Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Java > Is this a security hole?

Reply
Thread Tools

Is this a security hole?

 
 
Andrew Thompson
Guest
Posts: n/a
 
      08-06-2004
Now that I have your attention, I will admit it
only occurs with the MSVM.. No *please* don't
plonk this thread..

Their have been various threads recently that
reveal that people are still interested in
developing for the MSVM. I, on the other
hand, provide tools to 'detect and destroy'
the MSVM.

I am torn as to whether to encourage *any*
developers to code 'down to' the MSVM*.

The thing is, the safest build of the MSVM,
the 3810 build, will happily reveal the exact
location of the class files on disk**, the
Sun VM will not***.

( both images <20Kb )
** <http://www.physci.org/test/screenshot/clsmsvm.png>

The exact locations of all the classes
found is displayed for the user..

*** <http://www.physci.org/test/screenshot/clssunvm.png>

My applet politely, though inaccurately,
reports 'Missing' for the first two entries
(both Java core classes) of the Sun VM
display when it actually means "get the
SecurityAccessException 'outta here"..

AFAIR, the Symantec 1.1.5 JVM would not
even allow me to catch the exceptions.
The applet fails to appear.

...errr. if you have trouble with 'hotlinks' try..
<http://www.physci.org/test/screenshot/> and chase links.

I am not sure if this actually represents a
security hole, or whether it goes against any
stated spec by Sun. So, finally to my questions..

Does this ability to show the exact class
file locations represent a security hole
according to any document issued by Sun?

Does it violate the spec?

Is it (irregardless of the above two) a
security hole?

* hey.. I have nothing against 1.1/AWT,
though it is now becoming difficult to
lay your hands on suitable tools and
docs to work with 1.1.

--
Andrew Thompson
http://www.PhySci.org/ Open-source software suite
http://www.PhySci.org/codes/ Web & IT Help
http://www.1point1C.org/ Science & Technology
 
Reply With Quote
 
 
 
 
zoopy
Guest
Posts: n/a
 
      08-06-2004
On 6-8-2004 13:09, Andrew Thompson wrote:

> Subject: Is this a security hole?


Better group for security matters is c.l.j.security...
<http://www.physci.org/codes/javafaq.jsp#cljse>

> [...]
> The exact locations of all the classes
> found is displayed for the user..
> [...]
> My applet politely, though inaccurately,
> reports 'Missing' for the first two entries


Which applet? You didn't give us a URL...
Show us your code that displays the location of the classes...
<http://www.physci.org/codes/sscce.jsp>

> [...]


Sorry, couldn't resist

Regards,
Z.
 
Reply With Quote
 
 
 
 
xarax
Guest
Posts: n/a
 
      08-06-2004
"Andrew Thompson" <(E-Mail Removed)> wrote in message
news:2dlbobr1k406.730wlgzafoui$(E-Mail Removed)...
> Now that I have your attention, I will admit it
> only occurs with the MSVM.. No *please* don't
> plonk this thread..

/snip/

plonk


 
Reply With Quote
 
Oscar kind
Guest
Posts: n/a
 
      08-06-2004
Andrew Thompson <(E-Mail Removed)> wrote:
> I am torn as to whether to encourage *any*
> developers to code 'down to' the MSVM*.


Personally, I'd say "No.". But then again, I'm also the person to
encourage end users to upgrade software at least once every three
years.


> The thing is, the safest build of the MSVM,
> the 3810 build, will happily reveal the exact
> location of the class files on disk**, the
> Sun VM will not***.

[...]
> I am not sure if this actually represents a
> security hole,


For unsigned applets, there is no danger to the system, as it can't read
or write these files. Nor any other file/directory for that matter.
In this case however, there is an information leak. Depending on your
point of view, this means there is a security hole (or not).

Signed applets and applications however, are a different matter. With
version 1.1, these have full permissions. Especially for applets, I'd say
this is a security hole.

Sources:
http://mindprod.com/jgloss/applet.html#RESTRICTIONS
http://www.michael-thomas.com/tech/j...nced/security/


--
Oscar Kind http://home.hccnet.nl/okind/
Software Developer for contact information, see website

PGP Key fingerprint: 91F3 6C72 F465 5E98 C246 61D9 2C32 8E24 097B B4E2
 
Reply With Quote
 
Andrew Thompson
Guest
Posts: n/a
 
      08-06-2004
On Fri, 06 Aug 2004 15:15:54 +0200, zoopy wrote:

>> Subject: Is this a security hole?

>
> Better group for security matters is c.l.j.security...
> <http://www.physci.org/codes/javafaq.jsp#cljse>


Good point. I'll cross-post!

Go on, give that other link,
you know you want to..

--
Andrew Thompson
http://www.PhySci.org/ Open-source software suite
http://www.PhySci.org/codes/ Web & IT Help
http://www.1point1C.org/ Science & Technology
 
Reply With Quote
 
Andrew Thompson
Guest
Posts: n/a
 
      08-06-2004
On Fri, 06 Aug 2004 11:09:39 GMT, Andrew Thompson wrote:

x-posted to c.l.j.security as these
c.l.j.programmers would not recognize
a security hole if they drove through it.

> Now that I have your attention, I will admit it
> only occurs with the MSVM.. No *please* don't
> plonk this thread..
>
> Their have been various threads recently that
> reveal that people are still interested in
> developing for the MSVM. I, on the other
> hand, provide tools to 'detect and destroy'
> the MSVM.
>
> I am torn as to whether to encourage *any*
> developers to code 'down to' the MSVM*.
>
> The thing is, the safest build of the MSVM,
> the 3810 build, will happily reveal the exact
> location of the class files on disk**, the
> Sun VM will not***.
>
> ( both images <20Kb )
> ** <http://www.physci.org/test/screenshot/clsmsvm.png>
>
> The exact locations of all the classes
> found is displayed for the user..
>
> *** <http://www.physci.org/test/screenshot/clssunvm.png>
>
> My applet politely, though inaccurately,
> reports 'Missing' for the first two entries
> (both Java core classes) of the Sun VM
> display when it actually means "get the
> SecurityAccessException 'outta here"..
>
> AFAIR, the Symantec 1.1.5 JVM would not
> even allow me to catch the exceptions.
> The applet fails to appear.
>
> ..errr. if you have trouble with 'hotlinks' try..
> <http://www.physci.org/test/screenshot/> and chase links.
>
> I am not sure if this actually represents a
> security hole, or whether it goes against any
> stated spec by Sun. So, finally to my questions..
>
> Does this ability to show the exact class
> file locations represent a security hole
> according to any document issued by Sun?
>
> Does it violate the spec?
>
> Is it (irregardless of the above two) a
> security hole?
>
> * hey.. I have nothing against 1.1/AWT,
> though it is now becoming difficult to
> lay your hands on suitable tools and
> docs to work with 1.1.


--
Andrew Thompson
http://www.PhySci.org/ Open-source software suite
http://www.PhySci.org/codes/ Web & IT Help
http://www.1point1C.org/ Science & Technology
 
Reply With Quote
 
zoopy
Guest
Posts: n/a
 
      08-06-2004
On 6-8-2004 17:50, Andrew Thompson wrote:

> On Fri, 06 Aug 2004 15:15:54 +0200, zoopy wrote:
>
>
>>>Subject: Is this a security hole?

>>
>>Better group for security matters is c.l.j.security...
>><http://www.physci.org/codes/javafaq.jsp#cljse>

>
>
> Good point. I'll cross-post!
>
> Go on, give that other link,
> you know you want to..
>

Only if you'd multi-post

Regards,
Z.
 
Reply With Quote
 
Andrew Thompson
Guest
Posts: n/a
 
      08-06-2004
On Fri, 6 Aug 2004 17:33:34 +0200, Oscar kind wrote:

> In this case however, there is an information leak. Depending on your
> point of view, this means there is a security hole (or not).


That is where my thinking is going..
Perhaps Sun was not entirely sure whether
to restrict it at 1.1, but decided later to
do so purely on the *chance* the info. could
be used for malevolent purposes.

If that is the case that would not be MS'
fault, but still is a problem (or not*).

* To be honest, I have not yet figured what
might be done with the information on where
the class files lay, short of a need to directly
'hack' them to introduce further security holes
or viruses. ....Wait a second!

--
Andrew Thompson
http://www.PhySci.org/ Open-source software suite
http://www.PhySci.org/codes/ Web & IT Help
http://www.1point1C.org/ Science & Technology
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Accessing higher security level from higher security level nderose@gmail.com Cisco 0 07-11-2005 10:20 PM
Going from higher security level interface to lower security interface- HELP!!! - AM Cisco 4 12-28-2004 09:52 PM
IT-Security, Security, e-security COMSOLIT Messmer Computer Support 0 09-05-2003 08:34 AM
How secure is the security from my security form? Aaron Java 1 08-04-2003 06:16 PM
MCSA: Security MCSE: Security question Rick Sears MCSE 0 07-29-2003 08:02 PM



Advertisments