COMMAND
java
SYSTEMS AFFECTED
Java 2 (and JDK 1.1.x)
PROBLEM
Karsten Sohr at the University of Marburg in Germany has
discovered a very serious security flaw in several current
versions of the Java Virtual Machine, including Sun's JDK 1.1 and
Java 2 (a.k.a. JDK 1.2), and Netscape's Navigator 4.x.
(Microsoft's latest JVM is not vulnerable to this attack.) The
flaw allows an attacker to create a booby-trapped Web page, so
that when a victim views the page, the attacker seizes control of
the victim's machine and can do whatever he wants, including
reading and deleting files, and snooping on any data and
activities on the victim's machine.
The flaw is in the "byte code verifier" component of the JVM.
Under some circumstances the verifier fails to check all of the
code that is loaded into the JVM. Exploiting the flaw allows the
attacker to run code that has not been verified. This code can
set up a type confusion attack (see the book "Securing Java" for
details: http://www.securingjava.com), which leads to a full-blown
security breach. Attack code (in both applet and application
form) has been developed in the lab to exploit the flaw. Sun and
Netscape have been notified about the flaw and they are working on
a fix. The attack developed in the lab worked against the
following platforms:
JDK 1.1.5 (Solaris)
JDK 1.2beta4 (Solaris)
JDK 1.1.6 (Solaris)
JDK 1.1.7 (FreeBSD)
JDK 1.2 (NT)
JDK 1.1.6 (NT)
Symantec Visual Cafe Version 3
Netscape 4.5 (FreeBSD)
Netscape 4.5 (NT)
Netscape 4.05 (NT)
Netscape 4.02 (Solaris)
Netscape 4.07 (Linux)
The attack did not work against:
Microsoft Visual J++ 6.0
SOLUTION
The following is the URL for a press release Sun issued about
this:
http://java.sun.com/pr/1999/03/pr990329-01.html
It says the fix is in the works and will be available shortly, and
will be implemented in the next release(s) of the software (due in
April).