California Educational Data Processing Association
The DataBus - Vol. 36, No. 3
Addison Ching
If you use the Netscape Navigator browser version 2.0, you need to be aware that there is a bug in Navigator 2.0 (beta and released versions) that may compromise the security of your computer's data.
Members of CSUNet received the following e-mail message early last month from the Computer Emergency Response Team (CERT), a unit of the Defense Advanced Research Projects Agency (DARPA) that was established in 1988 to address computer security concerns of research users of the Internet.
From: [email protected], Tue, Mar 5, 1996
The CERT Coordination Center recommends installing patches from the vendors, and using the workaround described in Section III until patches can be installed. As we receive additional information relating to this advisory, we will place it in ftp://info.cert.org/pub/cert_advisories/CA-96.05.README.
We encourage you to check our README files regularly for updates on advisories that relate to your site.
II. Impact
Java applets can connect to arbitrary hosts on the Internet, including those presumed to be previously inaccessible, such as hosts behind a firewall. Bugs in any TCP/IP-based network service can then be exploited. In addition, services previously thought to be secure by virtue of their location behind a firewall can be attacked.
III. Solution
To fix this problem, the Applet Security Manager must be more strict in deciding which hosts an applet is allowed to connect to. The Java system needs to take note of the actual IP address that the applet truly came from (getting that numerical address from the applet's packets as the applet is being loaded), and thereafter allow the applet to connect only to that same numerical address. We urge you to obtain vendor patches as they become available. Until you can install the patches that implement the more strict applet connection restrictions, you should apply the workarounds described in each section below.
A. Netscape users
For Netscape Navigator 2.0, use the following URL to learn more about the problem and how to download and install a patch: http://home.netscape.com/newsref/std/java_security.html
Until you install the patch, disable Java using the "Security Preferences" dialog box.
B. Sun users
A patch for Sun's HotJava will be available soon.
Until you can install the patch, disable applet downloading by selecting "Options" then "Security...". In the "Enter desired security mode" menu, select the "No access" option. In addition, select the "Apply security mode to applet loading" to disable applet loading entirely, regardless of the source of the applet.
C. Both Netscape and Sun users
If you operate an HTTP proxy server, you could also disable applets by refusing to fetch Java ".class" files.
We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information.
Location of CERT PGP key: ftp://info.cert.org/pub/CERT_PGP.key
CERT Contact Information
To be added to our mailing list for CERT advisories and bulletins, send your email address to .
CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from ftp://info.cert.org/pub/
CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce
Copyright 1996 Carnegie Mellon University. This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.
CERT is a service mark of Carnegie Mellon University.
The holes are in the Netscape and HotJava Java Applet Security Manager's handling of JavaScript, a scripting language developed by Sun Microsystems that enables real-time interaction with displayed web pages. Features such as moving billboards and interactive games have already been developed and are available from various websites incorporating the Java enhancements.
Researchers at Princeton University discovered an implementation flaw with the Java Applet Security Manager. This discovery shows that the Domain Name Service (DNS) of your network can be subverted, allowing a Java applet to make an arbitrary network connection. This is done by confusing the correct computer names with their actual IP addresses, a process known as DNS Spoofing.
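The difference between a connection check that trusts DNS and the stricter check CERT describes in Section III can be shown with a small model. This is an added example, not Netscape's or Sun's code: it is a simplified model, and every host name, address and function name in it is constructed for illustration.

```python
# Simplified model of the applet connection check (added example).
# Addresses come from documentation and private ranges and are constructed.

# Constructed resolver answers. The zone for "applets.example" is run by
# whoever serves the applet, so it can list any address under its own name.
DNS_ANSWERS = {
    "applets.example": {"203.0.113.10", "10.0.0.5"},  # second record is an internal host
    "intranet.example": {"10.0.0.5"},
}


def resolve(name):
    """Return the set of addresses the (untrusted) DNS reports for a name."""
    return DNS_ANSWERS.get(name, set())


class Applet:
    def __init__(self, origin_name, loaded_from_ip):
        self.origin_name = origin_name
        # Peer address of the connection the class file actually arrived on.
        self.loaded_from_ip = loaded_from_ip


def name_based_check(applet, target_ip):
    """Weak policy: allow any address that DNS lists for the origin name."""
    return target_ip in resolve(applet.origin_name)


def pinned_ip_check(applet, target_ip):
    """Section III policy: allow only the numerical address the applet came from."""
    return target_ip == applet.loaded_from_ip


def audit(applet, targets):
    """Targets the weak check would allow but the pinned check refuses."""
    return [t for t in targets
            if name_based_check(applet, t) and not pinned_ip_check(applet, t)]


if __name__ == "__main__":
    applet = Applet("applets.example", "203.0.113.10")
    for ip in ("203.0.113.10", "10.0.0.5", "192.0.2.77"):
        print(ip, "name-based:", name_based_check(applet, ip),
              "pinned:", pinned_ip_check(applet, ip))
```

The internal address passes the name-based check only because the applet's own DNS zone vouches for it; the pinned check ignores DNS after load time and refuses it.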
Another problem with the Security Manager was discovered by a tenth grade student, who reported the problem to Netscape. By exploiting this problem, skilled programmers could build "rogue" web pages that can gain access to important information on a client's computer. A device known as a "cookie" is created on the client computer's hard drive and can be accessed later by the web server, potentially for unscrupulous purposes. Cookies can be designed to include account information or any other "secure" information that shouldn't be made available to anyone, especially those doing commerce on the Internet. This device allows the perpetrator to literally monitor everything you do on your computer.
Netscape supposedly fixed the bug in a subsequent beta release of Navigator but the youth was able to rewrite his script to again perform the same cookie-grabbing operation.
Netscape immediately responded to this situation by releasing a temporary fix to version 2.0, claiming that the problem only affected certain versions (Windows) of Navigator. However, the "cookie" problem has been demonstrated to affect Macintosh versions of Navigator as well, substantiated by testing performed by Warren Williams.
Netscape subsequently released version 2.01 of Navigator around the middle of March. According to information available on their website, this version fixes the security flaws with Navigator. Go to http://home.netscape.com for additional information and the updated files, available for platforms including 16- and 32-bit Windows and Macintosh. Their Security Enhancements web page (http://home.netscape.com/newsref/std/java_security.html) provides information about the JavaScript bug in Navigator.
CERT is a stockpile of security-related information about the Internet. Available from CERT's FTP server are guides published by the National Institute of Standards and Technology (NIST) relating to computer viruses and related threats, and the protection of information resources. Also available are all the advisories issued by CERT, vendor-initiated bulletins that deal with security problems and solutions related to the vendors' respective platforms and systems, and a Frequently Asked Questions file about the CERT Coordination Center and its work. Tech tips about anonymous FTP configurations and packet filtering can also be obtained, as well as security-related software tools. FTP to ftp://ftp.cert.org/pub/ and view the 01-README file for information about CERT and its services.