For URGENT info and action.
Organization: Open Software Systems Group, DRA Malvern, UK
Subject: Another Java security bug - ALL JAVA BROWSERS (fwd)
Date: Tue, 04 Jun 1996 14:15:14 +0100
The following message outlines a security hole in all Java enabled web
browsers that will allow an attacker to bypass all Java security checks
and to run arbitrary code on the victims machine.
Workaround: Disable Java in your browser until fixed browsers are released.
For more information see:
N-115, Defence Research Agency, St Andrews Road, Great Malvern, England, UK
DISCLAIMER: I write only for myself, not for DRA. Phone: +44 1684 894644
------- Forwarded Message
Date: 02 Jun 1996 07:15:06 +0000
Subject: Another Java security bug
There is another serious security bug in the class loading code for all
currently available Java browsers:
Netscape up to and including versions 2.02 and 3.0beta4 (except for
Oracle PowerBrowser for Win32
'appletviewer' from the Java Development Kit, up to and including
Sun, Netscape, and Oracle have been sent details of the problem (which is
partly related to the ClassLoader attack found by Drew Dean et al in
March). The attack works by exploiting a design flaw in the mechanism that
separates JVM classes into different namespaces.
Using this bug, an attacker can bypass all of Java's security
restrictions. This includes executing native code on the client, with
the same permissions as the user of the browser. No preconditions are
necessary other than viewing the attacker's web page, and the process
can be made completely invisible to the victim.
The only way to avoid this problem at the moment is to disable Java. For
more information see
Further technical details will be posted when Sun, Netscape, and Oracle
- ------- end of forwarded message -------
------- End of Forwarded Message
John Newbury, Systems and Network Section Leader
Information Services, University of Birmingham
Tel 0121 414 4734, URL http://sun1.bham.ac.uk/J.P.Newbury/