A new bug in the Java security model allows malicious Java applets to retrieve images and other Java class files from web servers other than the one the applet came from, although the security model should intercept and stop this from happening. The bug apparently affects most browser versions of Netscape and Explorer, including the current releases.
Credit:
For additional information, and for a very nice demonstration of the exploit (and also to see if your browser is affected) see Ben Mesander's page: http://neurosis.hungry.com/~ben/msie_bug.
For the source of that Java applet go to: http://neurosis.hungry.com/~ben/msie_bug/example0.java.
Microsoft is working on a patch for MSIE: http://www.microsoft.com/windows/ie/security
The Java security model (usually referred to as "the sandbox") does not allow applets to initiate network connections to any host but the host the applet came from. The rationale is that you already trust the server you are connecting to, but you naturally do not want your machine opening connections to arbitrary other servers around the Internet.
The way this restriction is enforced is simple: every network connection goes through Java's "Security Manager", which checks that the applet stays in its "sandbox"; if an attempt is made to break those rules, an exception is thrown.
But this only holds in theory. Ben Mesander discovered a practical way to overcome the restriction. When a web server receives a request, it can redirect that request to another URL. The Java Security Manager should detect this and check the new URL as well. However, due to a faulty implementation in Netscape and Explorer, this check is not done correctly when loading images with the getImage() method and, far more dangerously, when dynamically loading Java classes using a ClassLoader.
Explorer was found to be vulnerable to this attack (versions 3.0x and 4.x). Netscape browsers are vulnerable if a proxy is configured.
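As an added illustration (not code from Ben Mesander's applet or from either browser), the following Python model contrasts the flawed redirect handling described above, where the host check is applied only to the initial URL, with a check that is re-applied at every redirect hop. The host names, URLs and server responses are constructed for the example.

```python
from urllib.parse import urljoin, urlparse

REDIRECTS = (301, 302, 303, 307, 308)

class SandboxViolation(Exception):
    """Raised when a request would leave the applet's codebase host."""

def same_host(codebase, url):
    """The sandbox rule: only the host the applet was loaded from is allowed."""
    return urlparse(url).hostname == urlparse(codebase).hostname

def unchecked_fetch(codebase, url, fetch):
    """Model of the flawed behaviour: the host check runs once, on the
    initial URL, and any redirects are then followed without re-checking."""
    if not same_host(codebase, url):
        raise SandboxViolation(url)
    status, headers, body = fetch(url)
    while status in REDIRECTS:
        url = urljoin(url, headers["Location"])  # Location may be relative
        status, headers, body = fetch(url)
    return body

def checked_fetch(codebase, url, fetch, max_redirects=5):
    """Corrected behaviour: re-apply the host check at every redirect hop.
    Returns the body and the list of URLs actually visited."""
    hops = [url]
    for _ in range(max_redirects + 1):
        if not same_host(codebase, url):
            raise SandboxViolation(f"{url} is off-host; chain: {hops}")
        status, headers, body = fetch(url)
        if status not in REDIRECTS:
            return body, hops
        url = urljoin(url, headers["Location"])
        hops.append(url)
    raise SandboxViolation("too many redirects")

# Constructed responses standing in for the applet's host and a third party.
FAKE_SERVERS = {
    "http://applet-host.example/img/logo.gif":
        (302, {"Location": "http://other-host.example/private.gif"}, b""),
    "http://applet-host.example/img/old.gif":
        (301, {"Location": "/img/new.gif"}, b""),
    "http://applet-host.example/img/new.gif": (200, {}, b"GIF89a-new"),
    "http://other-host.example/private.gif": (200, {}, b"GIF89a-private"),
}
CODEBASE = "http://applet-host.example/applet/"  # constructed applet origin

def fake_fetch(url):
    """Stand-in for the browser's HTTP fetch, served from FAKE_SERVERS."""
    return FAKE_SERVERS[url]
```

With the unchecked version the off-host redirect silently succeeds; the checked version follows same-host redirects (including relative Location headers) but raises on the first hop that leaves the codebase host.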