Bugtraq mailing list archives
Re: Reappearance of an old IE security bug
From: takagi () ETL GO JP (TAKAGI, Hiromitsu)
Date: Sat, 13 May 2000 08:38:06 +0900
On Sun, 16 Apr 2000 17:09:04 -0600 Ben Mesander <bam () DIMENSIONAL COM> wrote:
> I have found a way to have a Java applet open a connection to an arbitrary
> host and violate the Java security model in Internet Explorer 5. This is a
> bug I first discovered in 1997, and Microsoft fixed it then. It seems to
> have reappeared in the latest IE 5.
>
> http://www.hungry.com/~ben/msie_bug/
I have confirmed this on the following combinations:

  Mac OS + MRJ 2.2 + IE 5
  Mac OS + Microsoft VM + IE 4.5

and that the following are not vulnerable:

  Mac OS + MRJ 2.1.4 + IE 5
  Mac OS + MRJ 2.1.4 + IE 4.5
  Mac OS + MRJ 2.2 + IE 4.5

You mentioned that it is a getImage bug. But I suspected that it might be a java.net.URLConnection bug, because getImage seems to be implemented with URLConnection. I confirmed this with the following applet.

  http://java-house.etl.go.jp/~takagi/java/test/urlconnection-http-redirect/Test.html

The result shows that the following are vulnerable.

Vulnerable:
  Mac OS + MRJ 2.2 + IE 5
  Mac OS + Microsoft VM + IE 4.5
  Mac OS + MRJ 2.1.4 + IE 5
  Mac OS + MRJ 2.1.4 + IE 4.5

Not vulnerable:
  Mac OS + MRJ 2.2 + IE 4.5

(I don't understand why URLConnection is more widely vulnerable than getImage.)

The problem has become very serious because URLConnection can access any type of data, not only images.

In addition to the above, I accidentally found that URLConnection is still vulnerable without the http-redirection technique.

  http://java-house.etl.go.jp/~takagi/java/test/urlconnection-direct/Test.html

Vulnerable:
  Mac OS + MRJ 2.2 + IE 5
  Mac OS + MRJ 2.1.4 + IE 5
  Mac OS + MRJ 2.1.4 + IE 4.5

Not vulnerable:
  Mac OS + Microsoft VM + IE 4.5
  Mac OS + MRJ 2.2 + IE 4.5

This simple bug seems to be the root of the problem of MRJ (except Microsoft VM).

I asked the members of "Java House" (a mailing list for discussion about Java in Japanese, over which I preside) to confirm these vulnerabilities in various combinations of versions of MRJ and Java-enabled browsers. The following table is the summary of the investigation.
(1) http://neurosis.hungry.com/~ben/msie_bug/
(2) http://java-house.etl.go.jp/~takagi/java/test/urlconnection-http-redirect/Test.html
(3) http://java-house.etl.go.jp/~takagi/java/test/urlconnection-direct/Test.html

                                                 (1)  (2)  (3)
  MacOS + MRJ 2.2 + IE 5                          V    V    V
  MacOS + MRJ 2.2 + IE 4.5                        NV   NV   NV
  MacOS + MRJ 2.2 + IE 4.01                       NV   NV   NV
  MacOS + MRJ 2.2 + iCab pre2.0                   NV   NV   NV
  MacOS + MRJ 2.2 + HotJava 3.0                   NV   NV   NV
  MacOS + MRJ 2.2 + Apple Applet Runner           NV   NV   NV
  MacOS + MRJ 2.1.4 + IE 5                        NV   V    V
  MacOS + MRJ 2.1.4 + IE 4.5                      NV   V    V
  MacOS + MRJ 2.1.4 + iCab pre2.0                 NV   V    V
  MacOS + MRJ 2.1.4 + HotJava 3.0                 NV   NV   NV
  MacOS + MRJ 2.1.4 + Apple Applet Runner         NV   V    V
  MacOS + MRJ 2.1.1 + IE 5                        NV   V    V
  MacOS + MRJ 2.1.1 + IE 4.5                      NV   V    V
  MacOS + MRJ 2.1.1 + IE 4.01                     NV   V    V
  MacOS + MRJ 2.1.1 + iCab pre2.0                 NV   V    V
  MacOS + MRJ 2.1.1 + HotJava 3.0                 NV   NV   NV
  MacOS + MRJ 2.1.1 + Apple Applet Runner         NV   V    V
  MacOS + MRJ 2.0 + IE 4.5                        NV   V    V
  MacOS + MRJ 2.0 + Apple Applet Runner           NV   V    V
  MacOS + Microsoft VM for Java + IE 4.5          V    V    NV
  MacOS + Microsoft VM for Java + IE 4.01         V    V    NV

(V: Vulnerable, NV: Not vulnerable)

I submitted this result to Microsoft and Apple Computer last week. The response from Microsoft Security Response Center was:

| > > I've checked with the IE team, but it turns out that we no longer
| > > support Mac IE; instead, we have collaborated with Apple on their Java
| > > runtime and recommend that customers use it instead of Mac IE.
| > > There's some information on this available at
| > > http://www.microsoft.com/MAC/IE/Newsroom/IE45Press/2.asp, but I've also
| > > asked our product support folks to put together a Knowledge Base article
| > > that makes the recommendation explicit. Regards,
| >
| > Does it mean that you will not announce it at the Security Bulletin?
|
| Yes, that is correct. While there won't be a bulletin, the knowledge
| base article will be available for anyone that is concerned with this
| subject.
I worry that people who don't know about the existence of this problem could not find their knowledge base article.

Apple Computer seems not to have a response center dedicated to security issues, so I contacted an engineer of MRJ and reported it. He said that the problems have been submitted to their internal bug database.

Regards,
--
Hiromitsu Takagi
http://www.etl.go.jp/~takagi/
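The two conditions in the table, URLConnection reaching a foreign host through an HTTP redirect (2) and directly (3), come down to one question: does the runtime consult the SecurityManager for every host a URLConnection touches, including redirect targets? The following is an added conformance check, not code from the post or from MRJ: it installs a manager that enforces the applet rule "connect only to the codebase host", opens each URL given on the command line with redirects enabled, and reports any fetch that reached a host the manager never refused. It assumes a JDK on which SecurityManager still works (for example JDK 17 launched with -Djava.security.manager=allow); the class and method names are my own.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URL;
import java.security.Permission;
import java.util.HashSet;
import java.util.Set;

// Added example, not code from the original post. Enforces "connect only to the codebase
// host" with a SecurityManager, opens each URL given on the command line (redirects
// followed) and reports any case where a foreign host was reached without being refused.
// Assumes a JDK that still honours SecurityManager (e.g. JDK 17 with -Djava.security.manager=allow).
public class SandboxConnectCheck {
    static final class CodebaseOnlyManager extends SecurityManager {
        private final Set<String> allowed = new HashSet<>(); // codebase name plus its addresses
        CodebaseOnlyManager(String codebaseHost) throws IOException {
            allowed.add(codebaseHost.toLowerCase());
            for (InetAddress a : InetAddress.getAllByName(codebaseHost)) allowed.add(a.getHostAddress());
        }
        boolean permits(String host) { return host != null && allowed.contains(host.toLowerCase()); }
        @Override public void checkPermission(Permission p) { /* only socket connects are restricted */ }
        @Override public void checkConnect(String host, int port) { // also called for DNS lookups (port -1)
            if (!permits(host)) throw new SecurityException("sandbox refused connect to " + host);
        }
        @Override public void checkConnect(String host, int port, Object ctx) { checkConnect(host, port); }
    }

    /** Fetches url, following redirects; returns the host finally reached, or null if refused. */
    static String finalHostReached(URL url) throws IOException {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setInstanceFollowRedirects(true);
        try {
            c.getResponseCode();          // performs the request and any redirect hops
            return c.getURL().getHost();  // getURL() reflects the location after redirects
        } catch (SecurityException refused) { return null; } finally { c.disconnect(); }
    }

    public static void main(String[] args) throws IOException {
        if (args.length < 2) { System.err.println("usage: SandboxConnectCheck <codebase-host> <url>..."); return; }
        CodebaseOnlyManager sm = new CodebaseOnlyManager(args[0]); // resolve the codebase before installing
        System.setSecurityManager(sm);
        for (int i = 1; i < args.length; i++) {
            String host = finalHostReached(new URL(args[i]));
            System.out.println((host == null ? "OK  refused" : sm.permits(host) ? "OK  codebase" : "BUG reached " + host) + ": " + args[i]);
        }
    }
}
```

Run it with the codebase host followed by a URL on the codebase that redirects elsewhere (case 2) and a URL on another host (case 3); a conformant runtime prints "OK  refused" for both, and a "BUG" line shows the host the runtime reached without the manager being asked.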