Malicious Java code uses IE to access
By Stephen Shankland
Staff Writer, CNET News.com August 30, 1999
Researchers have created a malicious Java program that takes advantage of a security hole in Microsoft's Internet Explorer browser to get unlimited control over a Windows-based computer.
Within two days of hearing about the problem, Microsoft wrote and issued a patch to fix it, a spokeswoman for the company said.
Through the security hole, a malicious Java program called an "attack applet" could "install a virus, read your email, write a file, set up a monitoring station, turn on your microphone," said Gary McGraw, a Java security expert and co-author of the book Securing Java. "It could do anything. It's way worse" than a bug that just crashes a computer, he said.
Java is a technology created by Sun Microsystems that allows programs to be sent across a network and run on any Java-enabled computer.
The glitch was discovered by Edward Felten of the Secure Internet Programming team at Princeton University and two of his former students, Dean Wallach at Rice University and Drew Dean at Xerox PARC, McGraw said. The researchers reported the hole to Microsoft, and it hasn't been used otherwise maliciously to McGraw's knowledge.
The glitch only affected Microsoft's Java software on computers running Windows 95, 98, or NT, McGraw and Microsoft said. Netscape Web browsers and Microsoft Web browsers for Macintosh or other computers aren't affected.
"The flaw itself was pretty easy to find, but writing the exploit was kind of difficult," said McGraw, who has spoken with the discoverers of the vulnerability.
A hole in the Java sandbox Java is more than just a programming language. Designed into the technology is the ability to run software sent across computer networks, a concept known as "mobile code." For example, a Java-enabled Web browser can download and run a Java program called an "applet" from a Web site.
But with the advantages of mobile code comes a threat, too. Sun Microsystems, which invented the Java technology, tried to head off these problems in advance by restricting the types of actions that downloaded Java programs. The technique confines the applet to a harmless zone called the "sandbox."
But the new vulnerability evades that sandbox in Internet Explorer. The attack applet takes advantage of a glitch in a piece of Java software called the class loader, whose job it is to load Java software into the computer's memory, McGraw said.
The problem is made worse by the fact that the attack applet can be delivered by email, the discoverers said. "The flaw allows the creation of a malicious applet that is attached to a [Web] page, which could be delivered...by email via Outlook or other mail programs that use Microsoft's Java virtual machine," the discovers wrote on their Web site.
That means that a clever programmer could create a malicious program that propagated itself the same way as the Melissa virus, McGraw said.
Sun's Java is pretty secure technology, though problems crop up from time to time, McGraw said. "Java is head and shoulders above everything else from the perspective of mobile code, but that that doesn't mean it's perfect. Unfortunately, you have to be perfect in order to be secure," he said.
Java is still better than Microsoft's equivalent technology, ActiveX, which doesn't have a sandbox, McGraw said. ActiveX security relies on the concept of the mobile code coming from a trusted source that has "signed" the program. "The best idea is to turn [ActiveX] off and leave it off," McGraw said.