Date: Mon, 5 Apr 1999 08:56:10 -0400
From: Gary McGraw <gem@RSTCORP.COM>
To: BUGTRAQ@netspace.org
Subject: Security Hole in Java 2 (and JDK 1.1.x)

Hi all,

Karsten Sohr at the University of Marburg in Germany (email
sohr@mathematik.uni-marburg.de) has discovered a very serious security
flaw in several current versions of the Java Virtual Machine,
including Sun's JDK 1.1 and Java 2 (a.k.a. JDK 1.2), and Netscape's
Navigator 4.x.  (Microsoft's latest JVM is not vulnerable to this
attack.)  The flaw allows an attacker to create a booby-trapped Web
page, so that when a victim views the page, the attacker seizes
control of the victim's machine and can do whatever he wants,
including reading and deleting files, and snooping on any data and
activities on the victim's machine.

The flaw is in the "byte code verifier" component of the JVM.  Under
some circumstances the verifier fails to check all of the code that is
loaded into the JVM.  Exploiting the flaw allows the attacker to run
code that has not been verified.  This code can set up a type
confusion attack (see our book "Securing Java" for details
http://www.securingjava.com) which leads to a full-blown security
breach.

We have verified that the flaw exists and is serious.  Attack code (in
both applet and application form) has been developed in the lab to
exploit the flaw.  Sun and Netscape have been notified about the flaw
and they are working on a fix.

The attack we developed in the lab worked against the following platforms:
JDK 1.1.5 (Solaris)
JDK 1.2beta4 (Solaris)
JDK 1.1.6 (Solaris)
JDK 1.1.7 (FreeBSD)
JDK 1.2 (NT)
JDK 1.1.6 (NT)
Symantec Visual Cafe Version 3
Netscape 4.5 (FreeBSD)
Netscape 4.5 (NT)
Netscape 4.05 (NT)
Netscape 4.02 (Solaris)
Netscape 4.07 (Linux)

The attack did not work against:
Microsoft Visual J++ 6.0

Kudos to Viren Shah at RST for extensive platform testing.  Thanks for
your interest in mobile code security.

Dr. Gary McGraw                      Prof. Edward W. Felten
Reliable Software Technologies       Secure Internet Programming Lab
gem@rstcorp.com                      Dept. of Computer Science
                                     Princeton University
http://www.securingjava.com          felten@cs.princeton.edu

---------------------------------------------------------------------------

Date: Mon, 5 Apr 1999 11:13:16 -0700
From: d3l1r1um@gothlet.net
To: BUGTRAQ@netspace.org
Subject: Re: Security Hole in Java 2 (and JDK 1.1.x)

The following is the URL for a press release Sun issued about this:

http://java.sun.com/pr/1999/03/pr990329-01.html

It says the fix is in the works and will be available shortly, and
will be implemented in the next release(s) of the software (due in
April).

FYI.
d3l1r1um.