A java vulnerability

A vulnerability recently reported in Sun's Java browser plugin could provide the basis for one of the first cross-platform exploits. The vulnerability allows a malicious program to break out of the Java security sandbox and perform any action that the browser user has permission to do. That could include destructive filesystem changes, network access, sending email, etc. A user with a Java enabled browser would only need to visit a website that has been crafted to exploit this vulnerability and would fall victim to whatever the malware author intended.

The Java sandbox is intended to restrict Java applets so that they can only access certain approved packages in the Java virtual machine, packages that do not access anything outside of the sandbox. The exploit works by using JavaScript to acquire a reference to packages outside of the approved list and then passing that reference to an applet, subverting the sandbox. Disabling either JavaScript or the Java plugin in the browser will protect users until they can upgrade.

The vulnerability was discovered by Jouko Pynnonen in April, was fixed by Sun in October and was announced last week. Java plugin versions 1.4.2_04 and 1.4.2_05 (and presumably earlier versions as well) were found to be vulnerable on both Linux and Windows. Sun has released version 1.4.2_06 that fixes the problem. For a company that touts the security features of its Java technology, as Sun does, 5-6 months between discovery and a fix for a critical security hole seems overly long.

This vulnerability is very different from others we have seen because it exploits a problem in a technology that is specifically focused on cross-platform support. The same Java Runtime Environment (JRE) code base runs on most modern operating systems and underlies the Java support in most browsers. A significant security breakdown in the JRE affects the vast majority of Java enabled browsers in the world, including Firefox, Mozilla, and Internet Explorer. According to this posting on the Full Disclosure mailing list, Opera allows access to the restricted packages in the default security configuration and no exploit is needed to subvert the sandbox.

There are additional concerns for Netscape and IE users because applets can request particular versions of the plugin and, if that version is still installed, the browser will use it. In some cases, if the version is not installed, the user will be prompted to download and install it. This could allow a malware author to ensure that his code is running on a vulnerable JRE.

Due to Sun licensing constraints, free and open source browsers and operating systems cannot bundle the JRE and cannot do an automatic security update of the JRE. Proprietary OS and browser vendors are in the same boat unless they have licensed the JRE from Sun. The end result is that most users will need to get the updated JRE from Sun directly. As many users are not particularly diligent about seeking out security upgrades, this could leave a significant number of systems unpatched and provide an opportunity for some kind of malware to exploit this hole.

Index entries for this article
GuestArticles	Edge, Jake

---

to post comments

A java vulnerability

Posted Dec 2, 2004 13:47 UTC (Thu) by hmh (subscriber, #3838) [Link] (3 responses)

Well, blackdown.org does support automatic security updating for the Debian packages (as long as you take care to update and upgrade from their repository). Likely something for rpm can be arranged as well.

Still non-free as heck, but hey, we did know what the deal with Java was all along, didn't we?

Outdated debian packages on blackdown?

Posted Dec 2, 2004 19:25 UTC (Thu) by fredrik (subscriber, #232) [Link] (2 responses)

I'm probably missing something, because when I browse blackdown's ftp mirrors I cannot find any debian packages more recent than 2003. Not even the change log from the most recent tar-package seems to reference any security fix. Are the blackdown developers really maintaining their ftp? And if not, are the debian packages maintained elsewhere?

Sofar, I have always pulled the official sun release, and built a java-dummy package. That has been the most predictable method for me to install java.

A pity that sun maintains a such obnoxious non-oss-approved license on their official SDK/JRE. They only shoot themselves in the foot by making it harder for both end users and developers to install and update.

Oh well, guess I'm preaching to the choir here anyway...

Debian repository of blackdown.org j2se packages

Posted Dec 2, 2004 20:22 UTC (Thu) by hmh (subscriber, #3838) [Link] (1 responses)

deb http://ftp.gwdg.de/pub/languages/java/linux/debian sid non-free

OR

deb http://ftp.gwdg.de/pub/languages/java/linux/debian sarge non-free

Debian repository of blackdown.org j2se packages

Posted Dec 3, 2004 9:01 UTC (Fri) by fredrik (subscriber, #232) [Link]

Ah, sweet!

I found the release notice and a reference to an official deb-archive[0] on blackdown. The notice also mentioned that their latest version, 1.4.2.01-1, fixes the vulnerability in CVE CAN-2004-1029.

Apparantly blackdown's version 1.4.2.01 is based on sun's 1.4.2_07pre code, and I must say, that version discrepancy is a bit unclear for a casual observer.

Anyway, off I go to add a new source for apt. Wee.

[0] http://blackdown.org/java-linux/java2-status/jdk1.4-statu...

What about the IBM JRE?

Posted Dec 3, 2004 0:33 UTC (Fri) by denials (subscriber, #3413) [Link]

The article doesn't mention whether the IBM SDK for Java on Linux is affected by the same security vulnerability; I tried looking at http://www.ibm.com/developerworks/java/jdk/linux140/ but their "Click here" download link appeared to be broken.

What about 1.5?

Posted Dec 4, 2004 14:05 UTC (Sat) by chloe_zen (guest, #8258) [Link] (1 responses)

I can't find any info on whether JRE (JDK?) 1.5 is also vulnerable.

What about 1.5?

Posted Dec 6, 2004 13:52 UTC (Mon) by Cato (guest, #7643) [Link]

The vulnerability is fixed in 1.5 - check Sun's site for the details.

A java vulnerability

Posted Dec 7, 2004 12:23 UTC (Tue) by eru (subscriber, #2753) [Link] (1 responses)

The end result is that most users will need to get the updated JRE from Sun directly.

Assuming they even can... In the past days I have tried to update the JRE package on a Windows 2000 box (yes,a bit offtopic for this forum, but illustrates an OS-independent risk, so bear with me). The default download click on Sun's site rushes me to a page where it congratulates me on having installed Java. Apparently it detects the JRE is installed and ignores my request to "update it, please", an installer bug. There is also a "manual installation" which always seems to hand like the server were too busy (everyone trying to update Java at the same time? Or then I have just been unlucky).

The risk I see here is that by keeping tight control on JDK distribution, Sun has made itself a bottleneck. They can handle normal traffic, but when a lot of users want to get an update within a short timeframe, things break down. Of course Microsoft has basically the same problem, and has had it for a long time, but apparently they have learned to handle it better.

Sun would do itself a big favour if it allowed all browser and OS distributors (even open source ones and including mirrors) to distribute the JRE and provide update services for it. The other alternative for Sun is to buy a lot more servers and bandwidth, which is more expensive...

A java vulnerability

Posted Dec 24, 2004 5:46 UTC (Fri) by barrygould (guest, #4774) [Link]

Same problem for me on XP and Win2k, even a week or two afterwards.

Also, the installer doesn't remove the offending version.