Java Virus Jumps Out of Sandbox

UPDATED: Security researchers are calling attention to what they called a “fairly significant” vulnerability in Sun Microsystems’ Java virtual machine that gives crackers access to a user’s files.

According to iDefense, the vulnerability targets the internal packages within Sun’s JVM on certain versions of Java 2, Standard Edition (J2SE) 1.4.2 running on the Unix and Windows platform with Internet Explorer (IE), Mozilla and Firefox. The JVM allows Java code to run on any platform, regardless of the operating system.

Sun did not comment specifically on the vulnerability, but issued a statement.

“First, we would point out that there have been no reported attacks that exploit this vulnerability,” Sun said in its announcement. “Secondly, we would note that as of 3 pm ET this afternoon, the latest version of the J2SE JRE will also be available on the site.”

With the JVM breached, the attacker has access to the user’s network and gives them privileges to access, download, upload or execute files within the user’s PC or workstation.

Officials at the security outfit confirmed its existence on J2SE 1.4.2_01 and J2SE 1.4.2_04 and suspect it resides in other builds of the Java technology. Sun was notified of the exploit June 29 and issued an update to the affected software with build 6, published on the Sun Web site Oct. 11, according to officials at the software company.

According to Michael Sutton, iDefense director, what makes this
vulnerability stand out is Java’s otherwise secure method of preventing Java applets from accessing local data without permission, contained in what’s called the sandbox. For a Javascript to access these private JVM packages, a user would normally have to sign an online certificate saying they trust
the information coming from the issuer before it could execute.

“It’s a flaw in the way Javascript interacts with the Java applets, the way it calls them,” he said. “Normally, you should not be able to access anything outside the sandbox and this vulnerability allows you to do so.
The exploit itself is pretty trivial, it’s not very detailed, it’s just a flaw in the implementation.”

While iDefense experts say the target user must be running a browser on top of the JVM for the exploit to happen, it’s possible to create a cross-platform, cross-browser exploit that would give the attacker the same privileges as the victim.

Users can download the latest version of the J2SE Java Runtime Environment (JRE) 1.4.2 here. A complete list of bugfixes in build 6 can be found here.

A workaround to the vulnerability is to either disable Java or Javascript, or use a third-party vendor’s virtual machine (VM), like the Microsoft VM.

News Around the Web