Programmers find security hole in Netscape's JVM

Programmers at Princeton University have discovered a crack in the security system of Netscape Communications' Java Virtual Machine (JVM) that would allow a malicious applet to shred all the security controls in Navigator 4.0, giving it free rein to modify or delete files.

As in a number of other flaws, the latest one occurs in the implementation of the "ClassLoader" mechanism responsible for handling the dynamic linking capabilities in Java. While JavaSoft made changes to correct just such problems in its JDK 1.1 and 1.2 betas, the ClassLoaders remain unsafe, according to Princeton programmers.

In a letter sent to developers, Ed Felten, a member of Princeton's Secure Internet Programming Lab, said "a malicious ClassLoader can still override the definition of built-in 'system' types like java.lang.Class," which can lead to a subversion of Java's security system and cause a security breach.

Felten said the Princeton labs have been able to demonstrate an applet that deletes files.

Netscape officials said, however, they have posted a fix in the beta release 4.5 of Navigator and will also make that fix available in the upcoming maintenance release due to ship shortly.

"The vulnerability that occurs is in the Java sandbox. Our engineers did a lot of testing around this and we believe that what we posted in 4.5 fixes the vulnerability that Princeton has reported," a Netscape representative said.

Despite the fix, some observers worry about the exposure that millions of existing Navigator 4.x users face. It could be a year before the growing installed base of 4.x users is aware of the problem and downloads the fix.

"There is usually a 12- to 24-month lag time between when Netscape releases a browser and when most people start using it. I think this bug is the worst of all bugs because it is real, not theoretical. If that applet got out of Princeton, there will be some real trouble," said one long-time developer.

Some think that if such an applet made its way to a server, and then into an HTML e-mail message capable of referencing that applet and causing it to run, there could be widespread damage.

The bug is not exploitable, however, unless the perpetrator has a secondary flaw at his disposal, which happens to be available in versions of Netscape 4.X, according to the letter. The letter added, however, that the Princeton programmers were not aware of any secondary flaws in Microsoft's and Sun's most current versions of Java.

"This security hole allows a Java applet to install a virus or trojan horse on a victim's computer system or damage a system directly by deleting disk files," said one East Coast developer aware of the flaw. "This hole becomes an e-mail issue because an HTML-based message can contain Java applets. The e-mail reader in Netscape, by default, will execute Java applets when an e-mail message is read."

More information on the security flaw can be found at http://www.cs.princeton.edu/sip/History.html/.