A recently discovered vulnerability in the Sun Java Plugin is a threat to many Web browsers, such as Mozilla, Firefox, and Internet Explorer, and it also affects multiple operating systems.

Details

Of this serious flaw with the Java Plugin, Sun says, “A
vulnerability in the Java Plugin may allow an untrusted applet to escalate
privileges, through JavaScript calling into Java code, including reading and
writing files with the privileges of the user running the applet.”

This threat is platform-independent and can affect any
system with a vulnerable version of Java installed.

Sun directs IT professionals to see the appropriate Mitre
CVE for further information, saying that the issue is described in CAN-2004-1029.
Of course, CVE entries normally provide almost no information, so even the Sun
page is more helpful; read on to see how difficult that page can be to locate.

To see Sun-acknowledged vulnerabilities in Java after November 2002, Sun advises going to the Sun Alert Notifications page. Unfortunately, this is nothing but a search link, and clicking on any of the obvious “patches” or “Security Information” links along the left side of the page doesn’t give you any information about current exploits.

The search engine isn’t much help either. For example, if
you look up “SDK,” the last vulnerability listed is from May of 2003. A “JVM”
search locates problems announced in July and September of this year but there
is no mention of the current threat (and a search for “Java” provides
similar results).

The specific problem in this latest Java threat is actually
related to the Java sandbox, which was created to provide a safe place to
execute Java code. However, even if you already know some details of the threat
and search for “Java sandbox,” you won’t find any reports later than a year
old.

Only if you know to click on the “Browse documents” link (and then select Sun Alert Notifications) will you actually find relevant information about the most recent threats.

The new Java Plugin vulnerability in the JRE and SDK is listed in document 57591, dated November 22, 2004.


Author’s note

Disclosure of this threat was widely disseminated through
various news services in the last few days. By the time you read this, however,
the Sun links may be more prominently displayed on the Sun site.


Applicability

This affects the Java Software Development Kit and Java
Runtime Environment on Solaris, Windows, and Linux. “JDK and JRE 5.0” are not
affected according to Sun, but “SDK and JRE 1.4.2_05 and earlier, all 1.4.1 and
1.4.0 releases, and 1.3.1_12 and earlier” are vulnerable.

Risk level – Severe

This threat can allow attackers to completely bypass Java
security settings. Even more serious, I suspect that the vast majority of users
and even security administrators will remain completely ignorant of this
potential threat or the need to switch VMs or update the Java code on their
systems, so this threat could be around for years to come on a lot of machines,
and the longer it exists the more serious it becomes.

Fix – Upgrade or disable Java

Sun reports that there is “no fix” for this threat and “no
workaround,” and you need to upgrade to newer versions to fix the problem. SDK
and JRE 1.4.2_06 and later and SDK and JRE 1.3.1_13 and later are free of the
problem according to Sun. Downloads are available here.
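As an added illustration, not part of the original article or of anything Sun published, the following Python classifies a Sun SDK/JRE version against the affected and fixed ranges quoted above (1.4.2_05 and earlier, all 1.4.0 and 1.4.1, 1.3.1_12 and earlier affected; 1.4.2_06, 1.3.1_13 and 5.0 clear). The `java -version` banner format it parses and the sample banners are assumptions constructed for the example.

```python
import re
from typing import Optional, Tuple

# Added example (not from the article or Sun): classify a Sun SDK/JRE version
# against the ranges given for CAN-2004-1029 (Sun Alert 57591). The ranges come
# from the article; the banner format is assumed to be the usual first line of
# `java -version`, e.g.  java version "1.4.2_05"

_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, micro, update) from a bare version string or a
    `java -version` banner. A missing update number is treated as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))

def is_vulnerable(text: str) -> Optional[bool]:
    """True for releases Sun listed as affected, False for fixed or unaffected
    releases, None if the version is unknown or outside the described ranges."""
    v = parse_version(text)
    if v is None:
        return None
    major, minor, micro, update = v
    if (major, minor) >= (1, 5):            # "JDK and JRE 5.0" (reported as 1.5.0) not affected
        return False
    if (major, minor, micro) == (1, 4, 2):
        return update <= 5                  # 1.4.2_05 and earlier; 1.4.2_06 is fixed
    if (major, minor) == (1, 4) and micro in (0, 1):
        return True                         # all 1.4.0 and 1.4.1 releases
    if (major, minor, micro) == (1, 3, 1):
        return update <= 12                 # 1.3.1_12 and earlier; 1.3.1_13 is fixed
    return None                             # e.g. 1.2.x: not covered by the alert

def audit(banners):
    """Map each banner to its verdict, for a quick inventory report."""
    return {b: is_vulnerable(b) for b in banners}

# Constructed sample banners, shaped like the first line of `java -version`.
SAMPLE_BANNERS = [
    'java version "1.4.2_05"',
    'java version "1.4.2_06"',
    'java version "1.3.1_12"',
    'java version "1.5.0"',
]

if __name__ == "__main__":
    for banner, verdict in audit(SAMPLE_BANNERS).items():
        label = {True: "VULNERABLE", False: "ok", None: "unknown"}[verdict]
        print(f"{banner:28} -> {label}")
```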

Although Sun has nothing to say on the subject, others
have pointed out another obvious solution: disabling Java in your browser will eliminate
the threat completely.

iDEFENSE, which initially notified Sun of the vulnerability, has several workaround suggestions, including disabling either Java or JavaScript (the exploit depends on a transfer of data between the two). You can also use non-Sun JVMs, such as the Microsoft VM, which isn’t vulnerable to this threat.


Java security

If you thought that Java has always been relatively secure, I suggest you check out some of the announcements at the Princeton University Department of Computer Science site. Multiple flaws have been discovered in both the Java Virtual Machine (Java Runtime Environment) and various versions of the Software Developer’s Kit. For an independent look at Java security, Princeton’s Secure Internet Programming (SIP) Team has an old FAQ posted online, but for current risk assessment and security tips you probably want to check out Sun’s own Java Applet Security FAQ. You can also check out Sun’s “Chronology of security-related bugs and issues,” but you won’t find any recent information there.


Final word

Isn’t it interesting that, while vendors are always critical
of security firms that release vulnerability information, it almost always turns out
to be easier to find details about critical threats on those firms’ sites
than on the vendors’ own? Do any vendors put a link on their
main opening Web page to provide users and administrators quick links to
current threats? I only ask because I’m curious and don’t know of any that do,
and I suspect that many IT pros are frustrated when they hear rumors of a new
vulnerability and find that they have to be an expert online researcher to get
solid information about the flaw.

In this case, iDEFENSE sent the initial vendor notification
to Sun on June 29, 2004, and didn’t make the public disclosure until November
22, 2004, so its actions were unquestionably highly ethical and Sun credits
them with the discovery. Still, it somehow seems a bit strange to find more
details and analysis of this threat on the iDEFENSE vulnerability page than on
Sun’s security site.

One of the reasons why I am coming down so hard on Sun over
this is because Scott McNealy, Sun’s CEO, is always poking Microsoft with a
stick at conferences and talking about how much more secure Java is than Microsoft’s
alternative.


Also watch for …

  • OS News has reported that Microsoft will drop plans to provide Service Pack 5 for Windows 2000, opting instead for a massive Security Bulletin update.
  • A hacker using the nom de guerre “Cyberflash” has published an exploit that lets remote attackers bypass warning messages in XP SP2’s release of IE 6.0. Find details and a message from the hacker community at SecurityTracker.com.
  • Related to the main story this week, the Java Sandbox in Opera version 7.54 (and perhaps earlier versions) is confirmed to contain the vulnerability that allows attackers to create a Java applet that would let them gain access to information on the infected system, as well as cause the Opera browser to crash. This has been confirmed by the vendor and a patch is available, which is good because an exploit is already circulating. According to the report on SecurityTracker.com, the affected Opera version can be found on virtually any common operating system, including Linux, UNIX, and Windows versions.