(Fwd) Another Java security bug - ALL JAVA BROWSERS (fwd)

(Fwd) Another Java security bug - ALL JAVA BROWSERS (fwd)

Post by John Newbu » Wed, 05 Jun 1996 04:00:00

For URGENT info and action.

------- Forwarded Message Follows -------

Organization:  Open Software Systems Group, DRA Malvern, UK
Subject:       Another Java security bug - ALL JAVA BROWSERS (fwd)
Date:          Tue, 04 Jun 1996 14:15:14 +0100

The following message outlines a security hole in all Java enabled web
browsers that will allow an attacker to bypass all Java security checks
and to run arbitrary code on the victims machine.

Workaround: Disable Java in your browser until fixed browsers are released.

For more information see:



 N-115, Defence Research Agency,  St Andrews Road, Great Malvern, England, UK
 DISCLAIMER: I write only for myself, not for DRA.     Phone: +44 1684 894644
 +MIME+                                                                 +PGP+

------- Forwarded Message

Date:    02 Jun 1996 07:15:06 +0000
Subject: Another Java security bug

There is another serious security bug in the class loading code for all
currently available Java browsers:
    Netscape up to and including versions 2.02 and 3.0beta4 (except for
      Windows 3.x)
    Oracle PowerBrowser for Win32
    HotJava 1.0beta
    'appletviewer' from the Java Development Kit, up to and including
      version 1.0.2

Sun, Netscape, and Oracle have been sent details of the problem (which is
partly related to the ClassLoader attack found by Drew Dean et al in
March). The attack works by exploiting a design flaw in the mechanism that
separates JVM classes into different namespaces.

Using this bug, an attacker can bypass all of Java's security
restrictions. This includes executing native code on the client, with
the same permissions as the user of the browser. No preconditions are
necessary other than viewing the attacker's web page, and the process
can be made completely invisible to the victim.

The only way to avoid this problem at the moment is to disable Java. For
more information see

Further technical details will be posted when Sun, Netscape, and Oracle
release patches.

David Hopwood

- ------- end of forwarded message -------

- --

------- End of Forwarded Message

John Newbury,            Systems and Network Section Leader
Information Services,              University of Birmingham
Tel 0121 414 4734,  URL http://sun1.bham.ac.uk/J.P.Newbury/


1. Java, Java, Java, Java, Java, Java .....

In the systems being developed here, everything is coded in Java. There
are about 100 Java applications each running its own virtual machine.

I'm supposed to work with test and performance analysis of these systems
and I'm using tools that log system behaviour on process level.

The problem is that all I see is 100 processes named Java with some
small variations in command line parameters.

Is there a safe way to alter the process names either at startup or at
runtime ?
What could be the consequences of doing such a thing ?

//Hans Hagberg

2. Mgetty setup problem

3. cvs commit: ports/java Makefile ports/java/forte Makefile distinfo (fwd)

4. C++/Qt/Code Crusader

5. modprobe: can't locate module ppp-compress-21

6. Java Web Server/Hot Java browser???

7. PAM, Shadow Passwords, non-root users

8. Fwd: cvs commit: ports/Mk bsd.java.mk

9. java/jdk13 does not autodetect itself (fwd)

10. Fwd: cvs commit: ports/java/linux-sun-jdk12 Makefile distinfo pkg-plist

11. Fwd: cvs commit: ports/java/linux-sun-jdk14 Makefile

12. FWD: SuSE and TurboLinux Join Growing List of Linux Java Technology Distributors.