Confusion Rife over 'Brown Orifice' Trojan Horse

FRAMINGHAM (08/14/2000) - More than a week after a Silicon Valley computer consultant found a way to view another computer's files by exploiting Java-related flaws in Netscape Communications Corp. browsers, users remain confused about how best to combat the vulnerability.

But as some of the initial hysteria dies down, there seems to be a consensus that a properly configured corporate firewall should be able to protect enterprise users, at least until Netscape and Sun come up with the necessary repairs.

Both companies barely acknowledged the vulnerabilities uncovered by Dan Brumleve and posted on the BugTraq Web site Aug. 4. Computer security consultants and software vendors were more than willing to fill the information gap, some of them fervidly predicting a digital apocalypse.

It wasn't until last Thursday that Sun finally posted information on what Brumleve called "Brown Orifice," which is a Java applet written by Brumleve to exploit features in Java and, especially, Netscape's implementation of Java security.

Essentially, the Brown Orifice applet secretly downloads to a user's computer and turns it into a Web server. Then, any outsider can surf to the target PC and read any of the files that its user can read. If these files on the user's PC contain passwords or other information about systems on the corporate net, the applet would let this information be seen by an outsider.

The name coined by Brumleve suggests the notorious "Back Orifice" Trojan horse program that appeared in the fall of 1998. That program, which the victim had to be tricked into installing on his or her computer, gave an intruder the same computer access and privileges as the victim. That is, the intruder could use the affected system just like its rightful user.

Brown Orifice, by contrast, is currently a "read only" program. But it can downloaded secretly.

"In my opinion this is very dangerous, because it can be exploited clandestinely without any visible signs to the user, and because all information on their computers, including network shares [i.e., certain files on servers] to corporate information and databases, is being shared," says Chris Wilson, a technical director for RITC, a Cambridge, U.K. software firm that markets a Web calendar system called Caliday. Wilson downloaded the Brown Orifice applet and worked with it.

Wilson says Brown Orifice could potentially be used to download files from internal company servers using FTP or some other protocol. But that, he says, would require "significant modification" of the applet.

Netscape had not returned calls by deadline, and a Sun spokesman said Sun software engineers were tied up working on the problem.

Brumleve's applet exploited two different vulnerabilities, one in version 4.74 and earlier of the Netscape browsers, and the other in earlier versions of Sun's Java Developers Kit (JDK).

According to an e-mail message from Elias Levy of, a security Website that hosts the Bugtraq mailing list, the first vulnerability lets the downloaded applet open a listening network socket and then lets the applet accept outside connections to that socket. The first step apparently is due to a flaw in Netscape's code, and the second step is due to the JDK flaw. Netscape apparently has not updated its software to use the latest JDK.

The second vulnerability appears to be a violation in Netscape's code of the Java security technique called the "sandbox." The sandbox restricts a downloaded applet so it can't access other files. But the Netscape flaw lets the applet read certain local files.

RITC's Wilson said he connected to his computer using Brown Orifice and was able to see a directory listing of all files in the shared directory. "I can download any of them, just as if I was using the Navigator to explore an FTP server," he says. "Brown Orifice also has a bug which allows exploiters to retrieve any file on the system, even outside the 'shared' directory, but apparently this only works on Windows systems."

As of Thursday, Sun's Web site recommended migrating Java products to Java 2 Standard Edition 1.2.1 or higher on Windows PCs, and to 1.2.2 or greater on Solaris and Linux computers. It also recommended modifying Java applets to use a more up-to-date Java Runtime Environment, a solution that may be difficult for network administrators with hundreds or thousands of desktops. Another option is to shut off Java on all client computers, but that requires instructing corporate users on how to do that, and then trusting that they've done it.

But Wilson at RITC says a properly configured firewall will block connections to the outside world from a user's desktop computer. "This is the best precaution," he says.

At least, until Sun and Netscape can come up with a better fix.

Join the newsletter!

Error: Please check your email address.

More about Netscape Communications CorpSecurityFocus

Show Comments