From alanc@godzilla.EECS.Berkeley.EDU  Tue Jun  4 13:26:38 1996
Received: from godzilla.EECS.Berkeley.EDU (alanc@godzilla-134.EECS.Berkeley.EDU [128.32.134.5]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id NAA11455 for <best-of-security@suburbia.net>; Tue, 4 Jun 1996 13:26:09 +1000
Received: (from alanc@localhost) by godzilla.EECS.Berkeley.EDU (8.7.5/LADLE-1.01) id UAA19765; Mon, 3 Jun 1996 20:25:40 -0700
Date: Mon, 3 Jun 1996 20:25:40 -0700
From: Alan Coopersmith <alanc@godzilla.EECS.Berkeley.EDU>
Message-Id: <199606040325.UAA19765@godzilla.EECS.Berkeley.EDU>
To: best-of-security@suburbia.net
Subject: Yet Another Java security bug
Newsgroups: comp.lang.java,comp.security.misc,comp.security.unix
In-Reply-To: <4orf1q$t6f@news.ox.ac.uk>
Organization: Univ. of California, Berkeley

------- start of forwarded message -------
Path: agate!howland.reston.ans.net!vixen.cso.uiuc.edu!newsfeed.internetmci.com!hookup!usenet.eel.ufl.edu!bofh.dot!arclight.uoregon.edu!dispatch.news.demon.net!demon!sunsite.doc.ic.ac.uk!lyra.csx.cam.ac.uk!news.ox.ac.uk!sable.ox.ac.uk!lady0065
From: lady0065@sable.ox.ac.uk (David Hopwood)
Newsgroups: comp.lang.java,comp.security.misc,comp.security.unix
Subject: Another Java security bug
Date: 2 Jun 1996 07:15:06 GMT
Organization: Oxford University, England
Lines: 30
Sender: david.hopwood@lmh.ox.ac.uk
Message-ID: <4orf1q$t6f@news.ox.ac.uk>
NNTP-Posting-Host: sable.ox.ac.uk
Xref: agate comp.lang.java:55218 comp.security.misc:30533 comp.security.unix:29893

There is another serious security bug in the class loading code for all
currently available Java browsers:
    Netscape up to and including versions 2.02 and 3.0beta4 (except for
      Windows 3.x)
    Oracle PowerBrowser for Win32
    HotJava 1.0beta
    'appletviewer' from the Java Development Kit, up to and including
      version 1.0.2

Sun, Netscape, and Oracle have been sent details of the problem (which is
partly related to the ClassLoader attack found by Drew Dean et al. in
March). The attack works by exploiting a design flaw in the mechanism that
separates JVM classes into different namespaces.

Using this bug, an attacker can bypass all of Java's security
restrictions. This includes executing native code on the client, with
the same permissions as the user of the browser. No preconditions are
necessary other than viewing the attacker's web page, and the process
can be made completely invisible to the victim.

The only way to avoid this problem at the moment is to disable Java. For
more information see
    http://ferret.lmh.ox.ac.uk/~david/java/bugs/

Further technical details will be posted when Sun, Netscape, and Oracle
release patches.

David Hopwood
david.hopwood@lmh.ox.ac.uk
http://ferret.lmh.ox.ac.uk/~david/
------- end of forwarded message -------

-- 
________________________________________________________________________
Alan Coopersmith                        alanc@godzilla.EECS.Berkeley.EDU
University of California, Berkeley           or: alanc@CSUA.Berkeley.EDU       

