Security

Another Java Security Hole in Windows

tanveer1979 writes: "An article in The Times of India reports that Sun and Microsoft have released a joint bulletin about a security hole in the JVM code."

  • J Bloggs (if he sees this at all) will just see 'java bad'.
  • by Account 10 ( 565119 ) on Wednesday March 20, 2002 @01:03AM (#3192324)
    The full details are in the security bulletin [microsoft.com] and this includes the technical details that us /. readers like.

  • at least according to MS. From an email sent to BUGTRAQ regarding this problem:
    -= VENDOR INFORMATION =-


    Microsoft was informed about this issue on Feb 8 2002. After some mail exchanging between Microsoft Security Response Center and I, Microsoft finally stated this:

    In terms of the definition of a security vulnerability which we discuss at http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/security/vulnrbl.asp crashing a browser would not be regarded as a security vulnerability.
  • by spike666 ( 170947 ) on Wednesday March 20, 2002 @01:20AM (#3192379) Journal
    In a rare press conference featuring Sun Microsystems, Microsoft and the Department of Justice, an exploit was found regarding usage of the Java Virtual Machine under the Windows (95/98/NT/2000/XP/CE) environment. Apparently usage of said JVM is likely to increase the amount of lawsuits filed by these 2 companies, leading to a bogging down of the DOJ's case queue. The DOJ is currently recommending that you cease using your computer, pick up a pen and paper and use them instead. One Anonymous DOJ spokesman said "We've found that we can reduce our case load by 30% if all users of computers stop and just go ahead and use pens, pencils, paper and the abacus. If it was good enough for Confucius, it's good enough for America!"

    Curiously, no comment was issued by Larry Ellison, Chief Entertainment Officer, Oracle Corporation.
    • by karlm ( 158591 )
      Don't run for the hills quite yet, (unless you're using MSPassport or some other system that gives up all the goods with a cookie compromise).

      This does not affect your filesystem integrity or directly affect the security of the localhost. It allows an applet to hijack your HTTP Proxy connection (if you have one) and make arbitrary network connections if you already have a proxy set up.

      As far as I can tell:

      • vulnerable assets
      • CPU cycles
      • Bandwidth
      • ??Cookies??
      • ?? non-certificate-based SSL connections ??

      They can always steal CPU cycles if you allow them to run applets. They can use this to create a distributed mirror of their Evil Content (TM) or do a DDoS. If this allows them to fool the browser into connecting to the wrong site, then SSL connections without VeriSign or other pre-downloaded certificates will be vulnerable, as will all of your cookies.

      DDoS and SSL connection spoofing are the only things likely to be large-scale problems if they are even possible at all with this exploit.

      Speaking of cookies, don't give Passport your credit card number. I took Rivest's network security class at MIT last term. One group's final project was analyzing several cookie-based authentication systems. It turns out that MS lies about their implementation. The design calls for site-specific cookies, similar to broken kerberos tickets. It turns out that at least at that time, passport was issuing identical cookies for different sites. This means if you buy a $2 pair of socks from PassportClothes.com and someone steals your cookies for that site, they can authenticate themselves to PassportComputers.com and order computers. Sure they may only ship to your address, but the social engineering to change the shipping address while the package is in transit isn't too tough. They could also buy themselves a lifetime membership to PassportEBookOfTheMinute.com, all because you bought a pair of socks. If MS stuck to their design, the blackhats could only pretend to be you at PassportClothes.com and would be limited to buying cashmere sweaters and leather jackets. Of course, MS could have further entrenched I.E. by implementing something sniff proof that used kerberos tickets or public key signatures (short duration Verisign-like certs), but they chose to use cookies in order to make adoption easier. Adoption wouldn't be any harder if they used short-duration MS-signed certificates for mutually authenticated SSL connections. Oh well. It's not like we expected them to get it right until their fifth try anyway.
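
The comment above contrasts site-specific cookies with one cookie value that every site accepts. The following is an added example, not part of the comment and not Passport's actual implementation: an HMAC token bound to the site it was issued for, next to an unscoped variant. The site names, keys and function names are constructed for illustration, and user names are assumed not to contain `|`.

```python
import hashlib
import hmac

# Constructed per-site keys shared between a hypothetical login service and each site.
SITE_KEYS = {
    "clothes.example": b"k-clothes-constructed",
    "computers.example": b"k-computers-constructed",
}
SHARED_KEY = b"k-shared-constructed"  # flawed variant: one key, no site binding


def _mac(key, *fields):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (x.encode() for x in fields))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_scoped(user, site, now, ttl=900):
    """Token is keyed per site and names the site inside the MAC."""
    exp = str(int(now) + ttl)
    return f"{user}|{site}|{exp}|{_mac(SITE_KEYS[site], user, site, exp)}"


def verify_scoped(token, site, now):
    """Return the user name, or None if the token is not valid at this site."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user, tok_site, exp, tag = parts
    if tok_site != site or site not in SITE_KEYS:
        return None  # issued for a different site
    if not exp.isdigit() or int(exp) < now:
        return None  # malformed or expired
    good = _mac(SITE_KEYS[site], user, tok_site, exp)
    return user if hmac.compare_digest(good.encode(), tag.encode()) else None


def issue_unscoped(user, now, ttl=900):
    """Flawed variant: the same cookie value is accepted by every site."""
    exp = str(int(now) + ttl)
    return f"{user}|{exp}|{_mac(SHARED_KEY, user, exp)}"


def verify_unscoped(token, now):
    parts = token.split("|")
    if len(parts) != 3 or not parts[1].isdigit() or int(parts[1]) < now:
        return None
    user, exp, tag = parts
    good = _mac(SHARED_KEY, user, exp)
    return user if hmac.compare_digest(good.encode(), tag.encode()) else None
```

With the scoped form, a token captured at one site fails verification at the other even if its site field is rewritten, because both the key and the MAC input differ per site.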

  • isn't this one of the things that JAVA is supposed to prevent? I guess nobody's perfect. But I wonder how many exploits will be made of this.
  • The Microsoft VM (Score:3, Insightful)

    by spike2131 ( 468840 ) on Wednesday March 20, 2002 @02:43AM (#3192724) Homepage
    According to Microsoft's bugtraq report, it's not the Java Virtual Machine that has the problem, it's the "Microsoft Virtual Machine"... I thought that was cute, kinda like claiming the ".html" extension maps to a "Microsoft HTML Document", as I've seen under the Windows defaults.

    This seems to be the direct result of IE forsaking proper applet support for that crappy Active X-plugin-thing we now have to put up with.

  • Um, hello people? (Score:3, Informative)

    by Muggins the Mad ( 27719 ) on Wednesday March 20, 2002 @03:26AM (#3192826)

    From the security advisory:

    Affected Releases:

    Windows Production Releases.
    Solaris Production Releases.
    Linux Production Releases.

    It's not specific to Windows.

    Maybe the editors really don't read these things.

    - MugginsM

    • 1: Windows Bad.
      2: Solaris Bad. It's a real UNIX. It's used in production environments. It's the most popular unix around. Worst of all: PEOPLE GET PAID TO ADMINISTER IT! (then get laid off.)

      3: Linux Good! It's better than a real UNIX! It runs SLASHDOT!

      [Disclaimer: I have nothing against Linux. It's its fan club I dislike.]
  • by Carl ( 12719 ) on Wednesday March 20, 2002 @06:42AM (#3193182) Homepage
    See the following page for the original vulnerability report by Harmen van der Wal (as acknowledged by Sun). He even tested the Free Java implementations GNU Classpath and Kaffe.

    http://www.xs4all.nl/~harmwal/issue/wal-01.txt [xs4all.nl]

  • original report (Score:2, Informative)

    by f00zbll ( 526151 )
    courtesy of /. poster you can see the original alert. If you're too lazy, here is the meat of it:

    Problem
    An applet could do irregular, unchecked HTTP requests.

    Consequence
    Network access restrictions that apply, can be bypassed. Only systems that have a HTTP proxy configured can be vulnerable.
    One particular nasty exploit is where a remote server, aided by a hostile applet, hijacks a browser's persistent HTTP connection to its configured HTTP proxy.

    As far as exploits, it's not the worst or benign. This probably affects corporate networks that use HTTP proxy servers which aren't properly secured. People who don't use proxy servers don't have to worry about it.

  • Another? (Score:4, Insightful)

    by pmz ( 462998 ) on Wednesday March 20, 2002 @10:43AM (#3193842) Homepage
    Why is the article title "Another Java Security Hole in Windows"? The title seems to be assuming that there are many, as if really saying, "Oh no! Another Java Security Hole in Windows? What will I do?!?!" Rather, there have been surprisingly few security holes in Java considering the inherent complexity of the JVM and the Java APIs. There are other pieces of popular software that we need to be much more concerned about.
