Posted by timothy on from the but-that-'s-unpossible dept.
tanveer1979 writes: "An article in The Times of India reports that Sun and Microsoft have released a joint bulletin about a security hole in the JVM code."
The full and custom installations of Netscape 6.1, 6.0.1, and 6.0 are affected since they include an affected version of the Java Runtime Environment. The default Java runtime environments of Netscape(TM) Communicator version 4.79 and earlier are affected.
Re:It's a hole in Java
by forkspoon · Score: 0, Informative
Hold on captain America, if you read the article it's in the Microsoft JVM.
Second, it is only a vulnerability if the connection is to an applet through a proxy, so really it's a very minor problem, although it may be a large hole the conditions for its use are limited.
Thanks,
Travis forkspoon@hotmail.com
Um, hello people?
by Muggins the Mad · Score: 3, Informative
From the security advisory:
Affected Releases:
Windows Production Releases. Solaris Production Releases. Linux Production Releases.
It's not specific to Windows.
Maybe the editors really don't read these things.
- MugginsM
Original Vulnerability Report
by Carl · Score: 3, Informative
See the following page for the original vulnerability report by Harmen van der Wal (as acknowledged by Sun). He even tested the Free Java implementations GNU Classpath and Kaffe.
original report
by f00zbll · Score: 2, Informative
Courtesy of a /. poster, you can see the original alert. If you're too lazy, here is the meat of it:
Problem
An applet could do irregular, unchecked HTTP requests.
Consequence
Network access restrictions that apply, can be bypassed. Only systems that have a HTTP proxy configured can be vulnerable.
One particular nasty exploit is where a remote server, aided by a hostile applet, hijacks a browser's persistent HTTP connection to its configured HTTP proxy.
As far as exploits, it's not the worst or benign. This probably affects corporate networks that use HTTP proxy servers which aren't properly secured. People who don't use proxy servers don't have to worry about it.
Not as bad as it sounds
by karlm · Score: 2, Informative
Don't run for the hills quite yet, (unless you're using MSPassport or some other system that gives up all the goods with a cookie compromise).
This does not affect your filesystem integrity or directly affect the security of the localhost. It allows an applet to hijack your HTTP Proxy connection (if you have one) and make arbitrary network connections if you already have a proxy set up.
As far as I can tell:
Vulnerable assets:
- CPU cycles
- Bandwidth
- ??Cookies??
- ?? non-certificate-based SSL connections ??
They can always steal CPU cycles if you allow them to run applets. They can use this to create a distributed mirror of their Evil Content (TM) or do a DDoS. If this allows them to fool the browser into connecting to the wrong site, then SSL connections without VeriSign or other pre-downloaded certificates will be vulnerable, as will all of your cookies.
DDoS and SSL connection spoofing are the only things likely to be large-scale problems if they are even possible at all with this exploit.
Speaking of cookies, don't give Passport your credit card number. I took Rivest's network security class at MIT last term. One group's final project was analyzing several cookie-based authentication systems. It turns out that MS lies about their implementation. The design calls for site-specific cookies, similar to broken Kerberos tickets. It turns out that at least at that time, Passport was issuing identical cookies for different sites. This means if you buy a $2 pair of socks from PassportClothes.com and someone steals your cookies for that site, they can authenticate themselves to PassportComputers.com and order computers. Sure they may only ship to your address, but the social engineering to change the shipping address while the package is in transit isn't too tough. They could also buy themselves a lifetime membership to PassportEBookOfTheMinute.com, all because you bought a pair of socks. If MS stuck to their design, the blackhats could only pretend to be you at PassportClothes.com and would be limited to buying cashmere sweaters and leather jackets. Of course, MS could have further entrenched I.E. by implementing something sniff proof that used Kerberos tickets or public key signatures (short duration Verisign-like certs), but they chose to use cookies in order to make adoption easier. Adoption wouldn't be any harder if they used short-duration MS-signed certificates for mutually authenticated SSL connections. Oh well. It's not like we expected them to get it right until their fifth try anyway.
http://www.xs4all.nl/~harmwal/issue/wal-01.txt
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
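The contrast karlm draws between identical cookies for every site and site-specific ones, as an added example that is not part of the thread and does not reproduce Passport's real cookie format. The keys, the `|`-separated layout and the function names are assumptions made for illustration; the site names are the hypothetical ones used in the comment.

```python
import hashlib
import hmac
import time

# Constructed demo keys; a real issuer would share a secret key with each site.
COMMON_KEY = b"demo-common-key"
SITE_KEYS = {
    "PassportClothes.com": b"demo-key-clothes",
    "PassportComputers.com": b"demo-key-computers",
}

def _tag(key, *fields):
    if any("|" in f for f in fields):
        raise ValueError("field contains the separator")
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()

def issue_shared(user):
    """Weak design: the same cookie is handed to every site."""
    return f"{user}|{_tag(COMMON_KEY, user)}"

def verify_shared(cookie, site):
    """The site plays no part in the check, so every site accepts the cookie."""
    user, _, tag = cookie.rpartition("|")
    try:
        expected = _tag(COMMON_KEY, user)
    except ValueError:
        return False
    return hmac.compare_digest(tag.encode(), expected.encode())

def issue_site_bound(user, site, now=None, ttl=300):
    """Site-specific design: the MAC covers the site and an expiry time."""
    expires = str(int((time.time() if now is None else now) + ttl))
    return f"{user}|{site}|{expires}|{_tag(SITE_KEYS[site], user, site, expires)}"

def verify_site_bound(cookie, site, now=None):
    parts = cookie.split("|")
    if len(parts) != 4 or site not in SITE_KEYS:
        return False
    user, cookie_site, expires, tag = parts
    # Recompute under the verifying site's own key and name.
    expected = _tag(SITE_KEYS[site], user, site, expires)
    if cookie_site != site:
        return False
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return (time.time() if now is None else now) < int(expires)
```

With the site-bound form, a cookie captured at one site fails verification at every other site and stops working once it expires, which is the limit on damage the comment says the published design would have provided.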