Sun investigates Java security flaw in Netscape browser

Java bug allows unsigned applets to read and dispense files from a user’s computer

August 8, 2000 — Sun Microsystems is investigating a security flaw that has popped up involving the use of Java in Netscape’s Navigator browser.

The bug, known as Brown Orifice (BO), makes use of Netscape’s Java implementation to let an unsigned Java applet read and dispense files from a user’s computer.

The issue can be prevented by disabling Java, but Sun and Netscape are still working to confirm the bug and find a solution for it.

“We take any kind of security issue very seriously and we’re working with Netscape right now to ascertain if this is a security issue,” said David Harrah, a spokesperson for Sun Microsystems. “If it is, we hope to have a patch out that’s downloadable for people to bring in as soon as possible.”

By exploiting the Java vulnerability, an outside server is capable of accessing arbitrary files on the compromised computer or browser system through file URLs, said Chris Rouland, a director of the X-Force security group at Internet Security Systems, in Atlanta.

Rouland said all versions of Netscape Navigator and Netscape Communicator versions 4.74 and earlier are defenseless when the Java applet is enabled.

Netscape, headquartered in Mountain View, Calif., is owned by Internet giant America Online, based in Dulles, Va. AOL spokesman Andrew Weinstein said the company is “evaluating” the discovered vulnerability and plans to make a patch available. However, in the interim he advises users to protect themselves by simply turning off Java altogether. The Netscape security hole will collapse once users exit the program, Weinstein said.

Netscape’s shutdown solution to the vulnerability problem is insufficient, said Rouland, because that action would greatly inhibit users’ ability to use and visit Websites. Because of the flaw’s seriousness, he suggested that users instead switch to another browser until it is corrected.

“The fact that the code is out there published means any script kiddie can copy this and plug it into a Website infrastructure and compromise a site,” Rouland said. “We consider it a serious attack tool because the first day of any attack is information-stealing.”

If a hostile Java applet is launched from a hostile Webpage, the applet downloads a set of socket classes permitting it to create a Web server within the browser Java runtime environment. By using the socket class and taking advantage of file URLs, the exploit code can gain access to any local files, including any network files that can be reached through file sharing from the local system, said ISS officials.

Unlike other browsers, Netscape does not provide error files when a Java applet tries to open a local file, said Elias Levy, chief technology officer at San Mateo, Calif.-based Securityfocus.com.

Despite the privacy and information protection implications, Levy said the Netscape vulnerability is somewhat limited in how much damage it can inflict on computers or how it can spread.

“You can’t really use it to hop from machine to machine,” said Levy. The intent is to entice users to access the external Web server that would access their files, Levy said.

Microsoft’s Internet Explorer and Netscape’s own Mozilla have been tested and do not feature similar browser vulnerabilities at this time, said Rouland.

Even after its release, the patch will only be a short-term solution, Weinstein said, because Netscape has plans to release Netscape 6.0 later this year. To his knowledge, the flaw is not contained within the new browser.

Source: www.infoworld.com