NASIRC BULLETIN B-96-24                                  June 10, 1996

JAVA Class Loader Hole Recently Discovered

===========================================================
NASA Automated Systems Incident Response Capability

[NASIRC ASCII-art logo]

Serving NASA and the International Aerospace Communities
===========================================================

This bulletin reports a recently announced security vulnerability. It may contain a workaround or software patch. Bulletins should be considered urgent, as vulnerability information is likely to be widely known by the time a patch is issued or other solutions are developed.

===========================================================

NASIRC has recently received new information about another attack method using the Java class loader. This attack enables execution of native machine instructions through Java-capable browsers. This discovery expands the scope of vulnerable systems beyond those initially identified for Netscape Version 2.02 browsers, reported in NASIRC Bulletin B-96-11-C.

PROBLEM DESCRIPTION

Attacks on the class loader allow native code to run in current Java implementations. Running native code allows machine-specific instructions to be executed by the delivered applet. This presents a real problem: an attack using it has already succeeded in deleting files. An exploit has been written for Appletviewer and HotJava; versions for Netscape and Oracle PowerBrowser are also possible, although more difficult.

SYSTEMS AFFECTED

The native code vulnerability applies to currently available Java-capable browsers. The following systems are known to be vulnerable to the new attack:

  * Netscape up to and including Versions 2.02 and 3.0beta4 (except Windows 3.x).
  * Oracle PowerBrowser for Win32.
  * HotJava 1.0 beta.
  * "appletviewer" from the Java Development Kit, up to and including Version 1.0.2.

RECOMMENDED ACTION

NASIRC reiterates its recommendation to use all Internet browsers with all Java and JavaScript features disabled. If the host is known to be a trusted site, a safer approach is to enable Java or JavaScript only after the initial page is displayed and then use the "reload" option to invoke Java or JavaScript. Before leaving a trusted page, the Java and JavaScript features should again be disabled.

TECHNICAL PAPER ABOUT JAVA SECURITY

Drew Dean, Edward Felten, and Dan Wallach, Department of Computer Science, Princeton University, have written a paper, "Java Security: From HotJava to Netscape and Beyond," presented at the IEEE Symposium on Security and Privacy in Oakland, California, on May 6-8, 1996. The paper gives a technical description of the weaknesses in the security methods used to build Java, and can be obtained from the following site:

  http://www.cs.princeton.edu/sip/pub/secure96.html

Its conclusion is as follows:

"6. Conclusion

Java is an interesting new programming language designed to support the safe execution of applets on Web pages. We and others have demonstrated an array of attacks that allow the security of both HotJava and Netscape to be compromised. While many of the specific flaws have been patched, the overall structure of the systems leads us to believe that flaws will continue to be found. The absence of a well-defined, formal security policy prevents the verification of an implementation. We conclude that the Java system in its current form cannot easily be made secure. Significant redesign of the language, the bytecode format, and the runtime system appear to be necessary steps toward building a higher-assurance system. Without a formal basis, statements about a system's security cannot be definitive. The presence of flaws in Java does not imply that competing systems are more secure.
We conjecture that if the same level of scrutiny had been applied to competing systems, the results would have been similar. Execution of remotely-loaded code is a relatively new phenomenon, and more work is required to make it safe."

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

ACKNOWLEDGMENTS:

Fred Blonder of NASIRC for identifying this information, Alan Coopersmith of UC Berkeley for submitting this to best-of-security@suburbia.net, and David Hopwood of Oxford University, England, for maintaining a Web site of Netscape vulnerability information. Drew Dean, Edward Felten, and Dan Wallach, Department of Computer Science, Princeton University, for publishing "Java Security: From HotJava to Netscape and Beyond."

BULLETIN AUTHOR: Jordan Gottlieb

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory may be forwarded without restriction. Persons within the NASA community or operating in support of a NASA contract may contact NASIRC with any questions about this advisory.

  Telephone:               1-800-7-NASIRC (1-800-762-7472)
  FAX:                     1-301-441-1853
  International:           +1-301-441-4398
  STU III:                 1-301-982-5480
  Internet E-Mail:         nasirc@nasa.gov
  24-Hour/Emergency Pager: 1-800-759-7243 / PIN: 2023056
  WWW:                     http://nasirc.nasa.gov/NASIRC_home.html
  FTP:                     nasirc.nasa.gov, login "anonymous"

Anyone requiring assistance or wishing to report a security incident but not operating in support of NASA may contact the Forum of Incident Response and Security Teams (FIRST), an international organization of incident response teams, to determine the appropriate team. A list of FIRST member organizations and their constituencies may be obtained by sending E-mail to "docserver@first.org" with an empty "subject" line and a message body containing the line "send first-contacts", or via WWW at http://www.first.org/ .

-------------------------------------------------------------