[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FYI] (Fwd) Fwd: New Hole in Java 2

------- Forwarded Message Follows -------
Date:          Mon, 5 Apr 1999 12:00:03 -0400
To:            cypherpunks@cyberpass.net, cryptography@c2.net, coderpunks@shipwright.com,
From:          Robert Hettinga <rah@shipwright.com>
Subject:       Fwd: New Hole in Java 2

--- begin forwarded text

Date: Mon, 5 Apr 1999 16:46:17 +0100
To: usual@espace.net
From: Fearghas McKay <fm@espace.net>
Subject: Fwd: New Hole in Java 2
Reply-To: "Usual People List" <usual@espace.net>
Sender: <usual@espace.net>
List-Subscribe: <mailto:requests@espace.net?subject=subscribe%20usual>

--- begin forwarded text

Date: Mon, 5 Apr 1999 09:44:29 -0400 (EDT)
To: fm@union.co.uk
Subject: New Hole in Java 2
From: gem@rstcorp.com (Dr. Gary McGraw)
Reply-To: gem@rstcorp.com

Dear Fearghas McKay,

Karsten Sohr at the University of Marburg in Germany (email
sohr@mathematik.uni-marburg.de) has discovered a very serious security
flaw in several current versions of the Java Virtual Machine,
including Sun's JDK 1.1 and Java 2 (a.k.a. JDK 1.2), and Netscape's
Navigator 4.x.  (Microsoft's latest JVM is not vulnerable to this
attack.)  The flaw allows an attacker to create a booby-trapped Web
page, so that when a victim views the page, the attacker seizes
control of the victim's machine and can do whatever he wants,
including reading and deleting files, and snooping on any data and
activities on the victim's machine.

The flaw is in the "byte code verifier" component of the JVM.  Under
some circumstances the verifier fails to check all of the code that is
loaded into the JVM.  Exploiting the flaw allows the attacker to run
code that has not been verified; this code can set up a type confusion
attack (see our book "Securing Java" for details
http://www.securingjava.com) which leads to a full-blown security

We have verified that the flaw exists and is serious.  An attack
applet has been developed in the lab to exploit the flaw.  Sun and
Netscape have been notified about the flaw and they are working on a

Thanks for your interest in Java Security,

Dr. Gary McGraw                      Prof. Edward W. Felten
Reliable Software Technologies       Secure Internet Programming Lab
gem@rstcorp.com                     Dept. of Computer Science
                                     Princeton University
http://www.securingjava.com          felten@cs.princeton.edu

--- end forwarded text

--- end forwarded text

Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/> 44
Farquhar Street, Boston, MA 02131 USA "... however it may deserve
respect for its usefulness and antiquity, [predicting the end of the
world] has not been found agreeable to experience." -- Edward Gibbon,
'Decline and Fall of the Roman Empire'