Jan 28, 2000

Translator's note:

We announce another security hole in the Microsoft Virtual Machine (Microsoft VM) for Java, including the latest version. This is a translation of the warning note (written in Japanese) by Dr. Hiromitsu Takagi posted to the Java House Mailing List, a Japanese Java user discussion site (http://java-house.etl.go.jp/ml/ . Japanese fonts required to display). The finding is summarized after numerical tests and discussion among the members. Mr. Kensuke Tada originated the discussion. The translation is made available by Dr. Tomohira Tabata (ttabata@ucsd.edu) for his friends and others who may benefit from the information. Please note that Dr. Tomohira Tabata takes no responsibility for mistranslation in this document.

The finding is:

This security vulnerability allows a Java applet to read any files in certain directories. Simple code is enough to attack the security hole. Since even a beginning Java programmer can exercise it, all users should take note. The vulnerability is quite dangerous, and immediate deactivation of the IE Java function provided by Microsoft is highly recommended, possibly changing to Netscape Navigator, Communicator or the Sun Java Plug-in until Microsoft provides a "fix".

The body of the warning note by Dr. Hiromitsu Takagi:

----------------------------------------------------------------------------------------------------------

This is a warning for all users of Microsoft Internet Explorer version 4 and 5 (IE4, IE5) for Microsoft Windows95/98/NT. This security hole is closely CLASSPATH for Java users and especially for the Java Developer; the note is posted.

Vulnerability
-------------

This security vulnerability allows a Java applet to read any "known files", which are common to most configurations.
A hosted web site is able to retrieve file information through the applet code automaticallyspecific files which popular applications hold, and files with common names which users occasionally choose, This does not allow any change or deletion of local files. We still believe this vulnerability is quite dan

Detail description
------------------

The readable directories and their sub directories could be limited,will be read, Except of Windows NT that is home directory of each user profile set. C:\Windows\deskto

We suspect this variation comes from the version of Microsoft VM for Java, not the version of IE.

Unfortunately, as a much more serious case, if you set the environment variable CLASSPATH in C:\AUTOEXEC.BAT, the files and directories under the directories set in CLASSPATH are all readable. Java programmers should be aware of tfor their applications.

How to be attacked
------------------

You may get attacked indeed just accessing When accessing the web site, the applet is downloaded and invoked on your computer, and then sends files on

    InputStream is = ClassLoader.getSystemResourceAsStream(filename);

This single line makes an applet read an email. There may already be such an applet, made by a malicious programmer and placed on a web page in secret.

Demonstration of attacking the security hole
--------------------------------------------

You can try a demonstration applet on the following URL, (don't worry, it just reads you back your e.g. autoexec.bwill see the content with specifying the file name with the directory name. When you receive the message "to read or find the specified file. However, this might mean only that the applet searched the different d

Work-around
-----------

Stop Microsoft's Java function until a patch is provided.

Instruction for IE4 users: Follow "View" menu, "Internet Options...", "Security" tab, "Custom (for expert users)", and "Setting..." b

Alternative for utilizing Java:

- Use Netscape Navigator or Communicator instead of IE.
- Use Sun Java Plug-in for IE. See http://java.sun.com/products/plugin/index.html

List of vulnerable applications with versiothe members
------------------------------------------------------------------------------------

Microsoft (R) VM for Java, 5.0 Release 5.0.0.3234 (the latest version, as of Jan 28, 2000) and earlier

Note that no s

No. This is a simple mis-implementation (a bug) of Microsoft Java VM. It does NOT mean Java has a structural

Motivation of this note
-----------------------

We are aware that full disclosure of security holes informpeople informed. After fighting this dilemma, we believe the benefit of users, such as awareness of existing(See the following URLs).

http://www.news.com/News/Item/0,4,41084,00.html?feed.cnetbriefs
http://news.cnet.c

- This issue is already known by thousands of members of our mailing list. Even if we hid the code, anyone them to provide a patch immediately, and to announce it on media such as newspaper so that all of Windows us

The following is Microsoft's response:

-- Due to development issue, we can not guarantee to fix it as

From this answer, we could not be convinced that users will be secured soon. In addition, they mentioned they coulthis issue to Java communities.

(Translator's note: Dr. Takagi gave Microsoft Corp. in Japan a call on Jan 2

Acknowledgement
---------------

This security hole happened to be found when we discussed a programming method to read files in Jar archives. As a starting point, Mr. Tada reported his applet read files on Desktop unereport, Mr. Amemiya indicated it was a security hole. I, Dr.
Takagi, reported readable directories were not

Related articles
----------------

[j-h-b:30281] [j-h-b:30283] [j-h-b:30284] [j-h-b:30285] [j-h-b:30303] [j-h-b:30321] [j-h-b:30323] [j-h-b:30324] [j-h-b:30325] [j-h-b:30327] [j-h-b:30331] [j-h-b:30332] [j-h-b:30333] [j-h-b:30334] [j-h-b:30338] [j-h-b:30351] [j-h-b:30352] [j-h-b:30353] [j-h-b:30354] [j-h-b:30355] [j-h-b:3

http://www.etl.go.jp/~takagi/

Acknowledgement from translator
-------------------------------

I would like to thank Dr. Hiromitsu Takagi (takagi@etl.go.jp) and Mr. Ryoji Sumida (ryo@idt.net) for their kind help.

Tomohira Tabata (ttabata@ucsd.edu), Ph.D., postgraduate research engineer, ECE UCSD, 9500 Gilman Drive, La Jolla, CA 92093-0407, USA
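
The note's "Detail description" says that every directory named in a CLASSPATH set from C:\AUTOEXEC.BAT becomes readable. The following Python code is an added example, not part of the original note or its translation, that lists which entries such a file places on CLASSPATH so they can be reviewed or removed; the sample file content and the function names are constructed for illustration.

```python
import re

# Constructed sample AUTOEXEC.BAT content (not taken from the advisory).
SAMPLE_AUTOEXEC = r"""@ECHO OFF
REM set CLASSPATH=C:\old\classes
PATH C:\WINDOWS;C:\WINDOWS\COMMAND
SET CLASSPATH=.;C:\jdk1.2\lib\tools.jar
set ClassPath=%CLASSPATH%;C:\work\myapp;"C:\My Documents\java"
"""

# Matches "SET CLASSPATH=..." in any letter case; REM lines do not match.
_SET_RE = re.compile(r"^\s*@?\s*set\s+classpath=(.*)$", re.IGNORECASE)


def classpath_entries(autoexec_text):
    """Return the CLASSPATH entries in effect after all SET lines have run."""
    current = []
    for line in autoexec_text.splitlines():
        m = _SET_RE.match(line)
        if not m:
            continue
        new = []
        for part in m.group(1).strip().split(";"):
            part = part.strip().strip('"')
            if not part:
                continue
            if part.upper() == "%CLASSPATH%":
                new.extend(current)  # self-reference expands to the earlier value
            else:
                new.append(part)
        current = new  # a later SET replaces the earlier value
    return current


def exposed_directories(entries):
    """Split entries into directories (the case the note describes) and archives."""
    dirs, archives = [], []
    for entry in entries:
        if entry.lower().endswith((".jar", ".zip")):
            archives.append(entry)
        else:
            dirs.append(entry)
    return dirs, archives


if __name__ == "__main__":
    dirs, archives = exposed_directories(classpath_entries(SAMPLE_AUTOEXEC))
    for d in dirs:
        print("directory on CLASSPATH:", d)
    for a in archives:
        print("archive on CLASSPATH:", a)
```
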