November 23, 2004 12:43 PM PST

Java flaw could lead to Windows, Linux attacks

A flaw in Sun Microsystems' plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs.

The vulnerability, found by Finnish security researcher Jouko Pynnonen in April, was patched last month by Sun, but its details were not made public until Tuesday. Security information provider Secunia posted information about the flaw in an advisory that rated it a "highly critical" threat.

The Java plug-in enables small Web programs, known as applets, to run safely on a user's computer. But the security flaw allows a malicious Web site accessed through a victim's browser to bypass those protections.

"It allows execution of attacker-supplied code without user interaction (apart from viewing a Web page) which usually means a 'critical' classification," Pynonnen stated in an e-mail interview with CNET News.com.

"The same exploit could also be used against various operating systems and browsers, which makes it more serious," he added. The vulnerability can be used to attack systems running on Windows or Linux, for example, and using major browser software such as Microsoft's Internet Explorer and Firefox--meaning a large number of systems are vulnerable to attack.

An attacker could use the flaw to do anything the victim normally could, including browse, modify or run files, upload more programs to the victim's system, or send out data from the system, Pynnonen wrote in an advisory dated Tuesday.

While the major browsers have had to deal with a significant number of security issues, the flaw is a rare black eye for the security of Sun's Java technology. Java is designed to be able to run programs downloaded from the Internet on various operating systems safely, without danger to a PC. The "sandbox" that cordons off Java applets from the rest of the system has typically worked well.

However, the flaw allows small snippets of Web code, known as Javascript, to execute functions of Java that were never meant to be run by external programs.

Last week, while announcing details of Sun's forthcoming Solaris 10 operating system, President Jonathan Schwartz noted that Java hasn't been afflicted by a single Java virus.

However, the new security hole could allow a virus to use the Java plug-in to invade PC systems. In October, a flaw in the Java plug-in for cell phones raised the specter that a malicious program disguised as a helpful application could attack a phone's software, if run by a user.

Like the recent iFrame vulnerability in Microsoft's Internet Explorer, the Java flaw could allow a malicious Web site to download and execute a program that would compromise a visitor's PC.

"It could be easily used for spreading viruses or other malware," Pynnonen said in the e-mail. "The exploit itself can't be easily embedded in e-mail, because Java applets contained in e-mail aren't normally started automatically. However an e-mail message could contain a link to a Web page which has the exploit."

While Sun would not speculate on how the flaw could be used by attackers, the company did say that it worked hard to distribute the patch for it to all users.

"We took this very seriously, and we have gone the extra mile to post these patches," a Sun representative said on Tuesday.

The advisories from Sun, Secunia and Pynnonen do not address whether the problem could affect Apple Computer's Mac OS X operating system, which is based on a Unix-like core of code, similar to Linux. The Sun representative said that the Mac issue is being investigated.

Apple Computer was not immediately available for comment.

CNET News.com's Stephen Shankland contributed to this report.

18 comments

Join the conversation!
Add your comment
cross-platform vulnerabilities
More evidence that the underlying architecure of any OS is vulnerable to flaws in cross-platform application architectures involving some type of virtual machine. I would expect the same type of problems when [IF] anybody ever finished porting .NET to Linux.
Posted by David Arbogast (1709 comments )
Reply Link Flag
The difference being
The difference being that at least in Linux, a rogue process would have to intentionally be given root level access and the password by the user in order for it to do any real damage.

So Linux has 3 tiers of security in its design for the malicious program to have to worm its way around, Java VM security, browser security, then access Linux root with the password or an OS vulnerability. It would require significant time, effort and the use of multiple exploits to use this vulnerability in any damaging way. In Windows, however, once the Java VM is compromised, browser level access is achieved, since the browser is tied directly to the core OS, once outside the VM the attacker has complete control.

Your right, when dealing with cross-platform software a single vulnerability can effect multiple OS's. The difference is in how much access the compromised software can give the attacker. In almost all OS's its very little because they have layered security specifically for this reason. Windows still has a long ways to go to prevent a minor security issue from being a completely compromised system though.

Windows still takes the hardened boarder approach to security.. they make it difficult to access the system, but once the first layer is bypassed, theres nothing else in the way.. you have complete control.

Networks tried that back in the 90's they soon realized it didnt work and layered approach was necessary.. Microsoft doesnt seem to understand that and inist on using a 15 year old flawed design.
Posted by Fray9 (547 comments )
Link Flag
So where's the patch??
OK, I am adequately alarmed now. So where's the "patch" which Sun says they are working to distribute? Your link to <a class="jive-link-external" href="http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1" target="_newWindow">http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1</a> goes to a page at Sun *discussing* the problem, but the page provides no obvious link to any patch or replacement for the JVM (only a link to J2SE).

So--can you please provide the buckets so we can put out the fire? thanks!
Posted by mcwong2000 (7 comments )
Reply Link Flag
Once again, CNET demonstrates its bias...
By letting this story fall off the front page within several hours of its posting while keeping even the most ridiculous MS security "holes" on the front page for days, CNET once again demonstrates its bias.

Great job, guys! I'm sure that people running Java don't care much about security warnings!
Posted by (127 comments )
Reply Link Flag
Or
I dont know about Cnets bias but yours is in plain sight.

But thats not the reason for my posting, rather I wanted to point out that the front page stories linger or die based on how much traffic they get. Microsoft vulns being important to 90% of the population means many people will read it, while java vm security issues are only of real interest to those who use it (and know what it is).

Its not a conspiracy, Im told the Cnet website is maintained by a script, no human to my knowledge has anything to do with how long a story stays on the front page.
Posted by Fray9 (547 comments )
Link Flag
Great job
<a class="jive-link-external" href="http://www.analogstereo.com/acura_tl_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/acura_tl_owners_manual.htm</a>
Posted by Ubber geek (325 comments )
Link Flag
Sun has a patch for Java, or is it a shroud?
"We took this very seriously, and we have gone the extra mile to post these patches," So proclaims a Sun spokesman.

Had Sun admitted their product was NOT secure ten weeks ago, the exploit of that flaw would not have done fatal damage to my small business.

My business is computer based manufacture. No network means no business, so security and integrity of our network is critical. No computer games allowed, no software installed without an OK.
We locked the front door with thousands of dollars in security software and training, Sun left the loading dock open at no charge.

Unable to use our seven PC network for over eight weeks because we couldn't call it secure, it took four hundred man hours of painstaking detective work to determine how we where being reinfected within hours after complete network reformats and restarts. Every CD, disk, flash card and tape, holding 20 years of diagnostic software, useless because it could not be certified clean in the light of the new infection.

Sun Java is not a requirement to do business, but security is. Did they think we would feel better if we just didn't know we where exposed?

This ongoing exploit fits no other vector than the Sun Java flaw, and a patch now does no good for a system already infected.
Of those I've contacted so far, infection seems to be running at 100%. I can't begin to imagine the final dollar cost avoided by the two word command "uninstall Java" used six months ago.

Sun knew it was giving us a virus, and now seems to want praise for finding a cure today. Sadly, the patient is already dead, and won't be buying any Sun product again.
Posted by (1 comment )
Reply Link Flag
NO HELP FROM SUN
sun refuses to help with java related issues "its a free download, we are not responsible for any problems, we do not offer tech support"
Posted by disco-legend-zeke (448 comments )
Link Flag
diagnostic software
<a class="jive-link-external" href="http://www.analogstereo.com/acura_cl_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/acura_cl_owners_manual.htm</a>
Posted by Ubber geek (325 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.