From: stevenw@best.com (Steven Weller)
Date: Fri, 7 Jun 1996 23:16:06 +0800
To: cypherpunks@toad.com
Subject: RISKS: YAJSH
Message-ID: <v01540b01addd3ef40288@[206.86.1.35]>
MIME-Version: 1.0
Content-Type: text/plain


Reposted from RISKS:   Yet Another Java Security Hole:

------------------------------

Date: Sun, 2 Jun 1996 07:46:20 +0000 (BST)
From: David Hopwood <david.hopwood@lady-margaret-hall.oxford.ac.uk>
Subject: Another Java attack

There is another serious security bug in the class loading code for all
currently available Java browsers:

    Netscape up to versions 2.02 and 3.0beta4 (except Windows 3.x)
    Oracle PowerBrowser for Win32
    HotJava 1.0beta
    'appletviewer' from the Java Development Kit up to version 1.0.2

Sun, Netscape, and Oracle have been sent details of the problem (which is
partly related to the ClassLoader attack found by Drew Dean, et al. in
March).  The attack works by exploiting a design flaw in the mechanism that
separates JVM classes into different namespaces.

Using this bug, an attacker can bypass all of Java's security restrictions.
This includes reading and writing files, and executing native code on the
client with the same permissions as the user of the browser.

The only way to avoid this problem at the moment is to disable Java. For
more details see
    http://ferret.lmh.ox.ac.uk/~david/java/bugs/

Technical details will be posted when Sun, Netscape, and Oracle release
patches.

David Hopwood  david.hopwood@lmh.ox.ac.uk  http://ferret.lmh.ox.ac.uk/~david/

------------------------------

Date: Thu, 6 Jun 1996 14:15:46 -0700
From: mrm@doppio.Eng.Sun.COM (Marianne Mueller)
Subject: Another Java attack

David Hopwood, a Java researcher in the UK, has uncovered a new security bug
in Java [RISKS-18.18].  In simple terms, he has been able to manipulate the
way objects are assigned and the way they collaborate, in order to undermine
the applet security manager.

Hopwood contacted JavaSoft directly re: the bug, and we have had a team
working on a fix for the past 72 hours.  In addition, we are applying
Hopwood's model to conduct a security review, to determine if there are
other bugs that may apply.

We are currently thoroughly testing the fix, and plan to release a patch as
soon as possible.  As we complete more testing of the fix, a more detailed
description of the bug and the fix will be added to the JavaSoft security
FAQ at http://java.sun.com/sfaq/.

JavaSoft is grateful for the internet security community's active interest
in reviewing our code and we welcome feedback that makes Java better
technology.

------------------------------

-------------------------------------------------------------------------
Steven Weller                      |  Technology (n):
                                   |
                                   |     A substitute for adulthood.
stevenw@best.com                   |     Popular with middle-aged men.