Java security hole discovered


Paul Thurrott

April 28, 1997


A group of scientists from Princeton University have discovered a new security flaw in Java that allows hackers to gain unauthorized access to a computer by impersonating a "trusted" software vendor. The flaw was found in Sun's new Java Development Kit (JDK) 1.1, which employs a digital signature security system similar to Microsoft's Authenticode technology for ActiveX controls.

"The flaw we found allows an applet to change the system's idea of who signed it," according to text on the Princeton team's Web site. "The applet can get a list of all signers known to the local system, determine which if any of those signers is trusted, and then the applet can relabel itself so it appears to have been signed by a trusted signer. The result is that the applet can completely evade Java's security mechanisms."

Sun's JavaSoft division announced today that they are aware of the problem and will release a bug fix for the JDK within the next 48 hours. A new release of the JDK, version 1.12, due in two weeks, will also fix the bug.

Marianne Mueller, a security expert at JavaSoft, said the company was notified of the problem last Tuesday and has been working on a fix since then. Why they didn't go public with this information for a week is unknown, but Sun is painfully aware of the comparisons to recent ActiveX security problems, which they loudly harassed at a recent Java conference.

Netscape's Communicator and Sun's HotJava Web browsers are both potentially susceptible to the bug, since they use the JDK 1.1. Microsoft's Internet Explorer does not use this version of the JDK and is not affected by this latest security problem.

JavaSoft's Mueller pointed out that the chances of someone being affected by this bug are slim. "It would be like poking in the dark," she said. "They would have to figure out a likely identity they would want to assume."

This, of course, is equally true of every bug found in ActiveX and Internet Explorer in the past month as well, but that didn't stop Sun from coming down hard on Microsoft.
