ITworld.com
Java Web Start Security Vulnerability
JAVA SECURITY --- 08/09/2002

Todd Sundsted

Coming on the heels of a number of similar vulnerabilities, Jelmer Kuperus, a software developer in the Netherlands, found and published a flaw in Sun's Java Web Start software that, in conjunction with known flaws in Internet Explorer, may allow untrusted and possibly malicious code to execute on a target system. 

Java Web Start (JWS) is Sun's solution to the problem of deploying applications to multiple machines over a network. With Java Web Start, users can download and execute applications from within a browser. To improve performance, application components including code and resources such as images are cached on disk once they are downloaded.

With any scheme that runs downloaded code, security is clearly important. Java Web Start relies for its security on the familiar security infrastructure built into the Java platform: bytecode verification, security policies, permissions, and protection domains.

The published exploit depends on the fact that JWS application components are cached on disk in predictable locations. The exploit stores executable content in an innocuously named file, such as "image.gif". A flaw in Internet Explorer then allows that content to be executed.
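The weakness described above is that a cached component's name says nothing about what the file actually contains. One defensive check a practitioner can run over a cache directory is to compare each file's extension with its leading magic bytes and report anything that does not match. The script below is an added example written for this article, not code from Sun, Jelmer Kuperus, or the Java Web Start product; it assumes the cache is an ordinary directory tree of files, uses a small table of well-known file signatures, and builds its own constructed sample cache in a temporary directory so it runs offline.

```python
"""
Flag cache entries whose declared extension disagrees with their content,
for example an executable or an HTML document stored as "image.gif".
Added example, not part of the original article. Assumes a plain directory
tree; the signature table covers only a few common types.
"""
import os
import tempfile

# Leading-byte signatures for a handful of common content types.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/jar",
    b"MZ": "pe executable",
    b"\x7fELF": "elf executable",
}

# Content types that are legitimate for a given file extension.
EXPECTED = {
    ".gif": {"gif"},
    ".png": {"png"},
    ".jpg": {"jpeg"},
    ".jpeg": {"jpeg"},
    ".jar": {"zip/jar"},
    ".zip": {"zip/jar"},
}


def detect_type(data: bytes) -> str:
    """Return a content-type label for the first bytes of a file."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    # Markup is usually preceded by whitespace; check a lowercased prefix.
    head = data.lstrip()[:16].lower()
    if head.startswith((b"<html", b"<!doctype", b"<script")):
        return "html"
    return "unknown"


def scan_cache(root: str):
    """Walk the cache and return (relative path, extension, detected type)
    for every file whose content does not match its extension."""
    mismatches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            allowed = EXPECTED.get(ext)
            if allowed is None:
                continue  # extension not in our table; nothing to compare against
            with open(path, "rb") as f:
                head = f.read(32)
            actual = detect_type(head)
            if actual not in allowed:
                mismatches.append((os.path.relpath(path, root), ext, actual))
    return sorted(mismatches)


# Constructed sample cache: three honest files and two whose names lie.
SAMPLE_FILES = {
    "good.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "app.jar": b"PK\x03\x04\x14\x00\x00\x00",
    "image.gif": b"MZ\x90\x00\x03\x00\x00\x00",   # constructed: executable header under an image name
    "page.gif": b"  <html><script>",              # constructed: markup under an image name
}


def build_sample_cache(root: str) -> None:
    """Write the constructed sample files into `root`."""
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)


def demo():
    """Build the sample cache in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_cache(root)
        return scan_cache(root)


if __name__ == "__main__":
    for rel_path, ext, actual in demo():
        print(f"{rel_path}: extension {ext} but content looks like {actual}")
```

Running the script reports `image.gif` and `page.gif` as mismatches and stays silent on the three honest files. A check like this is only a heuristic (it trusts the first 32 bytes and knows a few signatures), but it captures the point the article makes: a cache that accepts arbitrary bytes under a benign name gives another component, here the browser, something it may be willing to execute.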

Strictly speaking, this is an Internet Explorer bug that depends on questionable behavior in the Java Web Start application. It does, however, illuminate how software features are often at odds with software security. It's too bad that features sell software. The flaw also illustrates how unexpected interactions between otherwise secure applications can weaken the security of a system.

 

Todd Sundsted has been writing software since computers became available in desktop models. His interests include security, distributed computing, and the dynamics of massively fine-grained architectures. In addition to writing, Todd codes. Todd can be reached at Todd.Sundsted@itworld.com.



Copyright © Computerworld, Inc. All rights reserved