grateful for the internet security community's active interest in reviewing our code and we welcome feedback that makes Java better technology. ------------------------------ ------------------------------------------------------------------------- Steven Weller | Technology (n): | | A substitute for adulthood. stevenw@best.com | Popular with middle-aged men.