Java/Script Alert: Cross-Platform Browser Vulnerability 314
Ant writes "Synopsis: Opera, Mozilla & Netscape with javascript enabled are
vulnerable
to remote command execution. This has been tested on Microsoft,
and many many Unices. Macintosh may also be vuln. Ironically enough, IE is unaffected." Update: 06/08 23:56 GMT by H : The problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability. Update: 06/09 00:56 GMT by T : According to this followup message from Mozilla security group member Daniel Veditz, the problem is actually one that's already been fixed in Mozilla 1.3, and not a remote command execution vulnerability at all. (Thanks to reader Jared Klett and others.)
Ex-Squeeze-Me?! (Score:4, Insightful)
First of all, the example made is JavaScript, not Java. Second, the example shows how to bring up a page 23000 seconds after they left the page. Not good, but not new either. So what's the big deal?
Re:Ex-Squeeze-Me?! (Score:3, Informative)
Re:Ex-Squeeze-Me?! (Score:3, Informative)
This [hungry.com] page opens up a BBC java nav bar, which, according to the java security model, should not be able to. I tested this with MSIE for Mac, and the bar was not loaded. Mozilla Firebird for OSX also loads the applet (im)properly
Re:Ex-Squeeze-Me?! (Score:4, Insightful)
Furthormore, I don't see how this applet violates the java security model. After running a netstat, I did not see a connection to www.hq.af.mil.
Re:Ex-Squeeze-Me?! (Score:2)
a duck (Score:5, Informative)
the same-origin policy dictates, that any code running, cannot modify anything, which is loaded from another domain. it may not even read from variables.
more here:
http://lists.netsys.com/pipermail/full-dis
Re:Ex-Squeeze-Me?! (Score:3, Informative)
He is proving you can climb over one of the walls in the security system. It looks harmless because what he wrote is harmless in itself. The people capable of fixing the problem also know what you can do once you've climbed that wall. There is an entire history of old attacks that are all sealed off by a single security wall
Obligatory rant (Score:5, Insightful)
Java is NOT THE SAME THING as JavaScript.
Come on slashdot editors, it's not hard to know the difference (this is in reference to the article title).
</rant>
Re:Obligatory rant (Score:2, Informative)
Re:Obligatory rant (Score:5, Funny)
Re:Obligatory rant (Score:3, Informative)
Re:Obligatory rant (Score:3, Interesting)
"New bugs were discovered in Netscape's implementation of Java has been found which allows a remote site to read any file on the client machine and to set up a Java server which anyone can connect to. Brown Orifice HTTPD starts a Java server which allows others to read files on your machine." Fix: Disable Java immediately
Netscape does not have an implemention of Java. It does, however, have an implementation of JavaScript.
Re:Obligatory rant (Score:2)
Re:Obligatory rant (Score:4, Informative)
Netscape did have an implementation of Java, which was used in versions 3.xx and 4.xx. Right on top of the paragraph you quote, it says "circa 2000" - it's just a reminder of an older bug.
Not to say this is an actual Java vulnerability - it's just Javascript fooling the browser into thinking it's download an applet from site A when it's in fact being downloaded from an attacker's site.
"Macintosh may also be vuln." (Score:4, Funny)
It's not like you were tight on space there.
Re:"Macintosh may also be vuln." (Score:2, Interesting)
Re:"Macintosh may also be vuln." (Score:2)
Re:"Macintosh may also be vuln." (Score:2)
Re:"Macintosh may also be vuln." (Score:2, Insightful)
(Apologies if you did write the origional yourself, but I didn;t get the feeling that is the case.
Re:"Macintosh may also be vuln." (Score:2)
That's an explanation, but not an excuse. That's why you have editors, to fix things like that. But of course Slashdot editors don't edit.
Re:"Macintosh may also be vuln." (Score:3, Funny)
WTF, over? (Score:4, Interesting)
Re:WTF, over? (Score:5, Informative)
Both are flawed...
Re:WTF, over? (Score:4, Informative)
The applet can access the same information on your PC as normally (i.e. almost nothing). And the applet can communicate with server applications on on the website. The security risk is the same as with any other applet on any other site. The only difference is that the browser makes the choice of loading it instead of you (just like with popups). You think you're visiting server x and you are redirected to server y.
The fix for this bug is to fix the javascript implementation. Not a single line of the java implementation needs to be changed for this. Apparently this has been done in Mozilla already.
Re:WTF, over? (Score:5, Informative)
I'm sure you are aware of the recent marketing fiasco at Microsoft, where the company shot itself in the foot by severly diluting its new
When JavaScript was originally invented, it was "LiveScript". There was a client version that ran in the browser, and a server version that ran on Netscape servers (and went nowhere). But it was released during the Java applet hype, and marketers at Netscape forced the name change to "JavaScript". Netscape also implemented interfaces between Java and JavaScript so that JavaScript would be more tightly coupled with the crappy JVM that was shipping in Netscape browsers back then. They were actually trying to turn JavaScript into something that would merit the horrible name they gave it.
Specifically, you could invoke Java methods from JavaScript, and vice versa. For example, assuming you had an applet in the document using the standard <APPLET CODE="AppletClassName"></APPLET> syntax, you could (from JavaScript) call methods on the applet straightforwardly:
var javaString = document.AppletClassName.toString();
var javaScriptString = javaString + "";
The javaString variable was a java.lang.String. You first had to turn it into an ordinary JavaScript string by appending "" to it. Java objects that weren't strings kept their type information in the world of JavaScript, and you could presumably call methods on them. Like, you could get a java.util.Vector, add JavaScript strings to it using addElement(), and then (back in Java) iterate through the Vector. Inside the JVM, the JavaScript strings were objects of type javascript.string or something like that. There were entire javascript.* packages containing Java mappings of JavaScript objects. An applet could acquire JavaScript references to the document, browser, etc. and manipulate JavaScript variables. (This was a long time ago during the boom, when people would actually pay you for knowing stupid stuff like this, so I may be getting the details wrong.)
Once the browser war heated up, you simply couldn't use any of this crap since Microsoft left it only half implemented in IE. I think that invocations from JavaScript to Java worked in IE, but not the other way around (there was no way to access JavaScript from Java).
Anyway, the article is vague, my memory of such things is old, and I never really used it more than once or twice. But if there is a hole to speak of, it looks to me like this interface I've described might have something to do with it.
Re:WTF, over? (Score:5, Informative)
You start from the hacker's page X. You click on a link that goes to trusted site Y. Browser loads security policy for Y, before the page X has disappeared from the screen. During those few seconds, any clicks on links in X will execute their onClick() handlers with the privileges of trusted site Y. Where does Java come in? Well, it's hard to write an HTTP server and list directories with JavaScript! So you get an applet to do it for you- which can be done by calling an applet method from onClick(). (Or in other ways, like a popup containing the applet. In fact, onExit() would presumably be an excellent place to put this code.) The incorrect security policy (for Y) is propagated to the Java runtime from JavaScript when the method call is made.
The bug is in JavaScript, and the timing of the browser's interaction with it. Java is merely brought in to do the dirty work once the malicious JavaScript code has fooled the browser into giving it the security permissions it needs.
There are many, many more issues than I have discussed. The minimal release is for giving the blackhats time to play.
I suspect the "minimal release" is because he doesn't understand what he's talking about.
Oh darn... (Score:4, Funny)
Re:Oh darn... (Score:4, Informative)
No, Alanis... (Score:3, Funny)
Re:No, Alanis... (Score:5, Informative)
Re:No, Alanis... (Score:2)
I think that song is singlehandedly responsible for most people losing all conception of the meaning of the word "ironic."
Re:No, Alanis... (Score:3, Insightful)
Re:No, Alanis... (Score:2, Informative)
Java or Javascript? (Score:2, Redundant)
Can anyone who knows about this sort of stuff point to a more credible analysis?
both (Score:4, Informative)
Re:Java or Javascript? (Score:2)
Maybe, maybe not. (Score:5, Informative)
Re:Maybe, maybe not. - The text of the above (Score:5, Informative)
> Synopsis:
> --------
>
> Opera, Mozilla & Netscape with javascript enabled are vulnerable
> to remote command execution. This has been tested on Microsoft,
> and many many Unices. Macintosh may also be vuln.
The exploit example you give is not remote command execution but rather a
violation of the same origin policy. Unless there are additional details you
are withholding this same flaw was reported on Bugtraq April 15
http://www.securityfocus.com/archive/1/318777
and fixed in Mozilla 1.3
http://bugzilla.mozilla.org/show_bug.cgi?id=201
> There are many, many more issues than I have discussed. The minimal
> release is for giving the blackhats time to play.
If instead you'd like to give the whitehats time to fix them details would
be gratefully received by "security" at "mozilla.org"
-Dan Veditz
Mozilla security group member
Re:Maybe, maybe not. (Score:2)
So this is an old vulnerability that's been fixed, eh?
FWIW, this exploit doesn't seem to work against Opera 7.11 for Linux...
Re:Maybe, maybe not. (Score:2)
And, it actually appears to be fixed in Mozilla 1.3. After carefully looking over the exploit code, I ran it, and it failed to do anything. It IS a problem for Mozilla 1.2 though, which many RH 8.0 users still use.
IE isn't the only one not vuln (Score:3, Informative)
Re:IE isn't the only one not vuln (Score:2)
so which is it? (Score:3, Interesting)
So which is it?
Re:so which is it? (Score:2)
Re:so which is it? (Score:2)
The article uses javascript code, calls up a window, but the discussion makes references Java. In the article opening, he says browsers with javascript enabled, but then says to disable java. Hence, confusion, even among slashdot posters.
Had javascript not have that name, this would not be a problem, but unfortunately t
Re:so which is it? (Score:2)
Re:so which is it? (Score:2)
If it's both - the author of the bugtraq post did a very poor job of making that clear. Then again, he didnt make it clear he knows the basic difference between Java and JavaScript.
Linux protects me well. (Score:2, Funny)
Re:Linux protects me well. (Score:2)
I believe the official mozilla.org nightlies & releases are still compatible with pre-g++ 3.2 plugins.
Re:OT Linux protects me well. (Score:2)
Re:Linux protects me well. (Score:2, Informative)
KDE unaffected (Score:3, Informative)
So... (Score:4, Funny)
Re:So... (Score:2)
Not the security model, not even Java! (Score:2)
There is no problem with the Java security model. The worst that can happen is a bad implementation of it allows applets to do something they're not allowed to.
But this isn't even about Java, it's about Javascript. Had it been about Java, you'd see a list of affected Java Virtual Machines, not browsers.
Re:Not the security model, not even Java! (Score:2)
The problem with Java's security model is that it trusts the browser to pass it true information... so when JavaScript misbehaves Java trusts the false information its passed which causes it to misbehave as well.
Sorry, preventing applets from doing things they're not allowed to is the whole point of the security model...
Who wrote this? (Score:2)
Re:Who wrote this? (Score:2)
Timesaver - The most common comments you'll see (Score:5, Funny)
-
"This must have been posted by Microsoft as FUD to get people to stay away from superior products! It's all a trick! Don't listen!"
-
"What's up Taco? I thought April Fools had passed!"
- "Javascript serves no purpose ever, and why anyone would ever use it is beyond me!"
- "This is why we should all be using IE. I've never had a problem with IE security! Linux [l]users sux0rs!"
Did I miss any?Re:Timesaver - The most common comments you'll see (Score:2)
HA! It IS a Microsoft problem! I KNEW IT!!!
The marketting arguments that didn't it (Score:2)
2) Internet Explorer, for when you absolutely must not be affected by the 1 vulnerability found in Opera and Mozilla.
3) If you divide the number of bugs found in IE (30) by its userbase (98%) you'll find our product is only 30% defective whereis if you divide their number of bugs (1) against their userbase (2%) you'll find a product that is 50% defective. We all know that the number of bugs varies with the number of users, not the code quality. Right...... right?
Re:Timesaver - The most common comments you'll see (Score:2, Funny)
I'd say so, considering 90% of the posts below are complaining about the fact that Java and Javascript were mentioned in the same article.
Re:Timesaver - The most common comments you'll see (Score:2)
If I threw XUL at you, could you 'access' it?
Ouch (Score:4, Insightful)
Man, talk about a one-liner to give the anti-Java folks.
Re:Ouch (Score:2)
Quite, but... (Score:2)
You know that, and I know that, but the sorts of people on which one-liners tend to work will either conveniently forget or actually not know that.
Reminds me... (Score:2)
Safari is immune (Score:2, Informative)
This seems bogus. (Score:5, Insightful)
At first blush this seems plain wrong.
There's not really enough evidence in the post to go on, but the example exploit is pure nuisence java script, which has nothing to do with java
Reference is made in the text to ancient *java* bugs, but no detail is given as to how they might be related to the current, claimed bug.
If there's more here than meets the eye I'd like to see it, but there doesn't seem to be any meat in this announcement, it seems to be just a historical retrospective and an annoying-but-not-dangerous-or-new snippet of javascript.
Am I missing something here?
Read _Any_ File? (Score:2)
> client machine
I doubt that.
Re:Read _Any_ File? (Score:2, Funny)
That's why I keep my any file hidden away, accessible only by pressing the any key.
Huh? (Score:2)
Javascript will kill your dog (Score:2)
but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability
In other news...if you knock your house down it won't get robbed.
Re:Javascript will kill your dog (Score:2)
Yeah because suddenly the internet stops working when you turn off JavaScript.
trainwreck (Score:5, Interesting)
Re:trainwreck (Score:3, Funny)
obviously (Score:2)
"Java/Script"! Catch/it! It's/hot!
This is why I use (Score:2)
Mozilla fonts suck and I don't like that AOL has a finger or two in the pie.
Opera for M$ is nice but sucks on Linux..
No probs here.....
Ouch, again! (Score:5, Informative)
For the record, the Java vulnerabilities the decidedly juvenile post is talking about is the bohttpd java vulnerability that existed in netscape 4.7 browsers up to 4.76 I think it was, where the exploit enabled the jvm to turn into a http server for the whole filesystem. This was around 1999 to 2000 I think.
However, this post has nothing whatsoever to do with java. It reads far more as if some teenager has just discovered that one can do some funky stuff with javascript, such as function callbacks, crossframe clowning around and a bit of childish mischief such as opening a miniwindow with a script to track the users movements, as a lot of pornon sites do.
Congratulations, kid, next thing you know, they'll be calling you Mitnik
Re:Ouch, again! (Score:5, Funny)
Aww, that almost brings a tear to my eye. I'm going to hate to see how the dupe affects you..
You must be joking (Score:3, Interesting)
If slashdot is going to post stories for subscribers well in advance, can it put some of its filthy lucre toward hustling some subscriptions from computer professionals of long experience, people literate in the English language, and other hard-to-find folks to fact-check BEFORE yet another elementary blunder makes the front page?
2 Things - (Score:2)
2) If full-disclosure becomes frowned upon in the industry [slashdot.org], wouldn't this be VERY BAD for non-proprietary systems? Specifically - If MSFT and Security-focus (et al.) don't disclose bugs like these, wouldn't it be an extremely powerful tool for both political and technical sabotage? I mean, what cou
Re:2 Things - (Score:2)
You may notice, however, that I did give them due propers for recently (win2k/XP) not running apps by default as the root/Admin user.
I give credit where credit is due. They have earned any credit that I have extended to them, and conversely - they hav
Wow. (Score:2)
Re:Ironic? (Score:2, Funny)
Isn't Mozilla more accountable? (Score:4, Insightful)
It would seem to me that the opposite is true. Mozilla goes out of their way to make it easy to report bugs and problems, while with MSIE all there is is a feedback thing buried in the Help menu that is likely a black hole resulting in nothing but spam.
Microsoft has a habit of leaving bugs and problems in place for years, while the Mozilla guys appear to be much more responsive. After all, they killed popups for their browser.
In other words, it seems to me that Mozilla has a much better and much more developed "improve the product and get rid of bugs" system going than Microsoft does for MSIE.
(I'm still waiting for MS to turn on the "bottom of the browser line that shows links, progress, etc" that they removed.)
"You are probably more vulnerable, when you take into account the lack of users and lack of accountability of the OSS project developers"
The Mozilla guys are much more accountable: look at the forums they have for dealing with problems. Also, they have to be accountable or people will choose "No Mo' !". In contrast, Microsoft does not have to be accountable with MSIE: whether or not anyone likes it, they give it away as the default browser on just about all PC's.
Thanks! (Score:2)
The View Menu did the trick. However, "They" did remove it: it was always on in previous versions, and it was only after recent updates on my machine that I found it was gone. I have found it missing on all other MSIE installations, and others I have talked to have mentioned this unwanted change as well.
Re:Isn't Mozilla more accountable? (Score:2)
Someone said that it was a blunder in MS shipping XP. I only noticed the problem since I started using XP. The channel changer analogy is not the best: I never had to worry about this setting before, since it was always on, and no one ever messed with it until the MS guys did with the XP release.
Forgot about IIS & Apache Web Server? (Score:2, Interesting)
IIS has smaller marketshare than Apache Web Server, yet MANY more IIS vulnerabilities have been discovered and MS took a LOT longer to fix/patch IIS than Apache.
Re:IE not vulnerable (Score:5, Insightful)
It's pretty clear, judging by this and some of your former posts, that you work for Microsoft or at least enjoy spreading their nonsense FUD. Your assumptive argument--that a smaller user base means that OSS has more undiscovered bugs--is entirely illogical.
Now take Mozilla and Opera as opposing examples. The user base for these two browsers combined is infinitesimal compared to IE. It thus stands to reason that all of the bugs and vulnerabilities of these browsers lay dormant, waiting for someone to come along and exploit them. But without a serious user base hammering away at the product all of these problems lie wide open for any hacker to come along and abuse.
There you go again. You seem to miss the point entirely that having code open for review allows "hackers" to find security holes much faster and easier. So if a problem exists, it gets fixed much sooner than a closed source program which requires a lot more prodding and guesswork to discover the vulnerabilities. And yet IE still has historically had far more security issues than Mozilla.
Just because you don't use Microsoft products doesn't mean that you aren't vulnerable. You are probably more vulnerable, when you take into account the lack of users and lack of accountability of the OSS project developers.
Yet another patently untrue statement. Microsoft products have a far worse history of vulnerabilities than Open Source alternatives. Again your comment about "lack of users" is irrelevant. And your statement that OSS developers lack accountability is entirely baseless.
The M$ dominated world is quickly coming to an end and there's absolutely nothing you can do about it. For your own sake, wake up before you become entirely obsolete.
Re:IE not vulnerable (Score:2)
Re:IE not vulnerable (Score:4, Insightful)
1) Many OSS developers are employed by companies (AOL/Time, RedHat, IBM, etc.) that they must be accountable to, and 2) Unlike proprietary products, when an OSS app does something wrong, people point and go "This is the schmuck that did it." There is a lot of accountability when everyone can see what you code.
And a larger codebase doesn't help much when the vast majority of that codebase does the same exact thing online. You tell me how many old ladies checking their MSN mail and ordering E-greeting cards it would take to find this vulnerability.
I'm not saying everyone using IE is dumb, or that everyone using Linux is smart. What I am saying is that thousands of users just like me wouldn't have made this problem any more visible. I would never have stumbled upon this. Moreover, I can guarantee you that many more Linux/Mozilla users are tech-savvy and fill out their bug reports compared to Windows users. Besides, it "stands to reason" that Mozilla could fix bugs faster. IE users trust a small few people to their security; if they don't fix it no one will. In the OSS world, it only takes a couple frustrated coders tired of a vulnerability to have it fixed.
We're a community, Windows users are consumers.
Re:Then (Score:2, Interesting)
Should I...
A: Take AB Meds
B: Cut it off
B?
RTFA, damnit! (Score:2, Informative)
Re:RTFA, damnit! (Score:2)
Kashif
Re:RTFA, damnit! (Score:5, Informative)
If you look at the exploit, he is setting a function to be called after a page is loaded on another page. This function is a JAVASCRIPT function which is then run in the context of the newly loaded page.
He is comparing a javascript function running outside of the javascript sandbox to a java type sandbox. Like I said, I RTFA, and I UTFA (understand).
Re:RTFA, damnit! (Score:2)
Given the flakiness of the source, and the absence of really good examples, I suspect this whole thing is bogus. It sounds like something that might work with the Java 1.0 security model, but not with the current version. Perhaps this guy noticed a change in Javascript implementations, and jumped to the conclusion that it re-opened
Seems like it (Score:3, Insightful)
Take, for example, the commentary:
There are many, many more issues than I have discussed. The minimal release is for giving the blackhats time to play.
Furthermore, the language used is like nothing I have ever seen before.
The poster states that this is a Java problem, but then states that any browser with Javascript is vulnerable to remote command execution. He/she then goes on to give an exploit which has nothing to do with either Java or remote command execution
Re:Seems like it (Score:3, Insightful)
The first exploit doesn't seem like much of an exploit either. Instead, it seems to that the script opens a popup, and then at some later time, changes its content. What is wrong with that?
Now, young grasshoppah... tell me by just starring at your screen what applications are running on your box. no 'ps' no taskmngr... Unless you are the oracle, a virus is pret
Re:Audit your code!!!11 (Score:2)
That's the spirit. Don't let words like "cross platform" and "Microsoft" (although they probably meant "windows") get in the way of a good troll.