`
Jan 28, 2000
Translator's note:
We announce another security hole of Microsoft Virtual Machine
(Microsoft VM) for Java, including the latest version. This is the
translation version of the warning note (written in Japanese) by Dr.
Hiromitsu Takagi posted at the Java House Mailing List, a Japanese Java
user discussion site (http://java-house.etl.go.jp/ml/ . Japanese fonts
required to display). The finding is summarized after numerical tests
and discussion among the members. Mr. Kensuke Tada originated the
discussion. The translation is made available by Dr. Tomohira Tabata
([email protected]) for his friends and others who may benefit from
the information. Please note that Dr. Tomohira Tabata takes no
responsibility for mistranslation in this document.
The finding is:
This security vulnerability allows a Java applet to read out any files
in certain directories. Simple code can attack the security hole. Since
even a beginning Java programmer can write such code, all users should
take note. The vulnerability is quite dangerous, and immediate
deactivation of the IE Java function provided by Microsoft is highly
recommended, possibly changing to Netscape Navigator, Communicator or
the Sun Java Plug-in until Microsoft provides a "fix".
The body of the warning note by Dr. Hiromitsu Takagi:
----------------------------------------------------------------------------------------------------------
This is a warning for all users of Microsoft Internet Explorer version 4
and 5 (IE4, IE5) for Microsoft Windows95/98/NT.
This security hole is closely CLASSPATH for Java users and especially for the Java Developer; the note
is posted.
Vulnerability
-------------
This security vulnerability allows a Java applet to read any "known
files", which are common to most configurations. A hosted web site is
able to retrieve file information through the applet code automaticallyspecific files which popular applications hold, and files with common
names which users occasionally choose,
This does not allow any change or deletion of local files. We still
believe this vulnerability is quite dan
Detail description
------------------
The readable directories and their sub directories could be limited,will be read,
Except of Windows NT that is home directory of each user profile set.
C:\Windows\desktoWe suspect this variation comes from the version of Microsoft VM for
Java, not the version of IE.
Unfortunately, as a much more serious case, if you set the environment
variable CLASSPATH in C:\AUTOEXEC.BAT, the files and directories under
the directories set in CLASSPATH are all readable.
Java programmers should be aware of tfor their applications.
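An added example, not part of the original advisory or of any Microsoft or Java House code: a defender-side audit that parses the text of an AUTOEXEC.BAT and lists the directories its CLASSPATH setting would expose under the behaviour described above. The sample file content and the function names are constructed for illustration.

```python
import re

# Constructed sample AUTOEXEC.BAT content (illustrative, not from the advisory).
SAMPLE_AUTOEXEC = r"""@ECHO OFF
REM set classpath=C:\old
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET CLASSPATH=.;C:\jdk1.1.8\lib\classes.zip;C:\work\classes
set ClassPath=%CLASSPATH%;C:\My Documents\java;c:\WORK\classes\
"""

# Matches "SET CLASSPATH=..." in any letter case; REM lines do not match.
_SET_CLASSPATH = re.compile(r"^\s*@?\s*set\s+classpath\s*=(.*)$", re.IGNORECASE)


def classpath_entries(autoexec_text):
    """Effective CLASSPATH entries after every SET line has been applied in order."""
    current = []
    for line in autoexec_text.splitlines():
        match = _SET_CLASSPATH.match(line)
        if not match:
            continue
        updated = []
        for part in match.group(1).split(";"):
            part = part.strip().strip('"')
            if part.upper() == "%CLASSPATH%":
                updated.extend(current)   # reference to the earlier value
            elif part:
                updated.append(part)
        current = updated
    # Drop duplicates; DOS paths are case-insensitive and may end in "\".
    seen, unique = set(), []
    for entry in current:
        key = entry.lower().rstrip("\\")
        if key not in seen:
            seen.add(key)
            unique.append(entry)
    return unique


def exposed_directories(autoexec_text):
    """Split entries into (directories, archives).

    The advisory states that files under CLASSPATH directories are readable;
    it says nothing about .zip/.jar entries, so those are reported separately.
    """
    dirs, archives = [], []
    for entry in classpath_entries(autoexec_text):
        target = archives if entry.lower().endswith((".zip", ".jar")) else dirs
        target.append(entry)
    return dirs, archives
```

A "." entry means the current directory of whatever process starts the VM, so it deserves the same review as an explicit path.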
How to be attacked
------------------
You may get attacked indeed just accessing
When accessing the web site, the applet is downloaded and invoked on
your computer, and then sends files on
InputStream is = ClassLoader.getSystemResourceAsStream(filename);
This single line makes an applet read an email.
There may already be such an applet, made by a malicious programmer
and placed on a web page in secret.
Demonstration of attacking the security hole
--------------------------------------------
You can try a demonstration applet on the following URL, (don't worry,
it just reads you back your e.g. autoexec.bwill see the content with specifying the file name with the directory
name.
When you receive the message "to read or find the specified file. However, this might means only that
the applet searched the different d
Work-around
-----------
Stop Microsoft's Java function until a patch is provided.
Instruction for IE4 users:
Follow "View" menu, "Internet Options...", "Security" tab, "Custom (for
expert users)", and "Setting..." bAlternative for utilizing Java:
- Use Netscape Navigator or Communicator instead of IE.
- Use Sun Java Plug-in for IE. See
http://java.sun.com/products/plugin/index.html
List of vulnerable applications with versiothe members
------------------------------------------------------------------------------------
Microsoft (R) VM for Java, 5.0 Release 5.0.0.3234 (the latest version,
as of Jan 28, 2000) and earlier
Note that no sNo. This is a simple mis-implementation (a bug) of Microsoft Java VM. It
does NOT mean Java has a structural
Motivation of this note
-----------------------
We are aware that full disclosure of security holes informpeople informed. After fighting this dilemma, we believe the benefit of
users, such as awareness of existing(See the following URLs).
http://www.news.com/News/Item/0,4,41084,00.html?feed.cnetbriefs
http://news.cnet.c
- This issue is already known by thousands of members of our mailing
list. Even if we hid the code, anyone them to provide a patch immediately, and to announce it on media such as
newspaper so that all of Windows us
The following is Microsoft's response:
-- Due to development issue, we can not guarantee to fix it as From this answer, we could not be convinced if users get secured soon.
In addition, they mentioned they coulthis issue to Java communities. (Translator's note: Dr. Takagi gave
Microsoft Corp. in Japan a call on Jan 2Acknowledgement
---------------
This security hole happened to be found when we discussed a programming
method to read files in Jar archives. As a starting point, Mr. Tada
reported his applet read files on Desktop unereport, Mr. Amemiya indicated it was a security hole. I, Dr. Takagi,
reported readable directories were not
Related articles
----------------
[j-h-b:30281] [j-h-b:30283] [j-h-b:30284] [j-h-b:30285] [j-h-b:30303]
[j-h-b:30321] [j-h-b:30323] [j-h-b:30324] [j-h-b:30325] [j-h-b:30327]
[j-h-b:30331] [j-h-b:30332] [j-h-b:30333] [j-h-b:30334] [j-h-b:30338]
[j-h-b:30351] [j-h-b:30352] [j-h-b:30353] [j-h-b:30354] [j-h-b:30355]
[j-h-b:3http://www.etl.go.jp/~takagi/
Acknowledgement from translator
-------------------------------
I would like to thank Dr. Hiromitsu Takagi ([email protected]) and Mr.
Ryoji Sumida ([email protected]) for their kind help.
Tomohira Tabata ([email protected]), Ph.D., postgraduate research
engineer,
ECE UCSD, 9500 Gilman Drive, La Jolla, CA 92093-0407, USA
`