Multiple vendor Java bytecode verifier can be used to bypass Java security restrictions
| java-bytecode-verifier-bypass (10713) |  High Risk |
Description:
Multiple vendor Java implementations, including Microsoft Virtual Machine (VM), Sun Microsystems JDK, and Netscape Communicator's Java Virtual Machine, could allow a remote attacker to bypass Java security restrictions, caused by a vulnerability in the Bytecode Verifier code analysis mechanism. A remote attacker could create a Java Applet that uses malicious bytecode instructions to create new instances of objects without calling the proper initialization method from the class constructor, but would cause the Bytecode Verifier to interpret that proper initialization of all objects has occurred. An attacker could exploit this vulnerability to bypass Java security restrictions and perform malicious actions on the victim's computer, including gaining read and write access to the file system, and possibly executing arbitrary code on the victim's computer.
Platforms Affected:
- Microsoft, Internet Explorer 4.0
- Microsoft, Internet Explorer 4.0.1
- Microsoft, Internet Explorer 5.0
- Microsoft, Internet Explorer 5.01
- Microsoft, Internet Explorer 5.5
- Microsoft, Internet Explorer 6
- Microsoft, Java Virtual Machine 5.0.3805
- Netscape, Communicator 4.0
- Netscape, Communicator 4.06
- Netscape, Communicator 4.07
- Netscape, Communicator 4.08
- Netscape, Communicator 4.4
- Netscape, Communicator 4.5
- Netscape, Communicator 4.51
- Netscape, Communicator 4.6
- Netscape, Communicator 4.61
- Netscape, Communicator 4.7
- Netscape, Communicator 4.72
- Netscape, Communicator 4.73
- Netscape, Communicator 4.74
- Netscape, Communicator 4.75
- Netscape, Communicator 4.76
- Netscape, Communicator 4.77
- Netscape, Communicator 4.78
- Netscape, Communicator 4.79
- Sun, JDK
- Sun, JRE
- Sun, SDK
Remedy:
Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS03-011. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS02-069, but it was superseded by the patch released with MS03-011.
For Sun Microsystems SDK and JRE:
Upgrade to the latest version of SDK or JRE, as listed below. Refer to Sun Alert ID: 49304 for more information. See References.
SDK and JRE 1.4.1_01 or later
SDK and JRE 1.4.0_03 or later
SDK and JRE 1.3.1_06 or later
SDK and JRE 1.2.2_01 or later
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Bypass Security
References:
- BugTraq Mailing List, 2002-11-21 2:44:18, [LSD] Java and JVM security vulnerabilities at http://marc.theaimsgroup.com/?l=bugtraq&m=103798147613151&w=2.
- CIAC Information Bulletin N-026, Flaw in Microsoft VM Could Enable System Compromise at http://www.ciac.org/ciac/bulletins/n-026.shtml.
- Microsoft Security Bulletin MS02-069, Flaw in Microsoft VM Could Enable System Compromise (810030) at http://www.microsoft.com/technet/security/bulletin/ms02-069.mspx.
- Microsoft Security Bulletin MS03-011, Flaw in Microsoft VM Could Enable System Compromise (816093) at http://www.microsoft.com/technet/security/bulletin/ms03-011.mspx.
- Sun Alert ID: 49304, Java VM Allows Constructors not to Call Other Constructors at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49304&zone_32=category%3Asecurity.
- BID-6221: Microsoft Java Virtual Machine Bytecode Verifier Vulnerability
- BID-6224: Sun/Netscape Java Virtual Machine Bytecode Verifier Vulnerability
- BID-6371: Microsoft Java Virtual Machine COM Object Access Validation Vulnerability
- CVE-2002-1257: Microsoft Virtual Machine (VM) up to and including build 5.0.3805 allows remote attackers to execute arbitrary code by including a Java applet that invokes COM (Component Object Model) objects in a web site or an HTML mail.
Reported:
Nov 21, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net