microsoft.vm.java.txt

Posted Feb 1, 2000
Authored by Hiromitsu Takagi

Another security hole in Microsoft Virtual Machine for Java has been discovered that allows a Java applet to read any file on the system. This vulnerability is quite dangerous and immediate de-activation of the IE Java function provided by Microsoft is highly recommended.

tags | exploit, java
SHA-256 | b676c447d63a02f62a89b9ff3f9af087212f58f35bc9ad6a0a9796b988ac19d5


Jan 28, 2000

Translator's note:
We announce another security hole in Microsoft Virtual Machine
(Microsoft VM) for Java, including the latest version. This is a
translation of the warning note (written in Japanese) by Dr.
Hiromitsu Takagi posted to the Java House Mailing List, a Japanese Java
user discussion site (http://java-house.etl.go.jp/ml/ ; Japanese fonts
required to display). The finding is summarized after numerical tests
and discussion among the members. Mr. Kensuke Tada originated the
discussion. The translation is made available by Dr. Tomohira Tabata
(ttabata@ucsd.edu) for his friends and others who may benefit from
the information. Please note that Dr. Tomohira Tabata accepts no
responsibility for mistranslation in this document.

The finding is:

This security vulnerability allows a Java applet to read any files
in certain directories. Simple code is enough to attack the security
hole. Since even a beginning Java programmer can write it, all users
should take note. The vulnerability is quite dangerous, and immediate
de-activation of the IE Java function provided by Microsoft is highly
recommended, possibly changing to Netscape Navigator, Communicator or
Sun Java Plug-in until Microsoft provides a "fix".

The body of the warning note by Dr. Hiromitsu Takagi:
----------------------------------------------------------------------------------------------------------

This is a warning for all users of Microsoft Internet Explorer version 4
and 5 (IE4, IE5) for Microsoft Windows95/98/NT.

This security hole is closely CLASSPATH for Java users and especially for the Java Developer; the note
is posted.


Vulnerability
-------------

This security vulnerability allows a Java applet to read any "known
files", which are common to most configurations. A hosted web site is
able to retrieve file information through the applet code automaticallyspecific files which popular applications hold, and files with common
names which users occasionally choose,
This does not allow any change or deletion of local files. We still
believe this vulnerability is quite dan

Detailed description
------------------

The readable directories and their sub directories could be limited,will be read,
Except of Windows NT that is home directory of each user profile set.

C:\Windows\deskto

We suspect this variation comes from the version of Microsoft VM for
Java, not the version of IE.

Unfortunately, as a much more serious case, if you set the environment
variable CLASSPATH in C:\AUTOEXEC.BAT, the files and directories under
the directories set in CLASSPATH are all readable.

Java programmers should be aware of tfor their applications.


How to be attacked
------------------

You may get attacked indeed just accessing
When accessing the web site, the applet is downloaded and invoked on
your computer, and then sends files on

    InputStream is = ClassLoader.getSystemResourceAsStream(filename);

This single line makes an applet read an email.

There may already be such an applet, made by a malicious programmer
and placed on a web page in secret.
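
A defender-side triage check for the call quoted above, added here as an example and not part of the original note: it parses the constant pool of a Java class file and reports any reference to ClassLoader.getSystemResourceAsStream. The helper names (method_refs, flagged, WATCH) and the SAMPLE bytes are constructed for illustration.

```python
import struct

# Bytes following the tag for each fixed-size constant-pool entry type.
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
WATCH = {("java/lang/ClassLoader", "getSystemResourceAsStream")}

def method_refs(data):
    """Return the (class, method) pairs named in a class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]
    pool, pos, i = {}, 10, 1
    while i < count:
        tag = data[pos]
        if tag == 1:                              # Utf8: u2 length, then bytes
            n = struct.unpack_from(">H", data, pos + 1)[0]
            pool[i] = (1, data[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        elif tag in SIZES:
            if tag in (7, 10, 11, 12):            # keep the u2 index fields
                fmt = ">" + "H" * (SIZES[tag] // 2)
                pool[i] = (tag, struct.unpack_from(fmt, data, pos + 1))
            pos += 1 + SIZES[tag]
            i += tag in (5, 6)                    # long/double take two slots
        else:
            raise ValueError("unknown constant tag %d" % tag)
        i += 1
    refs = set()
    for tag, val in pool.values():
        if tag in (10, 11):                       # Methodref, InterfaceMethodref
            cls = pool[pool[val[0]][1][0]][1]     # Class -> Utf8 name
            name = pool[pool[val[1]][1][0]][1]    # NameAndType -> Utf8 name
            refs.add((cls, name))
    return refs

def flagged(data):
    """Watched calls referenced by this class file, sorted."""
    return sorted(method_refs(data) & WATCH)

def _utf8(s):
    return b"\x01" + struct.pack(">H", len(s)) + s.encode()

# Constructed sample: header plus a six-entry constant pool, nothing else.
SAMPLE = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 3, 45, 7)
          + _utf8("java/lang/ClassLoader") + b"\x07\x00\x01"
          + _utf8("getSystemResourceAsStream")
          + _utf8("(Ljava/lang/String;)Ljava/io/InputStream;")
          + b"\x0c\x00\x03\x00\x04" + b"\x0a\x00\x02\x00\x05")
```

A hit is a reason to review the applet, not proof of abuse, since the call has legitimate uses for reading bundled resources.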


Demonstration of attacking the security hole
--------------------------------------------

You can try a demonstration applet on the following URL, (don't worry,
it just reads you back your e.g. autoexec.bwill see the content with specifying the file name with the directory
name.

When you receive the message "to read or find the specified file. However, this might means only that
the applet searched the different d

Work-around
-----------

Stop Microsoft's Java function until a patch is provided.

Instruction for IE4 users:

Follow "View" menu, "Internet Options...", "Security" tab, "Custom (for
expert users)", and "Setting..." b

Alternative for utilizing Java:

- Use Netscape Navigator or Communicator instead of IE.
- Use Sun Java Plug-in for IE. See
http://java.sun.com/products/plugin/index.html


List of vulnerable applications with versiothe members
------------------------------------------------------------------------------------

Microsoft (R) VM for Java, 5.0 Release 5.0.0.3234 (the latest version,
as of Jan 28, 2000) and earlier

Note that no sNo. This is a simple mis-implementation (a bug) of Microsoft Java VM. It
does NOT mean Java has a structural

Motivation of this note
-----------------------

We are aware that full disclosure of security holes informpeople informed. After fighting this dilemma, we believe the benefit of
users, such as awareness of existing(See the following URLs).
http://www.news.com/News/Item/0,4,41084,00.html?feed.cnetbriefs
http://news.cnet.c
- This issue is already known by thousands of members of our mailing
list. Even if we hid the code, anyone them to provide a patch immediately, and to announce it on media such as
newspaper so that all of Windows us
The following is Microsoft's response:

-- Due to development issue, we can not guarantee to fix it as From this answer, we could not be convinced if users get secured soon.
In addition, they mentioned they coulthis issue to Java communities. (Translator's note: Dr. Takagi gave
Microsoft Corp. in Japan a call on Jan 2

Acknowledgement
---------------

This security hole happened to be found when we discussed programming
methods to read files in Jar archives. As a starting point, Mr. Tada
reported his applet read files on Desktop unereport, Mr. Amemiya indicated it was a security hole. I, Dr. Takagi,
reported readable directories were not

Related articles
----------------
[j-h-b:30281] [j-h-b:30283] [j-h-b:30284] [j-h-b:30285] [j-h-b:30303]
[j-h-b:30321] [j-h-b:30323] [j-h-b:30324] [j-h-b:30325] [j-h-b:30327]
[j-h-b:30331] [j-h-b:30332] [j-h-b:30333] [j-h-b:30334] [j-h-b:30338]
[j-h-b:30351] [j-h-b:30352] [j-h-b:30353] [j-h-b:30354] [j-h-b:30355]
[j-h-b:3
http://www.etl.go.jp/~takagi/




Acknowledgement from translator
-------------------------------

I would like to thank Dr. Hiromitsu Takagi (takagi@etl.go.jp) and Mr.
Ryoji Sumida (ryo@idt.net) for their kind help.

Tomohira Tabata (ttabata@ucsd.edu), Ph.D., postgraduate research
engineer,
ECE UCSD, 9500 Gilman Drive, La Jolla, CA 92093-0407, USA