Karsten Sohr at the University of Marburg in Germany recently uncovered a serious security flaw in several current versions of the Java Virtual Machine, including Sun’s JDK 1.1 and Java 2 (a.k.a. JDK 1.2), and Netscape’s Navigator 4.x.
The bug allows an “attacker” to create a Web page which enables the attacker to seize control of a visitor’s machine and do practically anything they want, including reading and deleting files, or snooping through any data and activities on the visitor’s machine.
The flaw occurs in the “byte code verifier” component of the JVM. Specific circumstances cause the verifier to fail to check all of the code that is loaded into the JVM. By exploiting that flaw, the attacker is able to execute code which has not been verified.
The researchers have verified that the flaw does exist and that it is serious. Code which exploits the flaw has been developed in the lab, and Sun and Netscape have been notified and are said to be working on a solution.
Researchers found that Microsoft Visual J++ 6.0 was not affected by the flaw; the following JVMs, however, were affected:
- JDK 1.1.5 (Solaris)
- JDK 1.2beta4 (Solaris)
- JDK 1.1.6 (Solaris)
- JDK 1.1.7 (FreeBSD)
- JDK 1.2 (NT)
- JDK 1.1.6 (NT)
- Symantec Visual Cafe Version 3
- Netscape 4.5 (FreeBSD)
- Netscape 4.5 (NT)
- Netscape 4.05 (NT)
- Netscape 4.02 (Solaris)
- Netscape 4.07 (Linux)
For additional information about the security flaw, contact Dr. Gary McGraw from Reliable Software Technologies, or Prof. Edward W. Felten of the Secure Internet Programming Lab, Dept. of Computer Science, Princeton University.