Java/Script Alert: Cross-Platform Browser Vulnerability

Ant writes "Synopsis: Opera, Mozilla & Netscape with javascript enabled are vulnerable to remote command execution. This has been tested on Microsoft, and many many Unices. Macintosh may also be vuln. Ironically enough, IE is unaffected." Update: 06/08 23:56 GMT by H : The problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability. Update: 06/09 00:56 GMT by T : According to this followup message from Mozilla security group member Daniel Veditz, the problem is actually one that's already been fixed in Mozilla 1.3, and not a remote command execution vulnerability at all. (Thanks to reader Jared Klett and others.)

Ex-Squeeze-Me?!

[inertia187]

I'm going to stick my neck out here and say, What.In.The.Hell? Who's the editor on-duty here, an Onion stand in?

First of all, the example made is JavaScript, not Java. Second, the example shows how to bring up a page 23000 seconds after they left the page. Not good, but not new either. So what's the big deal?

Re:Ex-Squeeze-Me?!

[krisp]

The second link to the page with a java applet which loads an off-site image apears to work in Camino (macos x, based on mozilla source tree). Aparently, it is vulnerable.

Re:Ex-Squeeze-Me?!

[krisp]

Followup:

This page opens up a BBC java nav bar, which, according to the java security model, should not be able to. I tested this with MSIE for Mac, and the bar was not loaded. Mozilla Firebird for OSX also loads the applet (im)properly

Re:Ex-Squeeze-Me?!

[inertia187]

Besides this link being part of the original article, I don't see how this is related. If you turn off JavaScript, this applet still attempts to load.

Furthormore, I don't see how this applet violates the java security model. After running a netstat, I did not see a connection to www.hq.af.mil.

Re:Ex-Squeeze-Me?!

[Alsee]

the example made is JavaScript, not Java. Second, the example shows how to bring up a page 23000 seconds after they left the page. Not good, but not new either. So what's the big deal?

He is proving you can climb over one of the walls in the security system. It looks harmless because what he wrote is harmless in itself. The people capable of fixing the problem also know what you can do once you've climbed that wall. There is an entire history of old attacks that are all sealed off by a single security wall. If you can bypass that wall then all the old exploits work again. I think the Javascript/Java confusion is over the fact that BOTH seem to be involved. Java is safe because it runs inside the sandbox walls. The posted code shows there's a way to climb over the sandbox wall. All the old attacks work again.

He said "here's a gun" and mentioned that there's old ammunition lying around. Script kiddies generally know how to use a loaded gun, but they don't know how to dig up ammunition and load that gun. The people who know how to fix the problem just need to see the gun to understand what they need to fix.

-

Obligatory rant

[OmniVector]

Java is NOT THE SAME THING as JavaScript.

Come on slashdot editors, it's not hard to know the difference (this is in reference to the article title).
</rant>

Re:Obligatory rant

[rasafras]

However, it seems to be related to both, hence Java/Script. Read past the title, too.

Re:Obligatory rant

[Kircle]

The article is incorrect. It states:

"New bugs were discovered in Netscape's implementation of Java has been found which allows a remote site to read any file on the client machine and to set up a Java server which anyone can connect to. Brown Orifice HTTPD starts a Java server which allows others to read files on your machine." Fix: Disable Java immediately

Netscape does not have an implemention of Java. It does, however, have an implementation of JavaScript.

Re:Obligatory rant

[rasafras]

Well, it seems I was wrong. Oops. The editors'll probably repost the article in a day or two anyway, maybe they'll fix it then.

Re:Obligatory rant

[SashaM]

It seems the problem is not with Java, but with the browser being fooled to believe it's loading a page from a site other than the one it is actually loading the page from. The browser then passes this wrong information to the Java runtime, which then works as expected - allowing an applet to do things it would not normally be allowed to do.

Re:Obligatory rant

[SashaM]

Netscape did have an implementation of Java, which was used in versions 3.xx and 4.xx. Right on top of the paragraph you quote, it says "circa 2000" - it's just a reminder of an older bug.

Not to say this is an actual Java vulnerability - it's just Javascript fooling the browser into thinking it's download an applet from site A when it's in fact being downloaded from an attacker's site.

"Macintosh may also be vuln."

If you can't be bothered to write out entire words, don't post articles to slashdot.

It's not like you were tight on space there.

Re:"Macintosh may also be vuln."

[antdude]

RTFA. I copied and pasted it.

Re:"Macintosh may also be vuln."

I love the way people on slashdot don't see anything wrong with coping chunks of text without mentioning that they didn't write it. It's even more ammusing when it happens inline with text they did write, so you can't tell which is which.

(Apologies if you did write the origional yourself, but I didn;t get the feeling that is the case.

Re:"Macintosh may also be vuln."

[anthroboy]

Word up. I mean, WU, you Anon. Cow.. Truth be told, though, I'm far less horrified by this needless abbreviation than I am by the crude abbreviation of vulnerable to 'vuln.' Just what could possbily inspire one to think, "You know, 'vulnerable' is more or less redundant by the time you get to that 'erable' part." How vulg. of you. I'd go so far as to say that you must be stup. and laz. to abbrev. that way. -Since., Anthroboy

WTF, over?

[alecto]

WHAT, exactly does the Java security model have to do with JavaScript--an unfortunately named, but totally different, animal?!

Re:WTF, over?

[LostCluster]

Simply put, a JavaScript is being used to call for a Java applet after the user has presumably left the page... the result is a Java applet that is permitted to run outside the usual sandbox, and there's your hole.

Both are flawed...

Re:WTF, over?

[MillionthMonkey]

WHAT, exactly does the Java security model have to do with JavaScript--an unfortunately named, but totally different, animal?!

I'm sure you are aware of the recent marketing fiasco at Microsoft, where the company shot itself in the foot by severly diluting its new .NET trademark. Every marketer in the company wanted in on the .NET thing, and soon all product literature from Microsoft was yapping about .NET this, .NET that. Customers were confused as hell. But the .NET trademark dilution wasn't quite invented at Microsoft. Ironically, like most aspects of .NET, it had a previously existing counterpart in the world of Java.

When JavaScript was originally invented, it was "LiveScript". There was a client version that ran in the browser, and a server version that ran on Netscape servers (and went nowhere). But it was released during the Java applet hype, and marketers at Netscape forced the name change to "JavaScript". Netscape also implemented interfaces between Java and JavaScript so that JavaScript would be more tightly coupled with the crappy JVM that was shipping in Netscape browsers back then. They were actually trying to turn JavaScript into something that would merit the horrible name they gave it.

Specifically, you could invoke Java methods from JavaScript, and vice versa. For example, assuming you had an applet in the document using the standard <APPLET CODE="AppletClassName"></APPLET> syntax, you could (from JavaScript) call methods on the applet straightforwardly:
var javaString = document.AppletClassName.toString();
var javaScriptString = javaString + "";

The javaString variable was a java.lang.String. You first had to turn it into an ordinary JavaScript string by appending "" to it. Java objects that weren't strings kept their type information in the world of JavaScript, and you could presumably call methods on them. Like, you could get a java.util.Vector, add JavaScript strings to it using addElement(), and then (back in Java) iterate through the Vector. Inside the JVM, the JavaScript strings were objects of type javascript.string or something like that. There were entire javascript.* packages containing Java mappings of JavaScript objects. An applet could acquire JavaScript references to the document, browser, etc. and manipulate JavaScript variables. (This was a long time ago during the boom, when people would actually pay you for knowing stupid stuff like this, so I may be getting the details wrong.)

Once the browser war heated up, you simply couldn't use any of this crap since Microsoft left it only half implemented in IE. I think that invocations from JavaScript to Java worked in IE, but not the other way around (there was no way to access JavaScript from Java).

Anyway, the article is vague, my memory of such things is old, and I never really used it more than once or twice. But if there is a hole to speak of, it looks to me like this interface I've described might have something to do with it.

Re:WTF, over?

[MillionthMonkey]

After rereading the securityfocus link (the article itself is nonsensical), it's clear the mechanism I described only has a tangential relationship with this vulnerability.

You start from the hacker's page X. You click on a link that goes to trusted site Y. Browser loads security policy for Y, before the page X has disappeared from the screen. During those few seconds, any clicks on links in X will execute their onClick() handlers with the privileges of trusted site Y. Where does Java come in? Well, it's hard to write an HTTP server and list directories with JavaScript! So you get an applet to do it for you- which can be done by calling an applet method from onClick(). (Or in other ways, like a popup containing the applet. In fact, onExit() would presumably be an excellent place to put this code.) The incorrect security policy (for Y) is propagated to the Java runtime from JavaScript when the method call is made.

The bug is in JavaScript, and the timing of the browser's interaction with it. Java is merely brought in to do the dirty work once the malicious JavaScript code has fooled the browser into giving it the security permissions it needs.

There are many, many more issues than I have discussed. The minimal release is for giving the blackhats time to play.

I suspect the "minimal release" is because he doesn't understand what he's talking about.

Re:WTF, over?

[jilles]

No, it's not running out of the sandbox. The bug is in the javascript which allows the page developer to secretly access a website behind your back. This website happens to also load an applet. Java then applies the usual sandbox restrictions to that website (i.e. you can't go anywhere else, no local file access, etc.).

The applet can access the same information on your PC as normally (i.e. almost nothing). And the applet can communicate with server applications on on the website. The security risk is the same as with any other applet on any other site. The only difference is that the browser makes the choice of loading it instead of you (just like with popups). You think you're visiting server x and you are redirected to server y.

The fix for this bug is to fix the javascript implementation. Not a single line of the java implementation needs to be changed for this. Apparently this has been done in Mozilla already.

Oh darn...

[wmspringer]

Does this mean I have to download a patch for Mozilla tomorrow to fix this? ;-)

Re:Oh darn...

[UnknownQ]

Actually if you downloaded a patch yesterday it would have worked, this has been fixed since in mozilla since 1.3.

No, Alanis...

[ari_j]

That's not ironic. It's unusual, yes, but not ironic.

Re:No, Alanis...

[thebatlab]

Actually, it could be considered ironic. One of the definitions for ironic is: "Poignantly contrary to what was expected or intended" So, what is generally intended in a browser vulnerability is that IE *will* be affected. It wasn't and therefore is ironic.

Re:No, Alanis...

No, what would be ironic is if an entire website full of know-nothing blowhards constantly touted any and all browsers except one because that one "had security vulnerabilities" and then a security vulnerability came along that worked in every browser except the one the jackwits hated. That would be ironic.

Re:No, Alanis...

[thebatlab]

Yes, I meant "expected" but misspoke. And yes it is ironic. Maybe re-read the definition of ironic again after replacing "intended" with "expected" in my comment.

Maybe, maybe not.

[Jade+E.+2]

There was a relevant message from Dan Veditz, of the Mozilla securitygroup, on the full discolsure list just this morning. I'd post the text but the lamesness filter doesn't like it. You can read it here.

IE isn't the only one not vuln

[birdman666]

I believe Safari is also immune to this.

so which is it?

[jeffy124]

Headline says Java, writeup says JavaScript, Hemos update references both. Turning off JavaScript does not affect the Java plugins. Turning off the Java plugin does not turn off JavaScript.

So which is it?

Linux protects me well.

[Reservoir+Penguin]

Thats OK, I couldnt even install the java plugin on linux, because apparently the java plugin was compiled with pre 3.X gcc and mozilla 1.4 itself was compiled with gcc 3+, is there a compatible java plugin for recent mozilla somewhere?

Re:Linux protects me well.

[dpanofsky]

You can get the java sdk & re compiled with either GCC 2.95 or GCC 3.2 from the blackdown mirrors. You should find the closest mirror to you from the blackdown.org website. Here's the path to the GCC 3.2 version of the 1.4.1 sdk which is hosted at ftp.tux.org: /pub/java/JDK-1.4.1/i386/01/j2sdk-1.4.1-01-linux-i 586-gcc3.2.bin

KDE unaffected

[yanestra]

konqueror doesn't show this - whatever you call it.

So...

[Faust7]

Let no hat, black white or grey, wander in on or about the www without fear.

...Red's up in the air, then?

Re:Maybe, maybe not. - The text of the above

meme-boi wrote:
> Synopsis:
> --------
>
> Opera, Mozilla & Netscape with javascript enabled are vulnerable
> to remote command execution. This has been tested on Microsoft,
> and many many Unices. Macintosh may also be vuln.

The exploit example you give is not remote command execution but rather a
violation of the same origin policy. Unless there are additional details you
are withholding this same flaw was reported on Bugtraq April 15

http://www.securityfocus.com/archive/1/318777

and fixed in Mozilla 1.3

http://bugzilla.mozilla.org/show_bug.cgi?id=2011 32

> There are many, many more issues than I have discussed. The minimal
> release is for giving the blackhats time to play.

If instead you'd like to give the whitehats time to fix them details would
be gratefully received by "security" at "mozilla.org"

-Dan Veditz
Mozilla security group member

Re:Ironic?

[archen]

It's ironic because Alanis Morissette managed to single handily confuse people with what occasion they should use the word "oddly".

Timesaver - The most common comments you'll see

[buzzcutbuddha]

The advisory states that Internet Explorer isn't affected by this vulnerability. Before someone else states it, I'll get them out of the way, silly as they may be:

• "This must have been posted by Microsoft as FUD to get people to stay away from superior products! It's all a trick! Don't listen!"
• "What's up Taco? I thought April Fools had passed!"
• "Javascript serves no purpose ever, and why anyone would ever use it is beyond me!"
• "This is why we should all be using IE. I've never had a problem with IE security! Linux [l]users sux0rs!"

Did I miss any?

Re:Timesaver - The most common comments you'll see

[eMartin]

"Did I miss any?"

I'd say so, considering 90% of the posts below are complaining about the fact that Java and Javascript were mentioned in the same article.

Ouch

[Faust7]

if you turn off JavaScript, you turn off the vulnerability.

Man, talk about a one-liner to give the anti-Java folks.

Safari is immune

I just tested with both Safari v74 (1.0b2) and v48 (1.0b), the example hack provided in the link did not work.

Isn't Mozilla more accountable?

[AtariAmarok]

" The user base for these two browsers combined is infinitesimal compared to IE. It thus stands to reason that all of the bugs and vulnerabilities of these browsers lay dormant, "

It would seem to me that the opposite is true. Mozilla goes out of their way to make it easy to report bugs and problems, while with MSIE all there is is a feedback thing buried in the Help menu that is likely a black hole resulting in nothing but spam.

Microsoft has a habit of leaving bugs and problems in place for years, while the Mozilla guys appear to be much more responsive. After all, they killed popups for their browser.

In other words, it seems to me that Mozilla has a much better and much more developed "improve the product and get rid of bugs" system going than Microsoft does for MSIE.

(I'm still waiting for MS to turn on the "bottom of the browser line that shows links, progress, etc" that they removed.)

"You are probably more vulnerable, when you take into account the lack of users and lack of accountability of the OSS project developers"

The Mozilla guys are much more accountable: look at the forums they have for dealing with problems. Also, they have to be accountable or people will choose "No Mo' !". In contrast, Microsoft does not have to be accountable with MSIE: whether or not anyone likes it, they give it away as the default browser on just about all PC's.

This seems bogus.

[pegacat]

At first blush this seems plain wrong.

There's not really enough evidence in the post to go on, but the example exploit is pure nuisence java script, which has nothing to do with java

Reference is made in the text to ancient *java* bugs, but no detail is given as to how they might be related to the current, claimed bug.

If there's more here than meets the eye I'd like to see it, but there doesn't seem to be any meat in this announcement, it seems to be just a historical retrospective and an annoying-but-not-dangerous-or-new snippet of javascript.

Am I missing something here?

RTFA, damnit!

[fm6]

The exploit involves both Java and Javascript. It seems to involve having the user execute a Javascript program, which downloads a non-sandbox Java class file.

Re:RTFA, damnit!

[The+Slashdolt]

I read the article and nowhere is there a spec of java code. It references previous vulnerabilities that had java code. But his vulnerabilites has zero java code. It's pure javascript.
If you look at the exploit, he is setting a function to be called after a page is loaded on another page. This function is a JAVASCRIPT function which is then run in the context of the newly loaded page.
He is comparing a javascript function running outside of the javascript sandbox to a java type sandbox. Like I said, I RTFA, and I UTFA (understand).

a duck

as reported on the full disclosure list, this doesn't let blackhats execute remote commands (or local, depending on your view point). this is "merely" (bad enough I suppose) a violation of the same-origin policy in javascript.

the same-origin policy dictates, that any code running, cannot modify anything, which is loaded from another domain. it may not even read from variables.

more here:
http://lists.netsys.com/pipermail/full-disc losure/ 2003-June/010200.html

both

[Trepidity]

Basically, JavaScript is used to trick the browser into loading an unsandboxed Java applet.

Forgot about IIS & Apache Web Server?

[SilentMajority]

Nice try but your "logic" (lol) fails the obvious test.

IIS has smaller marketshare than Apache Web Server, yet MANY more IIS vulnerabilities have been discovered and MS took a LOT longer to fix/patch IIS than Apache.

Re:IE not vulnerable

[Ogerman]

It's pretty clear that IE's problems are slowly but surely being squashed. When you have a user base as large as IE's, it is inevitable that these problems will be found quickly and exploited and then fixed. We can take this as an indication that the larger the user base of a software product, the faster bugs will be found and eliminated.

It's pretty clear, judging by this and some of your former posts, that you work for Microsoft or at least enjoy spreading their nonsense FUD. Your assumptive argument--that a smaller user base means that OSS has more undiscovered bugs--is entirely illogical. ..Not to mention it flies entirely in the face of the fact that IE has the most piss-poor standards support of any modern browser. (CSS in particular).

Now take Mozilla and Opera as opposing examples. The user base for these two browsers combined is infinitesimal compared to IE. It thus stands to reason that all of the bugs and vulnerabilities of these browsers lay dormant, waiting for someone to come along and exploit them. But without a serious user base hammering away at the product all of these problems lie wide open for any hacker to come along and abuse.

There you go again. You seem to miss the point entirely that having code open for review allows "hackers" to find security holes much faster and easier. So if a problem exists, it gets fixed much sooner than a closed source program which requires a lot more prodding and guesswork to discover the vulnerabilities. And yet IE still has historically had far more security issues than Mozilla.

Just because you don't use Microsoft products doesn't mean that you aren't vulnerable. You are probably more vulnerable, when you take into account the lack of users and lack of accountability of the OSS project developers.

Yet another patently untrue statement. Microsoft products have a far worse history of vulnerabilities than Open Source alternatives. Again your comment about "lack of users" is irrelevant. And your statement that OSS developers lack accountability is entirely baseless.

The M$ dominated world is quickly coming to an end and there's absolutely nothing you can do about it. For your own sake, wake up before you become entirely obsolete.

trainwreck

[anotherone]

Between the awful writing in the article, the broken examples, the Java/Javascript confusion, and the contrarian IE-is-safe-but-mozilla-isn't thing; this may very well be the worst slashdot story ever.

Re:trainwreck

[fm6]

Surely you jest. What about all those "Ask Slashdot: What's a computer" stories? Not to mention Aimee Deep!

Seems like it

[ccevans]

This message seems very strange.

Take, for example, the commentary:
There are many, many more issues than I have discussed. The minimal release is for giving the blackhats time to play.

Furthermore, the language used is like nothing I have ever seen before.

The poster states that this is a Java problem, but then states that any browser with Javascript is vulnerable to remote command execution. He/she then goes on to give an exploit which has nothing to do with either Java or remote command execution.

The first exploit doesn't seem like much of an exploit either. Instead, it seems to that the script opens a popup, and then at some later time, changes its content. What is wrong with that?

As for the other exploits, they don't seem to have anything to do with the first exploit. They seem to be old Java exploits.

At the end, the poster recommends everyone turn off Java. But at the beginning, the poster said that everything with Javascript enabled is vulnerable, and the first exploit has nothing to do with Java.

Overall, I think it is easy to see that this poster was a troll. The general statements that are made, the lack of any specific information, and the mixing of unrelated exploits seem to make this quite obvious.

Re:Seems like it

[pVoid]

Why have you been moderated Insightful, it beats me... but let me tell you one thing: you are no security expert. It shows by the way you said

The first exploit doesn't seem like much of an exploit either. Instead, it seems to that the script opens a popup, and then at some later time, changes its content. What is wrong with that?

Now, young grasshoppah... tell me by just starring at your screen what applications are running on your box. no 'ps' no taskmngr... Unless you are the oracle, a virus is pretty much invisible.

I think you are too caught up watching movies like Swordfish or the like, where viruses actually 'freeze' your computer by drawing frost marks over your my computer icon.

On another note: if you've read any of the other posts on /. today, it seems to be a java vuln. triggered by using some basic javascript.

Yeah, unrelated they are, but in tandem they can be used.

Re:Read _Any_ File?

[ruprechtjones]

> which allows a remote site to read any file on the > client machine

That's why I keep my any file hidden away, accessible only by pressing the any key.

Ouch, again!

[theolein]

Slashdot, you're like a second home to me, but please don't post stories like this any more. It's embarrasing. Try to look at the article, read it and evaluate it for validity before posting it.

For the record, the Java vulnerabilities the decidedly juvenile post is talking about is the bohttpd java vulnerability that existed in netscape 4.7 browsers up to 4.76 I think it was, where the exploit enabled the jvm to turn into a http server for the whole filesystem. This was around 1999 to 2000 I think.

However, this post has nothing whatsoever to do with java. It reads far more as if some teenager has just discovered that one can do some funky stuff with javascript, such as function callbacks, crossframe clowning around and a bit of childish mischief such as opening a miniwindow with a script to track the users movements, as a lot of pornon sites do.

Congratulations, kid, next thing you know, they'll be calling you Mitnik ;)

Re:Ouch, again!

[Sonicated]

Slashdot, you're like a second home to me, but please don't post stories like this any more. It's embarrasing. Try to look at the article, read it and evaluate it for validity before posting it.

Aww, that almost brings a tear to my eye. I'm going to hate to see how the dupe affects you..

:)

You must be joking

[bgarrett]

One of the linked pages provides a list of several vulnerabilities, one of which was announced recently.

If slashdot is going to post stories for subscribers well in advance, can it put some of its filthy lucre toward hustling some subscriptions from computer professionals of long experience, people literate in the English language, and other hard-to-find folks to fact-check BEFORE yet another elementary blunder makes the front page?

Re:IE not vulnerable

[bazmonkey]

lack of accountability of the OSS project developers.

1) Many OSS developers are employed by companies (AOL/Time, RedHat, IBM, etc.) that they must be accountable to, and 2) Unlike proprietary products, when an OSS app does something wrong, people point and go "This is the schmuck that did it." There is a lot of accountability when everyone can see what you code.

And a larger codebase doesn't help much when the vast majority of that codebase does the same exact thing online. You tell me how many old ladies checking their MSN mail and ordering E-greeting cards it would take to find this vulnerability.

I'm not saying everyone using IE is dumb, or that everyone using Linux is smart. What I am saying is that thousands of users just like me wouldn't have made this problem any more visible. I would never have stumbled upon this. Moreover, I can guarantee you that many more Linux/Mozilla users are tech-savvy and fill out their bug reports compared to Windows users. Besides, it "stands to reason" that Mozilla could fix bugs faster. IE users trust a small few people to their security; if they don't fix it no one will. In the OSS world, it only takes a couple frustrated coders tired of a vulnerability to have it fixed.

We're a community, Windows users are consumers.

Re:MODERATE!

[akpcep]

He's caught a lot of fish and is about to apply some perfume?

Turing-Complete is Evil

[Tablizer]

The problem is having a Turing-complete language that is sent to and runs on the client. We need acceptance of protocols that work well without needing TC downloadable scripting or applets.

Being TC opens up hacking risks considerably over non-TC protocols.

I have not seen much research on non-TC protocols. I have a pet GUI form protocol called SCGUI that is meant to work effectively non-TC, but there is not much for HTML-based action right now.