Java security hole discovered

A group of scientists from Princeton University have discovered a newsecurity flaw in Java that allows hackers to gain unauthorized access toa computer by impersonating a "trusted" software vendor. The flaw wasfound in Sun's new Java Development

Paul Thurrott

April 28, 1997

2 Min Read
ITPro Today logo

A group of scientists from Princeton University have discovered a newsecurity flaw in Java that allows hackers to gain unauthorized access toa computer by impersonating a "trusted" software vendor. The flaw wasfound in Sun's new Java Development Kit (JDK) 1.1, which employs a digitalsignature security system similar to Microsoft's Authenticode technologyfor ActiveX controls.

"The flaw we found allows an applet to change the system's idea of who signed it," according to text on the Princeton team's Web site. "The applet can get a list of the all signers known to the local system, determine which if any of those signers is trusted, and then the applet can relabel itself so it appears to have been signed by a trusted signer. The result isthat the applet can completely evade Java's security mechanisms."

Sun's JavaSoft division announced today that they are aware of the problemand will release a bug fix for the JDK within the next 48 hours. A newrelease of the JDK, version 1.12, due in two weeks, will also fix the bug.

Marianne Mueller, a security expert at JavaSoft, said the company was notified of the problem last Tuesday and has been working on a fix since then. Why they didn't go public with this information for a week isunknown, but Sun is painfully aware of the comparisons to recent ActiveXsecurity problems, which they loudly harassed at a recent Java conference.

Netscape's Communicator and Sun's HotJava Web browsers are both potentiallysusceptible to the bug, since they use the JDK 1.1. Microsoft's Internet Explorer does not use this version of the JDK and is not affected by this latest security problem.

JavaSoft's Mueller pointed out that the chances of someone being affectedby this bug are slim. "It would be like poking in the dark," she said. "They would have to figure out a likely identity they would want to assume."

This, of course, is equally true of every bug found in ActiveX and InternetExplorer in the past month as well but that didn't stop Sun from coming down hard on Microsoft

About the Author(s)

Paul Thurrott

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.

See more from Paul Thurrott
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

cybersecurity operator or hacker works with data in dark room
IT Security
Master AI Cybersecurity: Protect and Enhance Your NetworkMaster AI Cybersecurity: Protect and Enhance Your Network
byBrien Posey
May 21, 2024
5 Min Read
business person stamping a document
IT Operations
How to Get Executive Buy-In for IT ProjectsHow to Get Executive Buy-In for IT Projects
byChristopher Tozzi
May 28, 2024
6 Min Read
yellow block stuck in between blue cog wheels
PowerShell
Using ChatGPT as a PowerShell Debugging ToolUsing ChatGPT as a PowerShell Debugging Tool
byBrien Posey
Jun 4, 2024
4 Min Read