
Flaw in the Sun Java Plugin is elusive and very dangerous

Sun has disclosed information on a serious vulnerability in its Java Plugin software, which affects multiple browsers and operating systems.

A recently discovered vulnerability in the Sun Java Plugin threatens many Web browsers, including Mozilla, Firefox, and Internet Explorer, and it affects multiple operating systems as well.

Details

Of this serious flaw with the Java Plugin, Sun says, "A vulnerability in the Java Plugin may allow an untrusted applet to escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet."

The flaw is in the Java Plugin itself rather than in any one browser or operating system, so it can affect any system running a vulnerable version of Java, whatever the platform.

Sun directs IT professionals to the appropriate Mitre CVE entry for further information, saying that the issue is described in CAN-2004-1029. Of course, CVE entries normally provide almost no information, so even the Sun page is more helpful; read on to see how difficult that page can be to locate.

To see Sun-acknowledged vulnerabilities in Java after November 2002, Sun advises going to the Sun Alert Notifications page. Unfortunately, this is nothing but a search link, and clicking on any of the obvious "patches" or "Security Information" links along the left side of the page doesn't give you any information about current vulnerabilities.

The search engine isn't much help either. For example, if you look up "SDK," the last vulnerability listed is from May 2003. A "JVM" search locates problems announced in July and September of this year, but there is no mention of the current threat (and a search for "Java" provides similar results).

The specific problem in this latest Java threat is actually related to the Java sandbox, the mechanism that is supposed to confine untrusted applet code so it can run safely. However, even if you already know some details of the threat and search for "Java sandbox," you won't find any reports newer than a year old.

Only if you know to click on the "Browse documents" link (and then select Sun Alert Notifications) will you actually find relevant information about the most recent threats.

The new Java Plugin vulnerability in JRE and SDK is listed in document 57591, dated November 22, 2004.


Author's note

Disclosure of this threat was widely disseminated through various news services in the last few days. By the time you read this, however, the Sun links may be more prominently displayed on the Sun site.


Applicability

This affects the Java Software Development Kit and Java Runtime Environment on Solaris, Windows, and Linux. "JDK and JRE 5.0" are not affected according to Sun, but "SDK and JRE 1.4.2_05 and earlier, all 1.4.1 and 1.4.0 releases, and 1.3.1_12 and earlier" are vulnerable.

Risk level – Severe

This threat can allow attackers to completely bypass Java security settings. Even more serious, I suspect that the vast majority of users and even security administrators will remain completely ignorant of this potential threat or the need to switch VMs or update the Java code on their systems, so this threat could be around for years to come on a lot of machines, and the longer it exists the more serious it becomes.

Fix – Upgrade or disable Java

Sun reports "no fix" and "no workaround" for the affected releases themselves; the remedy is to upgrade to a release that is not affected. SDK and JRE 1.4.2_06 and later, and SDK and JRE 1.3.1_13 and later, are free of the problem according to Sun. Downloads are available here.
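Because the affected and fixed releases above differ only by an update number (1.4.2_05 is vulnerable, 1.4.2_06 is not), eyeballing an inventory is error-prone. The following is an added example, not code from the article or from Sun: it encodes the Applicability and Fix ranges for CAN-2004-1029 and triages `java -version` banner lines. The banner lines in `SAMPLE_BANNERS` are constructed sample input, and the "unlisted" verdict for releases Sun does not mention (1.3.0, 1.2, and so on) is this example's own convention, not a statement by Sun.

```python
"""Triage Java SDK/JRE version strings against Sun's affected list for
CAN-2004-1029 (Sun Alert 57591).  Added example; the ranges are taken from
the article's Applicability and Fix sections, the sample banners are
constructed, and the "unlisted" category is an assumption of this script."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, micro, update)

# Sun-style version strings: "1.4.2_05", "1.3.1", "1.5.0_01".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?\b")

# Constructed sample of first lines from `java -version` on several hosts.
SAMPLE_BANNERS = [
    'java version "1.4.2_05"',
    'java version "1.4.2_06"',
    'java version "1.4.1_07"',
    'java version "1.3.1_12"',
    'java version "1.3.1_13"',
    'java version "1.5.0_01"',
    'java version "1.3.0"',
]


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, micro, update) from a version string or a
    `java -version` banner line.  Missing micro/update default to 0, so a
    bare "1.4.2" sorts before "1.4.2_01".  Returns None if no version."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0), int(update or 0))


def classify(version: Version) -> str:
    """Apply Sun's stated ranges:
      - 1.4.2_05 and earlier, all 1.4.1 and 1.4.0: vulnerable; 1.4.2_06+ fixed
      - 1.3.1_12 and earlier: vulnerable; 1.3.1_13+ fixed
      - JDK/JRE 5.0 (1.5.x): not affected
    Anything else is "unlisted" and should get a human look (assumption)."""
    major, minor, micro, update = version
    if (major, minor) >= (1, 5):
        return "not affected"
    if (major, minor) == (1, 4):
        if micro < 2:            # every 1.4.0 and 1.4.1 release
            return "vulnerable"
        return "vulnerable" if update <= 5 else "not affected"
    if (major, minor, micro) == (1, 3, 1):
        return "vulnerable" if update <= 12 else "not affected"
    return "unlisted"


def triage(banners: List[str]) -> List[Tuple[str, str]]:
    """Return (banner, verdict) pairs; banners with no parsable version
    are reported as "unparsed" rather than silently dropped."""
    results = []
    for line in banners:
        v = parse_version(line)
        results.append((line, classify(v) if v else "unparsed"))
    return results


def vulnerable_hosts(banners: List[str]) -> List[str]:
    """Just the banners that Sun's list says need the upgrade."""
    return [b for b, verdict in triage(banners) if verdict == "vulnerable"]


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS):
        print(f"{verdict:13} {banner}")
```

Feed it the first line of `java -version` collected from each host; anything reported as "unlisted" or "unparsed" is outside Sun's stated ranges and needs a manual check rather than being assumed safe.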

Although Sun has nothing to say on the subject, others have pointed out another obvious solution: disabling Java in your browser eliminates the threat completely.

iDEFENSE, which initially notified Sun of the vulnerability, has several workaround suggestions, including disabling either Java or JavaScript (the exploit depends on a transfer of data between the two). You can also use non-Sun JVMs, such as the Microsoft VM, which isn't vulnerable to this threat.


Java security

If you thought that Java has always been relatively secure, I suggest you check out some of the announcements at the Princeton University Department of Computer Science site. Multiple flaws have been discovered in both the Java Virtual Machine (part of the Java Runtime Environment) and various versions of the Software Development Kit. For an independent look at Java security, Princeton's Secure Internet Programming (SIP) Team has an old FAQ posted online, but for current risk assessment and security tips you probably want to check out Sun's own Java Applet Security FAQ. You can also check out Sun's "Chronology of security-related bugs and issues," but you won't find any recent information there.


Final word

Isn't it interesting that, while vendors are always critical of security firms that release vulnerability information, it almost always turns out to be easier to find details about critical threats on those firms' sites than on the vendors' own? Do any vendors put a link on their main opening Web page to give users and administrators quick access to current threats? I only ask because I'm curious and don't know of any that do, and I suspect that many IT pros are frustrated when they hear rumors of a new vulnerability and find that they have to be expert online researchers to get solid information about the flaw.

In this case, iDEFENSE sent the initial vendor notification to Sun on June 29, 2004, and didn't make the public disclosure until November 22, 2004, so its actions were unquestionably highly ethical and Sun credits them with the discovery. Still, it somehow seems a bit strange to find more details and analysis of this threat on the iDEFENSE vulnerability page than on Sun's security site.

One of the reasons why I am coming down so hard on Sun over this is because Scott McNealy, Sun's CEO, is always poking Microsoft with a stick at conferences and talking about how much more secure Java is than Microsoft's alternative.


Also watch for …

  • OS News has reported that Microsoft will drop plans to provide Service Pack 5 for Windows 2000, opting instead for a massive Security Bulletin update.
  • A hacker using the nom de guerre "Cyberflash" has published an exploit that lets remote attackers bypass warning messages in XP SP2's release of IE 6.0. Find details and a message from the hacker community at SecurityTracker.com.
  • Related to the main story this week, the Java sandbox in Opera version 7.54 (and perhaps earlier versions) is confirmed to contain a vulnerability that lets an attacker craft a Java applet which can read information on the affected system and crash the Opera browser. This has been confirmed by the vendor and a patch is available, which is good because an exploit is already circulating. According to the report on SecurityTracker.com, the affected Opera version runs on virtually any common operating system, including Linux, UNIX, and Windows.
