The Java security sandbox has sprung another leak. A researcher in Germany has discovered a new flaw in the Java Virtual Machine from Microsoft Corp. which could enable a malicious programmer to take control of a victim’s computer.
Karsten Sohr of the University of Marburg has found a way to circumvent Microsoft’s (MSFT) bytecode verifier, the component of a Java implementation that checks, before code is allowed to run, that a class file obeys all of Java’s rules, including the type-safety rules the sandbox depends on. A bug in Microsoft’s verifier allows a programmer to craft a specific bytecode sequence that violates Java’s rules without being detected, according to Edward Felten, director of the Secure Internet Programming Lab at Princeton University.
“Now, the malicious programmer has the ability, within some constraints, to break the rules of Java,” said Felten, who worked with Sohr and SIP member Dirk Balfanz to write a demonstration applet that exploits the flaw and deletes a file on the victim’s computer.
Felten said it’s also possible to code a Java applet that, when embedded in a Web page or an HTML email message, could snoop on the victim’s computer use, as well as read and modify files.
The researchers said the vulnerability appears to be confined to Microsoft’s Internet Explorer browser. Since Microsoft’s Outlook email program uses the IE browser control to display mail messages, it too is vulnerable to applets embedded in email messages. Qualcomm’s Eudora email program can also be configured to use IE to display HTML-formatted email, making it potentially vulnerable as well. Testing by Reliable Software Technologies has further revealed that Netscape Navigator version 4 browsers on all platforms are not vulnerable, nor is the Java virtual machine from Sun Microsystems Inc. (SUNW).
Microsoft representatives were not immediately available for comment, but Felten says the company has been notified of the bug and is working to address it.
Despite the discovery of this new security flaw, Java may continue to be less attractive to malicious hackers than its mobile-code cousin, ActiveX. While Java takes a technology-based approach to security, relying on the bytecode verifier and the sandbox to constrain what code can do, ActiveX instead uses a more human-centered strategy: the user is prompted to decide whether to run a particular ActiveX control based on information about its originator, and once allowed, the control runs with the user’s full privileges. To date, according to Felten, malicious programmers have leaned more toward “human engineering” attacks that fool users into downloading and running their ActiveX code.
“The real dangerous exploits we’ve seen rely on tricking people, and that has proven easier to do than defeating a technology like Java. Not that it requires an extremely high level of technical skill to build this sort of exploit, but someone who is interested in causing trouble may just take the path of least resistance and attack something else.”