Is this a security hole?

Discussion in 'Java' started by Andrew Thompson, Aug 6, 2004.

  1. Now that I have your attention, I will admit it
    only occurs with the MSVM.. No *please* don't
    plonk this thread..

    There have been various threads recently that
    reveal that people are still interested in
    developing for the MSVM. I, on the other
    hand, provide tools to 'detect and destroy'
    the MSVM.

    I am torn as to whether to encourage *any*
    developers to code 'down to' the MSVM*.

    The thing is, the safest build of the MSVM,
    the 3810 build, will happily reveal the exact
    location of the class files on disk**, the
    Sun VM will not***.

    ( both images <20Kb )
    ** <http://www.physci.org/test/screenshot/clsmsvm.png>

    The exact locations of all the classes
    found is displayed for the user..

    *** <http://www.physci.org/test/screenshot/clssunvm.png>

    My applet politely, though inaccurately,
    reports 'Missing' for the first two entries
    (both Java core classes) of the Sun VM
    display when it actually means "get the
    SecurityAccessException 'outta here"..

    AFAIR, the Symantec 1.1.5 JVM would not
    even allow me to catch the exceptions.
    The applet fails to appear.

    ...errr. if you have trouble with 'hotlinks' try..
    <http://www.physci.org/test/screenshot/> and chase links.

    I am not sure if this actually represents a
    security hole, or whether it goes against any
    stated spec by Sun. So, finally to my questions..

    Does this ability to show the exact class
    file locations represent a security hole
    according to any document issued by Sun?

    Does it violate the spec?

    Is it (irregardless of the above two) a
    security hole?

    * hey.. I have nothing against 1.1/AWT,
    though it is now becoming difficult to
    lay your hands on suitable tools and
    docs to work with 1.1.

    --
    Andrew Thompson
    http://www.PhySci.org/ Open-source software suite
    http://www.PhySci.org/codes/ Web & IT Help
    http://www.1point1C.org/ Science & Technology
     
    Andrew Thompson, Aug 6, 2004
    #1
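
The distinction the post above draws between a class that is really missing and a VM that refuses to say where it lives, as an added example that is not the poster's applet code (the thread never shows it). It assumes the lookup goes through `Class.getResource`; the class name `ClassLocationReport` and the sample class list are constructed for illustration.

```java
import java.net.URL;

// Added example: reports where each named class was loaded from, keeping
// "not found" and "refused by the security policy" as separate outcomes
// instead of folding both into "Missing".
public class ClassLocationReport {

    static String locate(String className) {
        // Resource path of the class file, e.g. /java/lang/String.class
        String resource = "/" + className.replace('.', '/') + ".class";
        try {
            Class<?> cls = Class.forName(className);
            URL url = cls.getResource(resource);
            // A null URL means the class loaded but its file is not exposed.
            return url == null ? "Missing" : url.toString();
        } catch (ClassNotFoundException e) {
            return "Missing";
        } catch (SecurityException e) {
            // The VM declined to disclose the location: report that, not "Missing".
            return "Denied (" + e.getClass().getName() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: two core classes, this class, one bogus name.
        String[] names = {
            "java.lang.String",
            "java.util.Vector",
            "ClassLocationReport",
            "com.example.DoesNotExist"
        };
        for (String name : names) {
            System.out.println(name + " -> " + locate(name));
        }
    }
}
```

Any entry that prints a full `file:` URL is the kind of path disclosure the thread is asking about; a sandboxed VM that withholds it should show up as "Denied" rather than "Missing".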

  2. Andrew Thompson

    zoopy Guest

    On 6-8-2004 13:09, Andrew Thompson wrote:

    > Subject: Is this a security hole?


    Better group for security matters is c.l.j.security...
    <http://www.physci.org/codes/javafaq.jsp#cljse>

    > [...]
    > The exact locations of all the classes
    > found is displayed for the user..
    > [...]
    > My applet politely, though inaccurately,
    > reports 'Missing' for the first two entries


    Which applet? You didn't give us a URL...
    Show us your code that displays the location of the classes...
    <http://www.physci.org/codes/sscce.jsp>

    > [...]


    Sorry, couldn't resist ;-)

    Regards,
    Z.
     
    zoopy, Aug 6, 2004
    #2

  3. Andrew Thompson

    xarax Guest

    "Andrew Thompson" <> wrote in message
    news:2dlbobr1k406.730wlgzafoui$...
    > Now that I have your attention, I will admit it
    > only occurs with the MSVM.. No *please* don't
    > plonk this thread..

    /snip/

    plonk
     
    xarax, Aug 6, 2004
    #3
  4. Andrew Thompson

    Oscar kind Guest

    Andrew Thompson <> wrote:
    > I am torn as to whether to encourage *any*
    > developers to code 'down to' the MSVM*.


    Personally, I'd say "No.". But then again, I'm also the person to
    encourage end users to upgrade software at least once every three
    years.


    > The thing is, the safest build of the MSVM,
    > the 3810 build, will happily reveal the exact
    > location of the class files on disk**, the
    > Sun VM will not***.

    [...]
    > I am not sure if this actually represents a
    > security hole,


    For unsigned applets, there is no danger to the system, as it can't read
    or write these files. Nor any other file/directory for that matter.
    In this case however, there is an information leak. Depending on your
    point of view, this means there is a security hole (or not).

    Signed applets and applications however, are a different matter. With
    version 1.1, these have full permissions. Especially for applets, I'd say
    this is a security hole.

    Sources:
    http://mindprod.com/jgloss/applet.html#RESTRICTIONS
    http://www.michael-thomas.com/tech/java/javaadvanced/security/


    --
    Oscar Kind http://home.hccnet.nl/okind/
    Software Developer for contact information, see website

    PGP Key fingerprint: 91F3 6C72 F465 5E98 C246 61D9 2C32 8E24 097B B4E2
     
    Oscar kind, Aug 6, 2004
    #4
  5. On Fri, 06 Aug 2004 15:15:54 +0200, zoopy wrote:

    >> Subject: Is this a security hole?

    >
    > Better group for security matters is c.l.j.security...
    > <http://www.physci.org/codes/javafaq.jsp#cljse>


    Good point. I'll cross-post!

    Go on, give that other link,
    you know you want to.. ;-)

    --
    Andrew Thompson
    http://www.PhySci.org/ Open-source software suite
    http://www.PhySci.org/codes/ Web & IT Help
    http://www.1point1C.org/ Science & Technology
     
    Andrew Thompson, Aug 6, 2004
    #5
  6. On Fri, 06 Aug 2004 11:09:39 GMT, Andrew Thompson wrote:

    x-posted to c.l.j.security as these
    c.l.j.programmers would not recognize
    a security hole if they drove through it. ;-)

    > Now that I have your attention, I will admit it
    > only occurs with the MSVM.. No *please* don't
    > plonk this thread..
    >
    > There have been various threads recently that
    > reveal that people are still interested in
    > developing for the MSVM. I, on the other
    > hand, provide tools to 'detect and destroy'
    > the MSVM.
    >
    > I am torn as to whether to encourage *any*
    > developers to code 'down to' the MSVM*.
    >
    > The thing is, the safest build of the MSVM,
    > the 3810 build, will happily reveal the exact
    > location of the class files on disk**, the
    > Sun VM will not***.
    >
    > ( both images <20Kb )
    > ** <http://www.physci.org/test/screenshot/clsmsvm.png>
    >
    > The exact locations of all the classes
    > found is displayed for the user..
    >
    > *** <http://www.physci.org/test/screenshot/clssunvm.png>
    >
    > My applet politely, though inaccurately,
    > reports 'Missing' for the first two entries
    > (both Java core classes) of the Sun VM
    > display when it actually means "get the
    > SecurityAccessException 'outta here"..
    >
    > AFAIR, the Symantec 1.1.5 JVM would not
    > even allow me to catch the exceptions.
    > The applet fails to appear.
    >
    > ..errr. if you have trouble with 'hotlinks' try..
    > <http://www.physci.org/test/screenshot/> and chase links.
    >
    > I am not sure if this actually represents a
    > security hole, or whether it goes against any
    > stated spec by Sun. So, finally to my questions..
    >
    > Does this ability to show the exact class
    > file locations represent a security hole
    > according to any document issued by Sun?
    >
    > Does it violate the spec?
    >
    > Is it (irregardless of the above two) a
    > security hole?
    >
    > * hey.. I have nothing against 1.1/AWT,
    > though it is now becoming difficult to
    > lay your hands on suitable tools and
    > docs to work with 1.1.


    --
    Andrew Thompson
    http://www.PhySci.org/ Open-source software suite
    http://www.PhySci.org/codes/ Web & IT Help
    http://www.1point1C.org/ Science & Technology
     
    Andrew Thompson, Aug 6, 2004
    #6
  7. Andrew Thompson

    zoopy Guest

    On 6-8-2004 17:50, Andrew Thompson wrote:

    > On Fri, 06 Aug 2004 15:15:54 +0200, zoopy wrote:
    >
    >
    >>>Subject: Is this a security hole?

    >>
    >>Better group for security matters is c.l.j.security...
    >><http://www.physci.org/codes/javafaq.jsp#cljse>

    >
    >
    > Good point. I'll cross-post!
    >
    > Go on, give that other link,
    > you know you want to.. ;-)
    >

    Only if you'd multi-post ;-)

    Regards,
    Z.
     
    zoopy, Aug 6, 2004
    #7
  8. On Fri, 6 Aug 2004 17:33:34 +0200, Oscar kind wrote:

    > In this case however, there is an information leak. Depending on your
    > point of view, this means there is a security hole (or not).


    That is where my thinking is going..
    Perhaps Sun was not entirely sure whether
    to restrict it at 1.1, but decided later to
    do so purely on the *chance* the info. could
    be used for malevolent purposes.

    If that is the case that would not be MS'
    fault, but still is a problem (or not*).

    * To be honest, I have not yet figured what
    might be done with the information on where
    the class files lie, short of a need to directly
    'hack' them to introduce further security holes
    or viruses. ....Wait a second!

    --
    Andrew Thompson
    http://www.PhySci.org/ Open-source software suite
    http://www.PhySci.org/codes/ Web & IT Help
    http://www.1point1C.org/ Science & Technology
     
    Andrew Thompson, Aug 6, 2004
    #8