Java Applet Trust Manager Loophole

Rohit Khare (khare@w3.org)
Tue, 29 Apr 1997 14:17:45 -0400


April 29, 1997 2:00 PM ET
Applet-signing loophole found in Java Development Kit 1.1.1
By Michael Moeller

Princeton University researchers have uncovered a security loophole in
JavaSoft's Java Development Kit 1.1.1 and HotJava browser 1.0 that gives
a rogue Java applet access to computer resources.

The security hole is related to the way the latest versions of JDK and
HotJava deal with signed Java applets, which can execute outside of the
secure Java runtime environment more commonly known as the Java
"sandbox."

According to the Princeton researchers, a flaw in the code-signing
feature of JDK 1.1.1 enables a rogue applet to obtain data on all
digital signers known to the local computer system, determine which of
those signers are "trusted," and then copy or re-label itself as a
signed trusted applet.

As a result, the applet can gain access to the same local resources as a
trusted applet.

JavaSoft officials, who say they are aware of the problem, will post
information about the flaw on the company's Web site today. The company
will ship a patch to all Java licensees within 48 hours; a permanent fix
will be included with JDK 1.1.2, which is due by the middle of next month.

JavaSoft officials said they have no knowledge of any users or systems
affected by the loophole. The security hole will not apply to users of
Netscape Communications Corp. or Microsoft Corp. browsers, since neither
has yet adopted the code-signing API that is part of JDK 1.1.

HotJava browser users can prevent a malicious applet from attacking
their system by using the browser's administration controls to limit or
turn off applet-signing. JavaSoft will include a fix for the browser by
the time the final version ships in June, officials said.

For more information, see JavaSoft at www.javasoft.com or the research
site at www.cs.princeton.edu/sip/News.html.