Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security Java Programming IT

Cross-Platform Java Sandbox Exploit 382

Posted by timothy
from the suck dept.
DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.
This discussion has been archived. No new comments can be posted.

Cross-Platform Java Sandbox Exploit

Comments Filter:
  • by johnhennessy (94737) on Wednesday November 24, 2004 @08:33AM (#10908312)

    I think this tries to highlight another reason why allowing a third party review your code is a good thing

    Generally, the most cost effective way can be an open source model.(there are others !)

  • by Cyphus (818873) on Wednesday November 24, 2004 @08:38AM (#10908340)
    Its the browser-based sandbox that's the culprit here, not Java. Saying its a problem with Java, is like saying an IE exploit is a problem with HTML.
    • by jeif1k (809151) on Wednesday November 24, 2004 @08:59AM (#10908461)
      Browsers aren't responsible for sandboxing plugins--in fact, they couldn't do it if they wanted to. Sandboxing is exclusively a function of the language and its runtime, in this case Java. If Sun's Java plugin allows the execution of dangerous code by untrusted code, it is Sun's fault. Note also that this is not the first time that this has happened.

      Fortunately, the solution is simple: just turn off Java applets in your browser. These days, you won't be missing anything important on the web by doing so.
      • I agree with you, browsers aren't responsible for the sandboxing, and it is Sun's fault for having a buggy plugin. But sandboxing is not a function of the language - it is solely a function of the runtime. I could use a different runtime with the same compiled Java code and not have the problem. Therefore its not a problem with the language.
        • Java == Platform (Score:3, Insightful)

          by bheer (633842)
          > But sandboxing is not a function of the language - it is solely a function of the runtime.

          Pedant alert. In this case, ignorant pedant alert. the runtime is the Sun(R) Java(tm) Runtime Environment(tm), and Sun has lawyers who will do bad things to you if you claim the Java moniker does not apply to the JRE (which includes plugins for several popular browsers). Cue "Java is a platform" blather from Sun execs.

          In this case, they are simply being hoisted on their own petard. It is a bug in Java. The Platf
          • Re:Java == Platform (Score:3, Informative)

            by tolan-b (230077)
            Yes, it's a vulnerability in the Sun implementation of the Java platform, but not Java the language or the Java platform generally.

            There are other Java runtimes, which are allowed to use the name Java because they pass the conformance tests (such as IBM's Java runtime), they would not be vulnerable to this exploit.
      • You were comparing references (memory addresses) instead of actual values. I think you should have used:

        Java.equals(JavaSandbox)

        instead. It's a common mistake, don't sweat it.
    • Its the browser-based sandbox that's the culprit here, not Java. Saying its a problem with Java, is like saying an IE exploit is a problem with HTML.

      I believe this is completely wrong. First, if the problem were in the browser and not Java, how did Sun fix it on 2 different operating systems and there was not mention of a specific browser.

      Also, AFAIK, the Java plugin does have a sandbox which prevents Java toys from doing things like accessing local files, etc. It takes a trusted and signed applet and
  • Opera not affected (Score:3, Informative)

    by TheJavaGuy (725547) on Wednesday November 24, 2004 @08:40AM (#10908353) Homepage
    This bug affected IE and Firefox, but not the Opera Browser [opera.com].
  • by fforw (116415) on Wednesday November 24, 2004 @08:40AM (#10908356) Homepage
    This only affects the Java plugins in the 1.3 and 1.4 Java release. The current java release 1.5/5.0 is not affected at all.

    And it's a java plugin vulnerability so a website running java on the serverside is not affected.

  • by Xpilot (117961) on Wednesday November 24, 2004 @08:43AM (#10908371) Homepage
    From the Sun website:

    "...through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet."

    A unix-like OS like Linux is somewhat safer than Windows, as one user account compromised doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.

    • Unfortunately I see an astounding number of people log in to irc channels and they are running linux as root. Of course it serves them right if their system gets fscked because of it.
    • A unix-like OS like Linux is somewhat safer than Windows, as one user account compromised doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.

      BFD. Most machines that are used for surfing the web are single user machines and having that users stuff trashed is the same as trashing the whole machine.
    • A unix-like OS like Linux is somewhat safer than Windows, as one user account compromised doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.

      That is absolute misinformation. How are the two any different?

      I run as root and as Administrator because i'm too lazy to set up actual, proper permissions and accounts. That doesn't mean that I couldn't, just that I do

      • I run as root and as Administrator because i'm too lazy to set up actual, proper permissions and accounts. That doesn't mean that I couldn't, just that I don't.

        This will change when you get a job. I recommend breaking this habit soon.

      • The difference is that running as a non-admin on Windows is a huge pain, as many programs don't play nicely with non-admin accounts. Windows has a huge legacy of "one user per machine" thinking in its applications development history.

        That means that many apps will not run well under non-admin accounts on Windows. Try it sometime and see. Talk to any tech-support person and ask what fraction of calls they get due to people trying to run under non-admin accounts (there's been a spate of this lately as fol
  • by scatter_gather (649698) on Wednesday November 24, 2004 @08:45AM (#10908376)
    Write once, exploit everywhere!
    :)
  • by mrchaotica (681592) on Wednesday November 24, 2004 @08:53AM (#10908417)
    Is the Java that comes on Macs exploitable by this too? (Maybe not, since Apple might have changed something, but I don't know)

    Also, what about BSD?
    • Mac (Score:4, Informative)

      by JavaLord (680960) on Wednesday November 24, 2004 @11:44AM (#10909785) Journal
      I tested my PC, which the sample code worked on, but it didn't seem to work on my mac which runs OSX 10.3.6 in safari or firefox. Safari comes back with a "Class undefined" and firefox just seems to ignore the javascript alert at the end.

      Anyone else try this on the mac and have similar results?
  • The nice thing is, is that if you are using Linux, Java is most likely running as root, and therefore less likely to mess around with your OS, Or files which that user does not have access to. Therefore, it's probably hard to get something into a startup script, and to create a virus that would be around after you rebooted the computer.
    • Looks like you left out the word not:

      The nice thing is, is that if you are using Linux, Java is most likely not running as root, and therefore less likely to mess around with your OS, Or files which that user does not have access to. Therefore, it's probably hard to get something into a startup script, and to create a virus that would be around after you rebooted the computer.

      :)

  • by Anonymous Coward on Wednesday November 24, 2004 @08:56AM (#10908443)
    From the horses mouth right here [jouko.iki.fi]. The issue is actually with the plug-in, not Java itself. In brief, you can load a Java class in an applet via JavaScript using getClass().forName() and use that reference to make calls outside the confines of the sandbox.
  • by jeif1k (809151) on Wednesday November 24, 2004 @08:56AM (#10908444)
    The "sandbox" that cordons off Java applets from the rest of the system has typically worked well.

    When Java first came out, people found lots of security problems with its sandbox; there were both fundamental flaws in Java's type system and problems in Sun's implementation. That aspect of Java was subject to intense scrutiny back then because Sun had positioned Java as a new way of delivering client applications, which depended critically on sandboxing. The vision was that Java would replace heavy desktop apps.

    These days, it doesn't matter much anymore: Java has failed to achieve its goals on the client; you can browse perfectly fine with applets disabled and never even notice. And for Java's current server side uses, sandboxing isn't really that important. So, people stopped finding flaws in Java's sandbox because they stopped looking--it just doesn't matter to anyone anymore.

    I think Java's original vision of a thin client platform for high-quality applications delivered through the Internet is still relevant, but Java won't be able to fulfill it anymore: it has become too bloated and too complex. More likely, that niche will be filled by an updated version of Flash (yuck), XUL, or, perhaps, something entirely new.
  • No patch (Score:3, Interesting)

    by roman_mir (125474) on Wednesday November 24, 2004 @08:57AM (#10908452) Homepage Journal
    There is no patch, there is only the next release of the JRE, why is that? Wouldn't it make more sense to also release an executable patch rather than forcing a 14MB download (not that I care, I download it at 400KB/s?)
    • No, it wouldn't. People could be running any mix of old Java runtimes. A full release is the only goof-proof way of ensuring that the fixed version is correctly deployed.
      • So? As if it is impossible to build a patch that detects what you are running and update what is necessary... these are computers after all, they can do that.

        • Yes, but there are still people out there running JVM 1.3.x. I suspect a universal patch would be larger than the 14MB full install.
          • Doubt that very very much. Besides, the binary identifier only needs to point to the correct patch.
            Whatever, it's not my bandwidth.

            • Yes, right, and download that way for corporate deployment? Or multiple home machines? I for one would prefer full releases over patches for most products. In the old days, Veritas used to release fully patched builds of Backup Exec on a regular basis. It made a sysadmin's job so much easier not having to chase after a handful of patches every time a new (licensed) copy was deployed. Patches bad, full releases good ;-)
  • by bratboy (649043) on Wednesday November 24, 2004 @08:59AM (#10908459) Homepage
    I'm sorry, but the comments here are getting a little absurd. The Java sandbox has had how many security exploits discovered in the eight or nine years it's been around? Perhaps there have been a couple, but I can't remember any. And now, a flaw is discovered by an independent researcher, a patch quickly released, and the bug made public only after a significant amount of time has passed for people to upgrade, and before an exploit appears - and you're complaining because ...? Oh right, because Java isn't open source.

    Open source, although a wonderful thing which should be given away at school bake sales, church meetings, and nascar rallies, is not a silver bullet. Case in point - the Firefox browser (which I use and love) has already had several security flaws (e.g. the same JPG flaw as IE) for which exploits have been released. The major reason we don't see more is *not* because it's so much more robust [enterpriseitplanet.com] - it's because it still doesn't have the visibility and marketshare of IE, not to mention the raw hatred of ubergeeks around the world. I know, I know - the marketshare is going up, and as a faithful user I'm honestly torn. I'd love for it to be successful, and for Microsoft to have some kind of competition, but for now, Firefox is pretty safe. Give it the marketshare, and watch all those 2600-loving eyes start reappraising their goals.

    daniel

    • The Java sandbox has had how many security exploits discovered in the eight or nine years it's been around? Perhaps there have been a couple, but I can't remember any.

      The Java sandbox has had lots of security exploits over the years. I suspect the main reason people stopped discovering them is because Sun pretty much destroyed Java for applet use.

      and you're complaining because ...? Oh right, because Java isn't open source.

      Indirectly, yes. Sun has lost its focus on a thin client platform and instead
    • Oh right, because Java isn't open source.

      Well...less whiners soon since Java is going to be open-sourced [zdnet.com.au].

    • "security flaws (e.g. the same JPG flaw as IE) "
      Ummm that was a security flaw in GDIplus.dll That was by all standards an OS level bug and one that can be laid right at the feet of microsoft. I have seen the phishing exploit which seems like more of an abuse of tabs. And everything has to set up just so for it to work. Overall I would say that FireFox/Thunderbird are safer not just because of the lack of hacker mindshare but because they do not bury there hooks so deep in the OS as does IE and Outlook. Micr

  • The linked notice sez the bug is patched in 1.4.2_06, but the web site and java auto-update both say the 1.4.2_05 I have now is the latest.

    Does anyone out there have _06 yet or is this another case of premature press-releasination?
  • Okay, I'm a doofus.

    To fix this vulnerability, you have to go to

    http://java.sun.com/j2se/1.5.0/download.jsp [sun.com]

    and download the J2SE 5.0 JRE, right?

    (Yeah, yeah, I know, and then install it.)
    • by prandal (87280)
      You go to www.java.com, upgrade from 1.4.2_03 to 1.4.2_05 and think you're safe, until one day, BOOM!

      WAKE UP SUN!
    • Sun's Installer will happily leave your old copy on, so uninstall first. If you're using the Java 3D addon, you'll need to uninstall that and the old Java first. Then install jre 1.5.0 and Java 3D. Then all works happily.
  • The new JDK/JRE is "safe"... I've heard they're faster, too, with some JRE improvements. I just downloaded the whole 1.5 set, and I'm pretty excited, looking forward to it... I install it on my Slackware instance tonight!

    If I had a girlfriend, I'd invite her to hang out and share the joy; this'd be way better than a movie as a date... Um... Maybe I should get out more, now that I think about it...
  • My browser is opera on linux so obviously I am vulnarable. So I checked my preferences and I not only haven't got it enabled. It doesn't even have the link to where it can find java.

    Not so long ago (for someone my age. For some /. it may be half a life time ago) java web applets were everywhere. Has this now been replaced with flash or have webdesigners decided they didn't need what java can do or am I visiting the wrong pages?

    Not I am not talking about web applications here but java applets that things l

  • On my development workstation I am reporting back JRE 1.4.2_02 but my MSIE plug-in reports it's running the Microsoft JVM 1.1.4. My corporate workstations can be upgraded to JRE 1.4.2_06 without a hitch. But then again I would really rather patch the Microsoft JVM since most of the standard workstations don't have (or need) the entire Sun JRE installed on them.

    I know that Microsoft won't release a patch for their JVM. That means I will have to deploy the entire Sun JRE on all worsktations and then deploy s
  • Unix Viruses ? (Score:3, Interesting)

    by anux (834169) on Wednesday November 24, 2004 @10:05AM (#10908999)
    I have always found the idea of viruses on Unix amusing. I mean, any user can cause damage to his/her files, either manually or by running a script or binary. But this is not an "infection" as the system is left completely untouched. What worries me though is the way the news sites report "Linux viruses". Someone unfamiliar with Linux/Unix might think: "Oh! So Unix also has viruses, just like Windows." This I think is giving a completely wrong impression about Unix to such people.
  • by freelunch (258011) on Wednesday November 24, 2004 @10:09AM (#10909033)
    Browsers should allow you to configure java and javascript on a per site basis. Much like you can allow pop-ups from certain sites.

    I prefer to have javascript off all the time.

    Being able to selectively enable them for certain sites would be nice and would improve security.

  • by hkb (777908) on Wednesday November 24, 2004 @11:21AM (#10909604)
    4 months is quick? Boy, I'm sure glad there's such a large anti-full disclosure mentality going around lately. Now, vendors don't have to secure their vulnerabilities in a timely manner!

    1. Get notified about a serious security flaw
    2. ....
    3. Release a patch a quarter of a year later
    4. Profit!
  • by BovineOne (119507) <bovine@distribu[ ].net ['ted' in gap]> on Wednesday November 24, 2004 @01:00PM (#10910585) Homepage Journal
    "found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday."

    But according to the Bugtraq posting [neohapsis.com] Sun Microsystems was informed on April 29, 2004.
  • by yoDon (123073) on Wednesday November 24, 2004 @01:04PM (#10910625)
    Only on slashdot would a comment that this exploit is "Not that critical" receive a "Score:4, Insightful" rating.

    Last night, while sitting at my machine, I noticed a Java icon appear in my taskbar. "That's wierd," I thought, "I'm not doing anything or hitting any pages that should need the JRE." Since I don't use the JRE much anymore (I installed it while testing a java-based web server) I went to "Add/Remove Programs" and uninstalled j2re-1.4.2_05.

    Too late. This morning I browsed to Slashdot and saw the parent article telling me why the Java icon had popped up.

    Whatever payload the thing delivered appears to have punched a hole in Norton AntiVirus (the Norton Firewall console is reporting that Norton AntiVirus requires "Urgent Attention" but the annunciator on the AntiVirus tab appears to have been disabled in an effort to hide whatever was done to the AntiVirus). It may also have installed the bat/mumu-a worm (one spyware scanner is reporting an infection by the worm, but Symmantec's bat/mumu-a removal tool reports the machine is clean).

    Once a drive has been compromised by something more complicated than a simple virus, there's no way you can ever trust the machine again because there is no way to know what sort of rootkit the exploit delivered.

    I've already disconnected the machine from my network and picked up a new hard drive. The old hard drives will go into an external drive housing that I'll only connect to the machine (a) after I have antivirus software reinstalled and (b) only if I absolutely have to pull data from the drive.

    "Not that critical" hah! This is by far the most serious attack I've ever been hit with, and I downloaded j2re-1.4.2_05 at most two months ago (elsewhere in the comments someone is reporting that j2re-1.4.2_05 is still available for download from sun.com, I can't confirm that but this is hardly an antiquated version).

    There goes my day...

    -Don

"Why should we subsidize intellectual curiosity?" -Ronald Reagan

Working...