Is this a security hole?

  • Thread starter Andrew Thompson

Andrew Thompson

Now that I have your attention, I will admit it
only occurs with the MSVM.. No *please* don't
plonk this thread..

There have been various threads recently that
reveal that people are still interested in
developing for the MSVM. I, on the other
hand, provide tools to 'detect and destroy'
the MSVM.

I am torn as to whether to encourage *any*
developers to code 'down to' the MSVM*.

The thing is, the safest build of the MSVM,
the 3810 build, will happily reveal the exact
location of the class files on disk**, the
Sun VM will not***.

( both images <20Kb )
** <http://www.physci.org/test/screenshot/clsmsvm.png>

The exact locations of all the classes
found are displayed for the user..

*** <http://www.physci.org/test/screenshot/clssunvm.png>

My applet politely, though inaccurately,
reports 'Missing' for the first two entries
(both Java core classes) of the Sun VM
display when it actually means "get the
SecurityAccessException 'outta here"..

AFAIR, the Symantec 1.1.5 JVM would not
even allow me to catch the exceptions.
The applet fails to appear.

...errr. If you have trouble with 'hotlinks' try..
<http://www.physci.org/test/screenshot/> and chase links.

I am not sure if this actually represents a
security hole, or whether it goes against any
stated spec by Sun. So, finally to my questions..

Does this ability to show the exact class
file locations represent a security hole
according to any document issued by Sun?

Does it violate the spec?

Is it (irregardless of the above two) a
security hole?

* hey.. I have nothing against 1.1/AWT,
though it is now becoming difficult to
lay your hands on suitable tools and
docs to work with 1.1.
 

zoopy

Subject: Is this a security hole?

Better group for security matters is c.l.j.security...
[...]
The exact locations of all the classes
found are displayed for the user..
[...]
My applet politely, though inaccurately,
reports 'Missing' for the first two entries

Which applet? You didn't give us a URL...
Show us your code that displays the location of the classes...

Sorry, couldn't resist ;-)

Regards,
Z.
 

Oscar kind

Andrew Thompson said:
I am torn as to whether to encourage *any*
developers to code 'down to' the MSVM*.

Personally, I'd say "No." But then again, I'm also the person to
encourage end users to upgrade software at least once every three
years.

The thing is, the safest build of the MSVM,
the 3810 build, will happily reveal the exact
location of the class files on disk**, the
Sun VM will not***. [...]
I am not sure if this actually represents a
security hole,

For unsigned applets, there is no danger to the system, as it can't read
or write these files. Nor any other file/directory for that matter.
In this case however, there is an information leak. Depending on your
point of view, this means there is a security hole (or not).

Signed applets and applications however, are a different matter. With
version 1.1, these have full permissions. Especially for applets, I'd say
this is a security hole.

Sources:
http://mindprod.com/jgloss/applet.html#RESTRICTIONS
http://www.michael-thomas.com/tech/java/javaadvanced/security/
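To make the leak Oscar describes concrete, here is a small probe a defender can run to see what a given VM discloses about where class files live, and how a SecurityManager denial shows up. This is an added example, not the applet Andrew posted nor code from any of the posters; the class names probed and the output wording are assumptions, and it reports a denial as such rather than as "Missing".

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.ProtectionDomain;

/**
 * Probe (added example, hypothetical harness): for each class name, report what
 * this VM reveals about the class file's location, and whether a SecurityManager
 * (on JDKs that still support one; deprecated since 17) blocks the lookup.
 */
public class ClassLocationProbe {

    /** Resolves where a class was loaded from, or explains why that is not visible. */
    static String locate(String className) {
        try {
            Class<?> c = Class.forName(className);

            // Path 1: the URL of the .class file itself (file:, jar:file:, jrt:, or null).
            URL url = c.getResource("/" + className.replace('.', '/') + ".class");

            // Path 2: the code source (directory or jar) the class came from.
            // Under a SecurityManager this needs RuntimePermission("getProtectionDomain").
            ProtectionDomain pd = c.getProtectionDomain();
            CodeSource cs = pd.getCodeSource();
            String source = (cs == null || cs.getLocation() == null)
                    ? "bootstrap (no code source exposed)"
                    : cs.getLocation().toString();

            return (url == null ? "resource not visible" : url.toString())
                    + " | code source: " + source;
        } catch (ClassNotFoundException e) {
            return "Missing (class not found)";          // the only case that is really "missing"
        } catch (SecurityException e) {
            return "denied by SecurityManager: " + e;    // an information leak that was prevented
        }
    }

    public static void main(String[] args) {
        // Constructed default list: two core classes and the probe itself.
        String[] probes = args.length > 0 ? args
                : new String[] {"java.lang.Object", "java.awt.Frame", "ClassLocationProbe"};
        for (String name : probes) {
            System.out.println(name + " -> " + locate(name));
        }
    }
}
```

Run it once with no restrictions and once with `-Djava.security.manager` (and whatever policy the deployment actually grants) and compare the two outputs: any line that changes from a concrete path to a denial is information the sandbox was protecting, which is exactly the difference between the two screenshots in the original post.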
 

Andrew Thompson

On Fri, 06 Aug 2004 11:09:39 GMT, Andrew Thompson wrote:

x-posted to c.l.j.security as these
c.l.j.programmers would not recognize
a security hole if they drove through it. ;-)
 

Andrew Thompson

In this case however, there is an information leak. Depending on your
point of view, this means there is a security hole (or not).

That is where my thinking is going..
Perhaps Sun was not entirely sure whether
to restrict it at 1.1, but decided later to
do so purely on the *chance* the info. could
be used for malevolent purposes.

If that is the case that would not be MS'
fault, but still is a problem (or not*).

* To be honest, I have not yet figured what
might be done with the information on where
the class files lie, short of a need to directly
'hack' them to introduce further security holes
or viruses. ....Wait a second!
 
