Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Java Programming

Java/Script Alert: Cross-Platform Browser Vulnerability 314

Ant writes "Synopsis: Opera, Mozilla & Netscape with javascript enabled are vulnerable to remote command execution. This has been tested on Microsoft, and many many Unices. Macintosh may also be vuln. Ironically enough, IE is unaffected." Update: 06/08 23:56 GMT by H : The problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability. Update: 06/09 00:56 GMT by T : According to this followup message from Mozilla security group member Daniel Veditz, the problem is actually one that's already been fixed in Mozilla 1.3, and not a remote command execution vulnerability at all. (Thanks to reader Jared Klett and others.)
This discussion has been archived. No new comments can be posted.

Java/Script Alert: Cross-Platform Browser Vulnerability

Comments Filter:
  • Ex-Squeeze-Me?! (Score:4, Insightful)

    by inertia187 ( 156602 ) * on Sunday June 08, 2003 @06:59PM (#6146091) Homepage Journal
    I'm going to stick my neck out here and say, What.In.The.Hell? Who's the editor on-duty here, an Onion stand in?

    First of all, the example made is JavaScript, not Java. Second, the example shows how to bring up a page 23000 seconds after they left the page. Not good, but not new either. So what's the big deal?
    • Re:Ex-Squeeze-Me?! (Score:3, Informative)

      by krisp ( 59093 ) *
      The second link to the page with a java applet which loads an off-site image apears to work in Camino (macos x, based on mozilla source tree). Aparently, it is vulnerable.
    • a duck (Score:5, Informative)

      by Anonymous Coward on Sunday June 08, 2003 @07:24PM (#6146265)
      as reported on the full disclosure list, this doesn't let blackhats execute remote commands (or local, depending on your view point). this is "merely" (bad enough I suppose) a violation of the same-origin policy in javascript.

      the same-origin policy dictates, that any code running, cannot modify anything, which is loaded from another domain. it may not even read from variables.

      more here:
      http://lists.netsys.com/pipermail/full-disc losure/ 2003-June/010200.html
    • Re:Ex-Squeeze-Me?! (Score:3, Informative)

      by Alsee ( 515537 )
      the example made is JavaScript, not Java. Second, the example shows how to bring up a page 23000 seconds after they left the page. Not good, but not new either. So what's the big deal?

      He is proving you can climb over one of the walls in the security system. It looks harmless because what he wrote is harmless in itself. The people capable of fixing the problem also know what you can do once you've climbed that wall. There is an entire history of old attacks that are all sealed off by a single security wall
  • Obligatory rant (Score:5, Insightful)

    by OmniVector ( 569062 ) <se e m y h o mepage> on Sunday June 08, 2003 @07:00PM (#6146097) Homepage
    <rant>
    Java is NOT THE SAME THING as JavaScript.

    Come on slashdot editors, it's not hard to know the difference (this is in reference to the article title).
    </rant>
    • Re:Obligatory rant (Score:2, Informative)

      by rasafras ( 637995 )
      However, it seems to be related to both, hence Java/Script. Read past the title, too.
    • Re:Obligatory rant (Score:3, Interesting)

      by Kircle ( 564389 )
      The article is incorrect. It states:

      "New bugs were discovered in Netscape's implementation of Java has been found which allows a remote site to read any file on the client machine and to set up a Java server which anyone can connect to. Brown Orifice HTTPD starts a Java server which allows others to read files on your machine." Fix: Disable Java immediately

      Netscape does not have an implemention of Java. It does, however, have an implementation of JavaScript.
      • The article is referring back to a vulnerability from 2000. Do a Google search for "Brown Orifice."
      • Re:Obligatory rant (Score:4, Informative)

        by SashaM ( 520334 ) <msasha&gmail,com> on Sunday June 08, 2003 @07:47PM (#6146382) Homepage

        Netscape did have an implementation of Java, which was used in versions 3.xx and 4.xx. Right on top of the paragraph you quote, it says "circa 2000" - it's just a reminder of an older bug.

        Not to say this is an actual Java vulnerability - it's just Javascript fooling the browser into thinking it's download an applet from site A when it's in fact being downloaded from an attacker's site.

  • by Anonymous Coward on Sunday June 08, 2003 @07:02PM (#6146107)
    If you can't be bothered to write out entire words, don't post articles to slashdot.

    It's not like you were tight on space there.
    • RTFA. I copied and pasted it.
      • so you're saying you didn't read it before submitting it? I thought /. protocol was, you're supposed to at least PRETEND to read the articles...
      • by Anonymous Coward
        I love the way people on slashdot don't see anything wrong with coping chunks of text without mentioning that they didn't write it. It's even more ammusing when it happens inline with text they did write, so you can't tell which is which.

        (Apologies if you did write the origional yourself, but I didn;t get the feeling that is the case.

      • I copied and pasted it.

        That's an explanation, but not an excuse. That's why you have editors, to fix things like that. But of course Slashdot editors don't edit.

    • Word up. I mean, WU, you Anon. Cow.. Truth be told, though, I'm far less horrified by this needless abbreviation than I am by the crude abbreviation of vulnerable to 'vuln.' Just what could possbily inspire one to think, "You know, 'vulnerable' is more or less redundant by the time you get to that 'erable' part." How vulg. of you. I'd go so far as to say that you must be stup. and laz. to abbrev. that way. -Since., Anthroboy
  • WTF, over? (Score:4, Interesting)

    by alecto ( 42429 ) on Sunday June 08, 2003 @07:03PM (#6146117) Homepage
    WHAT, exactly does the Java security model have to do with JavaScript--an unfortunately named, but totally different, animal?!
    • Re:WTF, over? (Score:5, Informative)

      by LostCluster ( 625375 ) on Sunday June 08, 2003 @08:13PM (#6146512)
      Simply put, a JavaScript is being used to call for a Java applet after the user has presumably left the page... the result is a Java applet that is permitted to run outside the usual sandbox, and there's your hole.

      Both are flawed...
      • Re:WTF, over? (Score:4, Informative)

        by jilles ( 20976 ) on Monday June 09, 2003 @03:59AM (#6148230) Homepage
        No, it's not running out of the sandbox. The bug is in the javascript which allows the page developer to secretly access a website behind your back. This website happens to also load an applet. Java then applies the usual sandbox restrictions to that website (i.e. you can't go anywhere else, no local file access, etc.).

        The applet can access the same information on your PC as normally (i.e. almost nothing). And the applet can communicate with server applications on on the website. The security risk is the same as with any other applet on any other site. The only difference is that the browser makes the choice of loading it instead of you (just like with popups). You think you're visiting server x and you are redirected to server y.

        The fix for this bug is to fix the javascript implementation. Not a single line of the java implementation needs to be changed for this. Apparently this has been done in Mozilla already.
    • Re:WTF, over? (Score:5, Informative)

      by MillionthMonkey ( 240664 ) on Sunday June 08, 2003 @11:53PM (#6147582)
      WHAT, exactly does the Java security model have to do with JavaScript--an unfortunately named, but totally different, animal?!

      I'm sure you are aware of the recent marketing fiasco at Microsoft, where the company shot itself in the foot by severly diluting its new .NET trademark. Every marketer in the company wanted in on the .NET thing, and soon all product literature from Microsoft was yapping about .NET this, .NET that. Customers were confused as hell. But the .NET trademark dilution wasn't quite invented at Microsoft. Ironically, like most aspects of .NET, it had a previously existing counterpart in the world of Java.

      When JavaScript was originally invented, it was "LiveScript". There was a client version that ran in the browser, and a server version that ran on Netscape servers (and went nowhere). But it was released during the Java applet hype, and marketers at Netscape forced the name change to "JavaScript". Netscape also implemented interfaces between Java and JavaScript so that JavaScript would be more tightly coupled with the crappy JVM that was shipping in Netscape browsers back then. They were actually trying to turn JavaScript into something that would merit the horrible name they gave it.

      Specifically, you could invoke Java methods from JavaScript, and vice versa. For example, assuming you had an applet in the document using the standard <APPLET CODE="AppletClassName"></APPLET> syntax, you could (from JavaScript) call methods on the applet straightforwardly:
      var javaString = document.AppletClassName.toString();
      var javaScriptString = javaString + "";

      The javaString variable was a java.lang.String. You first had to turn it into an ordinary JavaScript string by appending "" to it. Java objects that weren't strings kept their type information in the world of JavaScript, and you could presumably call methods on them. Like, you could get a java.util.Vector, add JavaScript strings to it using addElement(), and then (back in Java) iterate through the Vector. Inside the JVM, the JavaScript strings were objects of type javascript.string or something like that. There were entire javascript.* packages containing Java mappings of JavaScript objects. An applet could acquire JavaScript references to the document, browser, etc. and manipulate JavaScript variables. (This was a long time ago during the boom, when people would actually pay you for knowing stupid stuff like this, so I may be getting the details wrong.)

      Once the browser war heated up, you simply couldn't use any of this crap since Microsoft left it only half implemented in IE. I think that invocations from JavaScript to Java worked in IE, but not the other way around (there was no way to access JavaScript from Java).

      Anyway, the article is vague, my memory of such things is old, and I never really used it more than once or twice. But if there is a hole to speak of, it looks to me like this interface I've described might have something to do with it.

      • Re:WTF, over? (Score:5, Informative)

        by MillionthMonkey ( 240664 ) on Monday June 09, 2003 @03:56AM (#6148220)
        After rereading the securityfocus link (the article itself is nonsensical), it's clear the mechanism I described only has a tangential relationship with this vulnerability.

        You start from the hacker's page X. You click on a link that goes to trusted site Y. Browser loads security policy for Y, before the page X has disappeared from the screen. During those few seconds, any clicks on links in X will execute their onClick() handlers with the privileges of trusted site Y. Where does Java come in? Well, it's hard to write an HTTP server and list directories with JavaScript! So you get an applet to do it for you- which can be done by calling an applet method from onClick(). (Or in other ways, like a popup containing the applet. In fact, onExit() would presumably be an excellent place to put this code.) The incorrect security policy (for Y) is propagated to the Java runtime from JavaScript when the method call is made.

        The bug is in JavaScript, and the timing of the browser's interaction with it. Java is merely brought in to do the dirty work once the malicious JavaScript code has fooled the browser into giving it the security permissions it needs.

        There are many, many more issues than I have discussed. The minimal release is for giving the blackhats time to play.

        I suspect the "minimal release" is because he doesn't understand what he's talking about.

  • Oh darn... (Score:4, Funny)

    by wmspringer ( 569211 ) on Sunday June 08, 2003 @07:04PM (#6146124) Homepage Journal
    Does this mean I have to download a patch for Mozilla tomorrow to fix this? ;-)
  • by ari_j ( 90255 ) on Sunday June 08, 2003 @07:06PM (#6146135)
    That's not ironic. It's unusual, yes, but not ironic.
    • Re:No, Alanis... (Score:5, Informative)

      by thebatlab ( 468898 ) on Sunday June 08, 2003 @07:18PM (#6146230)
      Actually, it could be considered ironic. One of the definitions for ironic is: "Poignantly contrary to what was expected or intended" So, what is generally intended in a browser vulnerability is that IE *will* be affected. It wasn't and therefore is ironic.
      • No, what would be ironic would be if you had a thousand spoons but all you needed was a knife. Or if it rains on your wedding day. Or, especially, if its a free ride but you've already paid.

        I think that song is singlehandedly responsible for most people losing all conception of the meaning of the word "ironic."

  • The article seems to be confused (or at least confusing) on this point. It mumbles about Java, but gives JavaScript examples. I suppose that some Javascript may be being used to do something nasty with Java, but I simply don't get it.

    Can anyone who knows about this sort of stuff point to a more credible analysis?

    • both (Score:4, Informative)

      by Trepidity ( 597 ) <[delirium-slashdot] [at] [hackish.org]> on Sunday June 08, 2003 @07:25PM (#6146272)
      Basically, JavaScript is used to trick the browser into loading an unsandboxed Java applet.
    • What seems be happening here is a confusion by many people. The problem is with Javascript. The problem here is that he is loading some javascript that _should_ only be allowed to run within the same context from which it started. The issue is that he is setting a javascript function to be called after a certain delay, and after loading a new page. After you're redirected this page runs the javascript function. Since this function is run under a different context(the bug), you can load things in the wrong c
  • Maybe, maybe not. (Score:5, Informative)

    by Jade E. 2 ( 313290 ) <slashdot@perlstorm. n e t> on Sunday June 08, 2003 @07:06PM (#6146140) Homepage
    There was a relevant message from Dan Veditz, of the Mozilla securitygroup, on the full discolsure [netsys.com] list just this morning. I'd post the text but the lamesness filter doesn't like it. You can read it here [netsys.com].
    • by Anonymous Coward on Sunday June 08, 2003 @07:10PM (#6146169)
      meme-boi wrote:
      > Synopsis:
      > --------
      >
      > Opera, Mozilla & Netscape with javascript enabled are vulnerable
      > to remote command execution. This has been tested on Microsoft,
      > and many many Unices. Macintosh may also be vuln.

      The exploit example you give is not remote command execution but rather a
      violation of the same origin policy. Unless there are additional details you
      are withholding this same flaw was reported on Bugtraq April 15

      http://www.securityfocus.com/archive/1/318777

      and fixed in Mozilla 1.3

      http://bugzilla.mozilla.org/show_bug.cgi?id=2011 32

      > There are many, many more issues than I have discussed. The minimal
      > release is for giving the blackhats time to play.

      If instead you'd like to give the whitehats time to fix them details would
      be gratefully received by "security" at "mozilla.org"

      -Dan Veditz
      Mozilla security group member
    • So this is an old vulnerability that's been fixed, eh?

      FWIW, this exploit doesn't seem to work against Opera 7.11 for Linux...

    • And, it actually appears to be fixed in Mozilla 1.3. After carefully looking over the exploit code, I ran it, and it failed to do anything. It IS a problem for Mozilla 1.2 though, which many RH 8.0 users still use.

  • by birdman666 ( 144812 ) <ericreid@@@mac...com> on Sunday June 08, 2003 @07:07PM (#6146150) Homepage
    I believe Safari is also immune to this.
  • so which is it? (Score:3, Interesting)

    by jeffy124 ( 453342 ) on Sunday June 08, 2003 @07:07PM (#6146151) Homepage Journal
    Headline says Java, writeup says JavaScript, Hemos update references both. Turning off JavaScript does not affect the Java plugins. Turning off the Java plugin does not turn off JavaScript.

    So which is it?
    • Perahps you shoudl read the artical or some of a comments posted above you?
      • that's just it. I have. And I've gone back and read other posts. It's not clear. Some say bug in Javascript, others say bug in java's security manager implementation. It's confusing.

        The article uses javascript code, calls up a window, but the discussion makes references Java. In the article opening, he says browsers with javascript enabled, but then says to disable java. Hence, confusion, even among slashdot posters.

        Had javascript not have that name, this would not be a problem, but unfortunately t
    • It involves both. Read the article.
      • read my other post in this thread. I have read the article. Several times. I'm still lost.

        If it's both - the author of the bugtraq post did a very poor job of making that clear. Then again, he didnt make it clear he knows the basic difference between Java and JavaScript.
  • Thats OK, I couldnt even install the java plugin on linux, because apparently the java plugin was compiled with pre 3.X gcc and mozilla 1.4 itself was compiled with gcc 3+, is there a compatible java plugin for recent mozilla somewhere?
    • Are you using the official mozilla release, or a differently packaged one such as the one in Debian unstable?

      I believe the official mozilla.org nightlies & releases are still compatible with pre-g++ 3.2 plugins.
    • Just FYI: you can get a gcc 3.X compiled java from www.blackdown.org
    • You can get the java sdk & re compiled with either GCC 2.95 or GCC 3.2 from the blackdown mirrors. You should find the closest mirror to you from the blackdown.org website. Here's the path to the GCC 3.2 version of the 1.4.1 sdk which is hosted at ftp.tux.org: /pub/java/JDK-1.4.1/i386/01/j2sdk-1.4.1-01-linux-i 586-gcc3.2.bin
  • KDE unaffected (Score:3, Informative)

    by yanestra ( 526590 ) * on Sunday June 08, 2003 @07:08PM (#6146158) Journal
    konqueror doesn't show this - whatever you call it.
  • So... (Score:4, Funny)

    by Faust7 ( 314817 ) on Sunday June 08, 2003 @07:09PM (#6146163) Homepage
    Let no hat, black white or grey, wander in on or about the www without fear.

    ...Red's up in the air, then?

  • There is no problem with the Java security model. The worst that can happen is a bad implementation of it allows applets to do something they're not allowed to.

    But this isn't even about Java, it's about Javascript. Had it been about Java, you'd see a list of affected Java Virtual Machines, not browsers.

    • There is no problem with the Java security model. The worst that can happen is a bad implementation of it allows applets to do something they're not allowed to.

      The problem with Java's security model is that it trusts the browser to pass it true information... so when JavaScript misbehaves Java trusts the false information its passed which causes it to misbehave as well.

      Sorry, preventing applets from doing things they're not allowed to is the whole point of the security model...
  • Whoever wrote this article has a third-grade knowledge of English and way too many rap CDs. "Werd"!!!
    • That's ok; some guys post vulnerabilities on bugtraq riddled with "dis" and "dat" instead of "this" and "that" and comments about 9th-grade math homework and granny porn. Ugh.
  • The advisory states that Internet Explorer isn't affected by this vulnerability. Before someone else states it, I'll get them out of the way, silly as they may be:
    • "This must have been posted by Microsoft as FUD to get people to stay away from superior products! It's all a trick! Don't listen!"
    • "What's up Taco? I thought April Fools had passed!"
    • "Javascript serves no purpose ever, and why anyone would ever use it is beyond me!"
    • "This is why we should all be using IE. I've never had a problem with IE security! Linux [l]users sux0rs!"
    Did I miss any?
  • Ouch (Score:4, Insightful)

    by Faust7 ( 314817 ) on Sunday June 08, 2003 @07:12PM (#6146183) Homepage
    if you turn off JavaScript, you turn off the vulnerability.

    Man, talk about a one-liner to give the anti-Java folks.
    • if you turn off JavaScript, you turn off the vulnerability.
      Man, talk about a one-liner to give the anti-Java folks.
      Last time I checked, Java and JavaScript were completely different.
      • Last time I checked, Java and JavaScript were completely different.

        You know that, and I know that, but the sorts of people on which one-liners tend to work will either conveniently forget or actually not know that.
    • Reminds me of a the familiar anecdote: How do you keep your network completely secure? Unplug it.
  • Safari is immune (Score:2, Informative)

    by Anonymous Coward
    I just tested with both Safari v74 (1.0b2) and v48 (1.0b), the example hack provided in the link did not work.
  • This seems bogus. (Score:5, Insightful)

    by pegacat ( 89763 ) on Sunday June 08, 2003 @07:19PM (#6146232) Homepage

    At first blush this seems plain wrong.

    There's not really enough evidence in the post to go on, but the example exploit is pure nuisence java script, which has nothing to do with java

    Reference is made in the text to ancient *java* bugs, but no detail is given as to how they might be related to the current, claimed bug.

    If there's more here than meets the eye I'd like to see it, but there doesn't seem to be any meat in this announcement, it seems to be just a historical retrospective and an annoying-but-not-dangerous-or-new snippet of javascript.

    Am I missing something here?

  • > which allows a remote site to read any file on the
    > client machine

    I doubt that.
  • Am I the only one that just read the bug and had trouble taking this guy seriously?
  • but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability



    In other news...if you knock your house down it won't get robbed.
  • trainwreck (Score:5, Interesting)

    by anotherone ( 132088 ) on Sunday June 08, 2003 @07:34PM (#6146322)
    Between the awful writing in the article, the broken examples, the Java/Javascript confusion, and the contrarian IE-is-safe-but-mozilla-isn't thing; this may very well be the worst slashdot story ever.
    • by fm6 ( 162816 )
      Surely you jest. What about all those "Ask Slashdot: What's a computer" stories? Not to mention Aimee Deep!
  • Obviously Microsoft has secretly bought out Slashdot. Nothing else could explain the disinformation quality of this article.

    "Java/Script"! Catch/it! It's/hot!

  • Konqueror...
    Mozilla fonts suck and I don't like that AOL has a finger or two in the pie.
    Opera for M$ is nice but sucks on Linux..
    No probs here.....

  • Ouch, again! (Score:5, Informative)

    by theolein ( 316044 ) on Sunday June 08, 2003 @08:36PM (#6146630) Journal
    Slashdot, you're like a second home to me, but please don't post stories like this any more. It's embarrasing. Try to look at the article, read it and evaluate it for validity before posting it.

    For the record, the Java vulnerabilities the decidedly juvenile post is talking about is the bohttpd java vulnerability that existed in netscape 4.7 browsers up to 4.76 I think it was, where the exploit enabled the jvm to turn into a http server for the whole filesystem. This was around 1999 to 2000 I think.

    However, this post has nothing whatsoever to do with java. It reads far more as if some teenager has just discovered that one can do some funky stuff with javascript, such as function callbacks, crossframe clowning around and a bit of childish mischief such as opening a miniwindow with a script to track the users movements, as a lot of pornon sites do.

    Congratulations, kid, next thing you know, they'll be calling you Mitnik ;)
    • by Sonicated ( 515345 ) on Sunday June 08, 2003 @09:24PM (#6146894)
      Slashdot, you're like a second home to me, but please don't post stories like this any more. It's embarrasing. Try to look at the article, read it and evaluate it for validity before posting it.

      Aww, that almost brings a tear to my eye. I'm going to hate to see how the dupe affects you..

      :)
  • You must be joking (Score:3, Interesting)

    by bgarrett ( 6193 ) <[garrett] [at] [memesis.org]> on Sunday June 08, 2003 @08:46PM (#6146686) Homepage
    One of the linked pages provides a list of several vulnerabilities, one of which was announced recently.

    If slashdot is going to post stories for subscribers well in advance, can it put some of its filthy lucre toward hustling some subscriptions from computer professionals of long experience, people literate in the English language, and other hard-to-find folks to fact-check BEFORE yet another elementary blunder makes the front page?
  • 1) *nix folks that aren't running the browser as root are safe from this issue, right? Assuming so, once again, *nix (and recent Wins) have demonstrated the necessary damage control of user-level code control.

    2) If full-disclosure becomes frowned upon in the industry [slashdot.org], wouldn't this be VERY BAD for non-proprietary systems? Specifically - If MSFT and Security-focus (et al.) don't disclose bugs like these, wouldn't it be an extremely powerful tool for both political and technical sabotage? I mean, what cou
  • I went to the address the kiddie provided for his "live mild example" and it managed to . . . throw an error in the JavaScript console. Wow. Real impressive 'sploit there, kid. What's next? Cross-Platform Annoying Alert Window?

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...