WinPlanet Software Downloads and Reviews for Small Businesses
Java Virus Jumps Out of Sandbox
Vulnerability in JVM Gives Hackers Way into Machine
Jim Wagner

Security researchers are calling attention to what they describe as a "fairly significant" vulnerability in Sun Microsystems' Java virtual machine that gives crackers access to a user's files.

According to iDefense, the vulnerability targets the internal packages within Sun's JVM on certain versions of Java 2, Standard Edition (J2SE) 1.4.2 running on the Unix and Windows platforms with Internet Explorer (IE), Mozilla and Firefox. The JVM allows Java code to run on any platform, regardless of the operating system.

With the JVM breached, the attacker gains access to the user's network, along with privileges to access, download, upload, or execute files on the user's PC or workstation.

Officials at the security outfit confirmed its existence on J2SE 1.4.2_01 and J2SE 1.4.2_04, and suspect it resides in other builds of the Java technology as well. Sun was notified of the exploit June 29 and issued an update to the affected software with build 6, published on the Sun Web site Oct. 11.

According to Michael Sutton, iDefense director, what makes this vulnerability stand out is that Java otherwise has a secure method of preventing Java applets from accessing local data without permission, a restricted environment called the sandbox. For JavaScript code to access these private JVM packages, a user would normally have to sign an online certificate saying they trust the information coming from the issuer before it could execute.

"It's a flaw in the way JavaScript interacts with the Java applets, the way it calls them," he said. "Normally, you should not be able to access anything outside the sandbox and this vulnerability allows you to do so. The exploit itself is pretty trivial, it's not very detailed, it's just a flaw in the implementation."

While iDefense experts say the target user must be running a browser on top of the JVM for the exploit to happen, it's possible to create a cross-platform, cross-browser exploit that would give the attacker the same privileges as the victim.

Users can download the latest version of the J2SE Java Runtime Environment (JRE) 1.4.2 here. A complete list of bugfixes in build 6 can be found here.

A workaround for the vulnerability is to either disable Java or JavaScript, or use a third-party vendor's virtual machine (VM), like the Microsoft VM.

A spokesman for Sun was not immediately reachable.

News courtesy of internetnews.com

November 23, 2004

