Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

BoS: Yet Another Java security bug

From: alanc () godzilla EECS Berkeley EDU (Alan Coopersmith)
Date: Mon, 3 Jun 1996 23:09:36 -0500

------- start of forwarded message -------
Path: 
agate!howland.reston.ans.net!vixen.cso.uiuc.edu!newsfeed.internetmci.com!hookup!usenet.eel.ufl.edu!bofh.dot!arclight.uoregon.edu!dispatch.news.demon.net!demon!sunsite.doc.ic.ac.uk!lyra.csx.cam.ac.uk!news.ox.ac.uk!sable.ox.ac.uk!lady0065
From: lady0065 () sable ox ac uk (David Hopwood)
Newsgroups: comp.lang.java,comp.security.misc,comp.security.unix
Subject: Another Java security bug
Date: 2 Jun 1996 07:15:06 GMT
Organization: Oxford University, England
Lines: 30
Sender: david.hopwood () lmh ox ac uk
Message-ID: <4orf1q$t6f () news ox ac uk>
NNTP-Posting-Host: sable.ox.ac.uk
Xref: agate comp.lang.java:55218 comp.security.misc:30533 comp.security.unix:29893

There is another serious security bug in the class loading code for all
currently available Java browsers:
    Netscape up to and including versions 2.02 and 3.0beta4 (except for
      Windows 3.x)
    Oracle PowerBrowser for Win32
    HotJava 1.0beta
    'appletviewer' from the Java Development Kit, up to and including
      version 1.0.2

Sun, Netscape, and Oracle have been sent details of the problem (which is
partly related to the ClassLoader attack found by Drew Dean et al in
March). The attack works by exploiting a design flaw in the mechanism that
separates JVM classes into different namespaces.

Using this bug, an attacker can bypass all of Java's security
restrictions. This includes executing native code on the client, with
the same permissions as the user of the browser. No preconditions are
necessary other than viewing the attacker's web page, and the process
can be made completely invisible to the victim.

The only way to avoid this problem at the moment is to disable Java. For
more information see
    http://ferret.lmh.ox.ac.uk/~david/java/bugs/

Further technical details will be posted when Sun, Netscape, and Oracle
release patches.

David Hopwood
david.hopwood () lmh ox ac uk
http://ferret.lmh.ox.ac.uk/~david/
------- end of forwarded message -------

--
________________________________________________________________________
Alan Coopersmith                        alanc () godzilla EECS Berkeley EDU
University of California, Berkeley           or: alanc () CSUA Berkeley EDU
Previous By Date Next
Previous By Thread Next

Current thread: