Cross-Platform Java Sandbox Exploit
DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.
...Or better, since Java runs in a (relatively) secure sandbox. It's worth noting, from the article, that there hasn't to date been a single Java virus. This is bad, but it has to get a lot worse before comparison with ActiveX is warranted.
This is where the serious fun begins.
This bug affected IE and Firefox, but not the Opera Browser.
Opera Watch - An Opera browser blog.
There are already proof of concept viruses that work on both Linux and Windows. [...] article if I remember right, but I can't seem to get the right search terms to find it.
http://antivirus.about.com/library/weekly/aa03280
http://www.itworld.com/AppDev/1312/IWD010328hnvir
Looks like this has been happening since 2001 according to the ITworld article (look at the date in the upper left-hand corner).
The only thing that has changed is the vector of infection. There was also a
Stop signs are only Suggestions
From the horse's mouth right here. The issue is actually with the plug-in, not Java itself. In brief, you can load a Java class in an applet via JavaScript using getClass().forName() and use that reference to make calls outside the confines of the sandbox.
www.java.com is only offering j2re-1.4.2_05, a vulnerable version.
Version 1.5.0 is available from java.sun.com.
WAKE UP SUN!
I tested my PC, which the sample code worked on, but it didn't seem to work on my Mac, which runs OS X 10.3.6, in Safari or Firefox. Safari comes back with a "Class undefined" and Firefox just seems to ignore the JavaScript alert at the end.
Anyone else try this on the mac and have similar results?
Only on slashdot would a comment that this exploit is "Not that critical" receive a "Score:4, Insightful" rating.
Last night, while sitting at my machine, I noticed a Java icon appear in my taskbar. "That's weird," I thought, "I'm not doing anything or hitting any pages that should need the JRE." Since I don't use the JRE much anymore (I installed it while testing a Java-based web server) I went to "Add/Remove Programs" and uninstalled j2re-1.4.2_05.
Too late. This morning I browsed to Slashdot and saw the parent article telling me why the Java icon had popped up.
Whatever payload the thing delivered appears to have punched a hole in Norton AntiVirus (the Norton Firewall console is reporting that Norton AntiVirus requires "Urgent Attention" but the annunciator on the AntiVirus tab appears to have been disabled in an effort to hide whatever was done to the AntiVirus). It may also have installed the bat/mumu-a worm (one spyware scanner is reporting an infection by the worm, but Symantec's bat/mumu-a removal tool reports the machine is clean).
Once a drive has been compromised by something more complicated than a simple virus, there's no way you can ever trust the machine again because there is no way to know what sort of rootkit the exploit delivered.
I've already disconnected the machine from my network and picked up a new hard drive. The old hard drives will go into an external drive housing that I'll only connect to the machine (a) after I have antivirus software reinstalled and (b) only if I absolutely have to pull data from the drive.
"Not that critical" hah! This is by far the most serious attack I've ever been hit with, and I downloaded j2re-1.4.2_05 at most two months ago (elsewhere in the comments someone is reporting that j2re-1.4.2_05 is still available for download from sun.com, I can't confirm that but this is hardly an antiquated version).
There goes my day...
-Don