recently reported in Sun's Java browser plugin could provide the basis
for one of the first cross-platform exploits. The vulnerability allows a malicious
program to break out of the Java security sandbox and perform any action
that the browser user has permission to do. That could include destructive
filesystem changes, network access, sending email, etc. A user with a
Java enabled browser would only need to visit a website that has been
crafted to exploit this vulnerability and would fall victim to whatever the
malware author intended.
The Java sandbox is intended to restrict Java applets so that they
can only access certain approved packages in the Java
virtual machine, packages that do not access anything outside of the sandbox.
of the approved list and then passing that reference to an applet,
the browser will protect users until they can upgrade.
The vulnerability was discovered by Jouko Pynnonen in April, was fixed
by Sun in October and was announced last week. Java plugin versions
1.4.2_04 and 1.4.2_05 (and presumably earlier versions as well) were
found to be vulnerable on both Linux and Windows. Sun has released
that fixes the problem. For a company that touts the security features
of its Java technology, as Sun does, 5-6 months between discovery and a
fix for a critical security hole seems overly long.
This vulnerability is very different from others we have seen
because it exploits a problem in a technology that is specifically
focused on cross-platform support. The same Java Runtime Environment
(JRE) code base runs on most modern operating systems and underlies the
Java support in most browsers. A significant security breakdown in the
JRE affects the vast majority of Java enabled browsers in the world,
including Firefox, Mozilla, and Internet Explorer. According to this
on the Full Disclosure mailing list, Opera allows access to the restricted
packages in the default security configuration and no exploit is needed
to subvert the sandbox.
There are additional
for Netscape and IE users because applets can request particular versions
of the plugin and, if that version is still installed, the browser will use it.
In some cases, if the version is not installed, the user will be prompted to
download and install it. This could allow a malware author to ensure that
his code is running on a vulnerable JRE.
Due to Sun licensing constraints, free and open source browsers
and operating systems cannot bundle the JRE and cannot do an automatic security
update of the JRE. Proprietary OS and browser vendors are in the same boat
unless they have licensed the JRE from Sun. The end result is that most
users will need to get the updated JRE from Sun directly. As many users are
not particularly diligent about seeking out security upgrades, this could
leave a significant number of systems unpatched and provide an opportunity
for some kind of malware to exploit this hole.
to post comments)