Developer

Serious Java hole affects multiple operating systems

Sun Microsystems has released a critical Java Virtual Machine update for multiple operating systems, including Linux and Windows. Particularly disturbing is the fact that it's known about the vulnerability for almost a year. Here is the full report.


Several versions of the Java Virtual Machine that have been in use for years contain a serious vulnerability. Although the problem was only recently disclosed, Sun has apparently known for 11 months that the Java RunTime Environment code contains a flaw that could allow an attacker to capture sensitive data by redirecting Web traffic.

Threat level—Critical
Microsoft reports that this problem is a threat to anyone who connects to the Internet through a proxy server. A remote server could use a hostile Java applet to hijack the user’s HTTP connection to the proxy. It’s more than a bit ironic that proxy servers are normally used to improve security but the bug could allow attackers to redirect proxy Web traffic to a new destination.

Applicability—Any HTTP proxy server
Microsoft was the first to release a patch for this problem (MS02-013), but the threat isn’t confined to Internet Explorer users. This vulnerability also affects Netscape Navigator and Sun platforms. The Sun security bulletin HttpURLConnection is #00216. Mitre identifies this vulnerability in report CAN-2002-0058. Again, any system with an HTTP proxy server could be at risk.

According to Sun Microsystems, Netscape Navigator versions 6.1, 6.0.1, and 6.0, as well as Netscape Communicator version 4.79 and earlier, contain the vulnerable Java code. Microsoft’s Virtual Machine through build 3802 are all affected.

Sun reports that the following products are specifically affected.

Microsoft Windows
  • SDK and JRE 1.3.0_02 or earlier
  • SDK and JRE 1.2.2_010 or earlier
  • JDK and JRE 1.1.8_007 or earlier

Solaris operating environment releases
  • SDK and JRE 1.2.2_010 or earlier
  • JDK and JRE 1.1.8_007 or earlier

Solaris production releases
  • SDK and JRE 1.3.0_02 or earlier
  • SDK and JRE 1.2.2_10 or earlier
  • JDK and JRE 1.1.8_13 or earlier

Linux production releases
  • SDK and JRE 1.3.0_02 or earlier
  • SDK and JRE 1.2.2_010 or earlier

This vulnerability does not affect the Java 2 SDK, Standard Edition, versions 1.4 and 1.3.1.

Fix—Update Java VM immediately
Microsoft recommends that users update to Microsoft VM build 3805. Netscape says that Netscape 6.2 and 6.2.1 are not vulnerable, but the company recommends that users of any earlier version update to the newest version of the Sun JVM.

Sun recommends that users update the Java releases listed above with the following software versions.

Microsoft Windows
Solaris OE reference releases
Solaris production releases
Linux production releases
Slow response—Sun doesn’t shine
Both Sun and Microsoft specifically thank Dutch security specialist Harmen van der Wal for bringing this threat to their attention, but according to a Newsbytes report, van der Wal claims that Sun had been sitting on knowledge of this critical threat for nearly a full year before it got around to releasing a fix. Although he expressly thanked Sun for its security efforts, he also blames the company for the 11-month delay. Sun’s bulletin wasn’t released until March 4, 2002, but van der Wal first reported it to Sun on April 7, 2001. He indicated that Sun acknowledged the vulnerability at that time.

In a bulletin on the vulnerability, van der Wal stated that he will not release details about how to exploit the vulnerability for three months, out of concerns that hackers might take advantage of his report. But he also added, “Customers should not assume that the lack of vulnerability details at this time will prevent the creation of exploit programs.”

Editor's Picks

Free Newsletters, In your Inbox