Gary McGraw posted to
BUGTRAQ:
Hi all,
Karsten Sohr at the University of Marburg in Germany (email
sohr@mathematik.uni-marburg.de) has discovered a very serious
security flaw in several current versions of the Java Virtual
Machine, including Sun’s JDK 1.1 and Java 2 (a.k.a. JDK 1.2), and
Netscape’s Navigator 4.x. (Microsoft’s latest JVM is not vulnerable
to this attack.) The flaw allows an attacker to create a
booby-trapped Web page, so that when a victim views the page, the
attacker seizes control of the victim’s machine and can do whatever
he wants, including reading and deleting files, and snooping on any
data and activities on the victim’s machine.
The flaw is in the “byte code verifier” component of the JVM.
Under some circumstances the verifier fails to check all of the
code that is loaded into the JVM. Exploiting the flaw allows the
attacker to run code that has not been verified. This code can set
up a type confusion attack (see our book “Securing Java” for
details http://www.securingjava.com)
which leads to a full-blown security breach.
We have verified that the flaw exists and is serious. Attack
code (in both applet and application form) has been developed in
the lab to exploit the flaw. Sun and Netscape have been notified
about the flaw and they are working on a fix.
The attack we developed in the lab worked against the following
platforms:
JDK 1.1.5 (Solaris)
JDK 1.2beta4 (Solaris)
JDK 1.1.6 (Solaris)
JDK 1.1.7 (FreeBSD)
JDK 1.2 (NT)
JDK 1.1.6 (NT)
Symantec Visual Cafe Version 3
Netscape 4.5 (FreeBSD)
Netscape 4.5 (NT)
Netscape 4.05 (NT)
Netscape 4.02 (Solaris)
Netscape 4.07 (Linux)
The attack did not work against:
Microsoft Visual J++ 6.0
Kudos to Viren Shah at RST for extensive platform testing.
Thanks for your interest in mobile code security.
Dr. Gary McGraw Prof. Edward W. Felten
Reliable Software Technologies Secure Internet Programming Lab
gem@rstcorp.com Dept. of Computer Science
Princeton University
http://www.securingjava.com felten@cs.princeton.edu