java.jvm.byte.code.ver.txt

1999-08-17T00:00:00
ID PACKETSTORM:12026
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Date: Mon, 5 Apr 1999 08:56:10 -0400  
From: Gary McGraw <gem@RSTCORP.COM>  
To: BUGTRAQ@netspace.org  
Subject: Security Hole in Java 2 (and JDK 1.1.x)  
  
Hi all,  
  
Karsten Sohr at the University of Marburg in Germany (email  
sohr@mathematik.uni-marburg.de) has discovered a very serious security  
flaw in several current versions of the Java Virtual Machine,  
including Sun's JDK 1.1 and Java 2 (a.k.a. JDK 1.2), and Netscape's  
Navigator 4.x. (Microsoft's latest JVM is not vulnerable to this  
attack.) The flaw allows an attacker to create a booby-trapped Web  
page, so that when a victim views the page, the attacker seizes  
control of the victim's machine and can do whatever he wants,  
including reading and deleting files, and snooping on any data and  
activities on the victim's machine.  
  
The flaw is in the "byte code verifier" component of the JVM. Under  
some circumstances the verifier fails to check all of the code that is  
loaded into the JVM. Exploiting the flaw allows the attacker to run  
code that has not been verified. This code can set up a type  
confusion attack (see our book "Securing Java" for details  
http://www.securingjava.com) which leads to a full-blown security  
breach.  
  
We have verified that the flaw exists and is serious. Attack code (in  
both applet and application form) has been developed in the lab to  
exploit the flaw. Sun and Netscape have been notified about the flaw  
and they are working on a fix.  
  
The attack we developed in the lab worked against the following platforms:  
JDK 1.1.5 (Solaris)  
JDK 1.2beta4 (Solaris)  
JDK 1.1.6 (Solaris)  
JDK 1.1.7 (FreeBSD)  
JDK 1.2 (NT)  
JDK 1.1.6 (NT)  
Symantec Visual Cafe Version 3  
Netscape 4.5 (FreeBSD)  
Netscape 4.5 (NT)  
Netscape 4.05 (NT)  
Netscape 4.02 (Solaris)  
Netscape 4.07 (Linux)  
  
The attack did not work against:  
Microsoft Visual J++ 6.0  
  
Kudos to Viren Shah at RST for extensive platform testing. Thanks for  
your interest in mobile code security.  
  
Dr. Gary McGraw Prof. Edward W. Felten  
Reliable Software Technologies Secure Internet Programming Lab  
gem@rstcorp.com Dept. of Computer Science  
Princeton University  
http://www.securingjava.com felten@cs.princeton.edu  
  
---------------------------------------------------------------------------  
  
Date: Mon, 5 Apr 1999 11:13:16 -0700  
From: d3l1r1um@gothlet.net  
To: BUGTRAQ@netspace.org  
Subject: Re: Security Hole in Java 2 (and JDK 1.1.x)  
  
The following is the URL for a press release Sun issued about this:  
  
http://java.sun.com/pr/1999/03/pr990329-01.html  
  
It says the fix is in the works and will be available shortly, and  
will be implemented in the next release(s) of the software (due in  
April).  
  
FYI.  
d3l1r1um.  
  
`