Friday, March 13, 2009

Serious Java hole affects multiple operating systems

John McCormick

28 March 2002 02:24 PM

Several versions of the Java Virtual Machine that have been in use for years contain a serious vulnerability.

Although the problem was only recently disclosed, Sun has apparently known for 11 months that the Java Runtime Environment code contains a flaw that could allow an attacker to capture sensitive data by redirecting Web traffic.

Threat level: Critical

Microsoft reports that this problem is a threat to anyone who connects to the Internet through a proxy server. A remote server could use a hostile Java applet to hijack the user's HTTP connection to the proxy. It's more than a bit ironic: proxy servers are normally used to improve security, but the bug could allow attackers to redirect proxy Web traffic to a new destination.

Applicability: Any HTTP proxy server

Microsoft was the first to release a patch for this problem (MS02-013), but the threat isn't confined to Internet Explorer users. This vulnerability also affects Netscape Navigator and Sun platforms. Sun's security bulletin on the HttpURLConnection flaw is #00216, and Mitre tracks the vulnerability as CAN-2002-0058. Again, any system that uses an HTTP proxy server could be at risk.

According to Sun Microsystems, Netscape Navigator versions 6.1, 6.0.1, and 6.0, as well as Netscape Communicator version 4.79 and earlier, contain the vulnerable Java code. All builds of Microsoft's Virtual Machine through build 3802 are affected.

Sun reports that the following products are specifically affected.

Microsoft Windows
  SDK and JRE 1.3.0_02 or earlier
  SDK and JRE 1.2.2_010 or earlier
  JDK and JRE 1.1.8_007 or earlier

Solaris operating environment releases
  SDK and JRE 1.2.2_010 or earlier
  JDK and JRE 1.1.8_007 or earlier

Solaris production releases
  SDK and JRE 1.3.0_02 or earlier
  SDK and JRE 1.2.2_10 or earlier
  JDK and JRE 1.1.8_13 or earlier

Linux production releases
  SDK and JRE 1.3.0_02 or earlier
  SDK and JRE 1.2.2_010 or earlier

This vulnerability does not affect the Java 2 SDK, Standard Edition, versions 1.4 and 1.3.1.

Fix: Update Java VM immediately

Microsoft recommends that users update to Microsoft VM build 3805. Netscape says that Netscape 6.2 and 6.2.1 are not vulnerable, but the company recommends that users of any earlier version update to the newest version of the Sun JVM.

Sun recommends that users update the Java releases listed above with the following software versions.

Microsoft Windows
  SDK and JRE 1.4
  SDK and JRE 1.3.1_02
  SDK and JRE 1.2.2_011
  JDK and JRE 1.1.8_009

Solaris OE reference releases
  SDK and JRE 1.2.2_011
  JDK and JRE 1.1.8_009

Solaris production releases
  SDK and JRE 1.4
  SDK and JRE 1.3.1_02
  SDK and JRE 1.2.2_11
  JDK and JRE 1.1.8_15

Linux production releases
  SDK and JRE 1.4
  SDK and JRE 1.3.1_02
  SDK and JRE 1.2.2_011

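As an added example (this is not code from the original article, nor anything shipped by Sun, Microsoft, or Netscape), the following Python script turns the two version lists above into a check a defender can run against `java -version` output. It parses Sun-style version strings, treats the zero-padded and unpadded update spellings used in the lists (1.2.2_010 on Windows and Linux, 1.2.2_10 on Solaris) as the same update number, reports whether a given platform and version fall inside the "or earlier" affected range, and returns the same-family release the advisory names as the fix. The platform labels, the table layout, and the Microsoft VM helper's interface are assumptions of this example.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, micro, update)

# Threshold table transcribed from the advisory's affected and fix lists
# (constructed for this example; platform labels are an assumption).
# Value: (newest update number that is still affected, release named as fix).
# Update numbers are stored as integers, so 1.2.2_010 and 1.2.2_10 both
# compare as update 10.
AFFECTED: Dict[Tuple[str, Tuple[int, int, int]], Tuple[int, str]] = {
    ("windows", (1, 3, 0)): (2, "1.3.1_02"),
    ("windows", (1, 2, 2)): (10, "1.2.2_011"),
    ("windows", (1, 1, 8)): (7, "1.1.8_009"),
    ("solaris-oe", (1, 2, 2)): (10, "1.2.2_011"),
    ("solaris-oe", (1, 1, 8)): (7, "1.1.8_009"),
    ("solaris-prod", (1, 3, 0)): (2, "1.3.1_02"),
    ("solaris-prod", (1, 2, 2)): (10, "1.2.2_11"),
    ("solaris-prod", (1, 1, 8)): (13, "1.1.8_15"),
    ("linux", (1, 3, 0)): (2, "1.3.1_02"),
    ("linux", (1, 2, 2)): (10, "1.2.2_011"),
}

# Microsoft VM builds up to and including 3802 are affected; the advisory
# recommends updating to build 3805.
MSVM_LAST_AFFECTED_BUILD = 3802
MSVM_FIXED_BUILD = 3805

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?")


def parse_java_version(text: str) -> Version:
    """Extract a Sun-style version from text such as 'java version "1.3.0_02"'.

    The micro and update fields default to 0 when absent, so "1.4" parses
    as (1, 4, 0, 0). Leading zeros in the update field are not significant.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Java version found in {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0), int(update or 0))


def assess_sun_jvm(platform: str, version_text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, recommended_fix) for a Sun SDK/JRE/JDK on a platform.

    A release family the advisory does not list for that platform (1.3.1,
    1.4, or anything newer) is treated as not affected, matching the
    advisory's statement that 1.4 and 1.3.1 are unaffected.
    """
    major, minor, micro, update = parse_java_version(version_text)
    entry = AFFECTED.get((platform, (major, minor, micro)))
    if entry is None:
        return (False, None)
    last_affected_update, fix = entry
    if update <= last_affected_update:
        return (True, fix)
    return (False, None)


def assess_microsoft_vm(build: int) -> Tuple[bool, Optional[int]]:
    """Return (affected, recommended_build) for a Microsoft VM build number."""
    if build <= MSVM_LAST_AFFECTED_BUILD:
        return (True, MSVM_FIXED_BUILD)
    return (False, None)


if __name__ == "__main__":
    # Constructed sample of what `java -version` prints on a Windows host.
    sample = 'java version "1.2.2_009"'
    print(sample, "->", assess_sun_jvm("windows", sample))
    print("Microsoft VM build 3802 ->", assess_microsoft_vm(3802))
```

The comparison is done on the whole (major, minor, micro, update) tuple rather than on the raw string, which is what makes the Solaris and Windows spellings of the same update agree; a string comparison would wrongly rank "1.2.2_10" below "1.2.2_010".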
Slow response: Sun doesn't shine

Both Sun and Microsoft specifically thank Dutch security specialist Harmen van der Wal for bringing this threat to their attention, but according to a Newsbytes report, van der Wal claims that Sun had been sitting on knowledge of this critical threat for nearly a full year before it got around to releasing a fix. Although he expressly thanked Sun for its security efforts, he also blames the company for the 11-month delay. Sun's bulletin wasn't released until March 4, 2002, but van der Wal first reported it to Sun on April 7, 2001. He indicated that Sun acknowledged the vulnerability at that time.

In a bulletin on the vulnerability, van der Wal stated that he will not release details about how to exploit the vulnerability for three months, out of concerns that hackers might take advantage of his report. But he also added, "Customers should not assume that the lack of vulnerability details at this time will prevent the creation of exploit programs."

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to fire walls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.