Sun, Microsoft tackle security flaws (2000)
San Mateo, Calif. (August 8, 2000) - Sun Microsystems Inc. and Microsoft Corp. are investigating security flaws that have popped up involving the use of Java in Netscape Communications Corp.'s Navigator browser and a Trojan horse-style intrusion in Microsoft Word documents.
The Java bug, Brown Orifice (BO), uses Netscape's Java implementation to let an unsigned Java applet read and serve files from a user's computer.
The issue can be prevented by disabling Java; Sun and Netscape are still working to confirm the bug and find a fix.
"We take any kind of security issue very seriously and we're working with Netscape right now to ascertain if this is a security issue," said David Harrah, a spokesperson for Palo Alto, Calif.-based Sun Microsystems. "If it is, we hope to have a patch out that's downloadable for people to bring in as soon as possible."
By exploiting the Java vulnerability, an outside server can access arbitrary files on the compromised computer through file URLs, said Chris Rouland, a director of the X-Force security group at Internet Security Systems, in Atlanta.
Rouland said all versions of Netscape Navigator, and Netscape Communicator versions 4.74 and earlier, are vulnerable when Java is enabled.
Mountain View, Calif.-based Netscape is owned by Internet giant America Online Inc., based in Dulles, Virginia. AOL spokesman Andrew Weinstein said the company is evaluating the discovered vulnerability and plans to make a patch available. In the interim, however, he advises users to protect themselves by simply turning off Java altogether. The hole is closed once users exit the browser, Weinstein said.
Netscape's workaround is inadequate, said Rouland, because it would greatly inhibit users' ability to use and visit Websites. Given the flaw's seriousness, he suggested that users instead switch to another browser until it is corrected.
"The fact that the code is out there published means any script kiddie can copy this and plug it into a Website infrastructure and compromise a site," Rouland said. "We consider it a serious attack tool because the first day of any attack is information-stealing."
When a hostile Java applet is launched from a hostile Web page, it downloads a set of socket classes that let it run a Web server inside the browser's Java runtime environment. Using the socket class together with file URLs, the exploit code can reach any local file, including any network file reachable through file sharing from the local system, ISS officials said.
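To make the sandbox boundary concrete, here is an added Python model (not Netscape's, Sun's or ISS's code) of the checks an applet runtime is expected to apply to an unsigned applet; the rule set, host names and file paths are assumed for illustration. Run against the action sequence the article describes, it denies the listening socket and the file-URL reads while allowing the fetch of extra classes from the applet's origin.

```python
from urllib.parse import urlparse


class SecurityViolation(Exception):
    """Raised when an action falls outside the unsigned-applet sandbox."""


class AppletSandbox:
    """Assumed rule set modelling the classic applet sandbox: unsigned code may
    only connect back to its origin host, may not listen, may not open file: URLs."""

    def __init__(self, codebase: str, signed: bool = False):
        self.origin = (urlparse(codebase).hostname or "").lower()
        self.signed = signed

    def check_connect(self, host: str) -> None:
        # Unsigned code may only talk back to the host it was loaded from.
        if not self.signed and host.lower() != self.origin:
            raise SecurityViolation(f"connect to {host}: not the origin {self.origin}")

    def check_listen(self, port: int) -> None:
        # A listening socket turns the browser into a server; never allowed unsigned.
        if not self.signed:
            raise SecurityViolation(f"listen on port {port}: unsigned applet")

    def check_open_url(self, url: str) -> None:
        # file: URLs reach the local disk and any share reachable from it.
        if not self.signed and urlparse(url).scheme.lower() == "file":
            raise SecurityViolation(f"open {url}: local file access")


def audit(sandbox: AppletSandbox, actions: list) -> list:
    """Evaluate (kind, argument) actions; return the denied ones with reasons."""
    dispatch = {"connect": sandbox.check_connect, "listen": sandbox.check_listen,
                "open": sandbox.check_open_url}
    denied = []
    for kind, arg in actions:
        try:
            dispatch[kind](arg)
        except SecurityViolation as exc:
            denied.append((kind, str(exc)))
    return denied


# Constructed action sequence mirroring the behaviour the article describes.
BROWN_ORIFICE_STEPS = [
    ("connect", "applets.example"),             # fetch extra classes from origin: allowed
    ("listen", 8080),                           # start a Web server inside the browser
    ("open", "file:///C:/docs/private.txt"),    # serve a local file via a file URL
    ("open", "file://fileserver/share/x.doc"),  # ... or a reachable network share
]
```

`audit(AppletSandbox("http://applets.example/bo/"), BROWN_ORIFICE_STEPS)` returns the three denied steps; the same sequence under a signed applet returns an empty list.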
Unlike other browsers, Netscape does not raise an error when a Java applet tries to open a local file, said Elias Levy, chief technology officer at San Mateo, Calif.-based SecurityFocus.com.
Despite the privacy and information protection implications, Levy said the Netscape vulnerability is somewhat limited in how much damage it can inflict on computers and how far it can spread.
"You can't really use it to hop from machine to machine," said Levy. The attack depends on enticing users to visit the external Web server, which would then access their files, Levy said.
Microsoft Internet Explorer and the Mozilla.org browser have been tested and do not have a similar vulnerability at this time, Rouland said.
Even after its release, the patch will only be a short-term solution, Weinstein said, because Netscape plans to release Netscape 6.0 later this year. To his knowledge, the flaw is not present in the new browser.
The Microsoft security problem, reported by bug-finder Georgi Guninski, involves Word documents, received as email attachments or opened from Websites, that use Word's Mail Merge function to open an Access database controlled by the malicious user and run code on the victim's computer. Data could be exposed, or the malicious user could take over the computer altogether, according to Guninski.
Microsoft was alerted to the flaw on Sunday evening and is continuing to investigate the problem, said Scott Culp, product manager for Redmond, Wash.-based Microsoft's security response team.
"The fact of the matter is, Word is used on millions of users' computers in thousands of different scenarios, some of them Internet-based, some of them intranet-based, some of them on different OSes with different service packs, and there's always the possibility that any of those variables has something to do with whether a reported vulnerability actually reproduces or not," he said.
Culp said that so far the company has found that "there are some very high hurdles that would have to be cleared in order to use this reported issue." These hurdles include visiting a malicious Website, ignoring the security prompt that pops up before a Web-hosted Word or Office document opens, and voluntarily placing files from the malicious user on your computer.
"The demo that [Guninski] sent around said 'See how this demo works, put these files on your machine, then open up a Word document,'" added Culp. "That's not a real safe practice, and the investigation so far looks like, in almost every case, you're going to have to agree to put that Access database on your local machine or network, and you're going to have to put them in a predetermined place where the malicious user wants you to put them. That's a high hurdle requiring that the victim take the malicious payload and put it on his machine first so that Word document will have something to run."
The Word bug can be avoided if a user has implemented the Office Mail security update from three months ago or the Office Document Open Confirmation (ODOC) tool, both of which create a prompt before opening Word documents from Websites. Culp said the recent Outlook security update also addresses the issue, but that the best way to avoid the whole situation is to carefully consider any files you are asked to place on your computer.
"Anytime strangers offer you candy, you really need to think about whether you want to accept it or not," he said. "If a stranger offers you a program and says 'Put this on your machine,' you really need to think a little bit about what their motivations are."
Culp attributed the recent spate of Microsoft security issues partly to the company's large user base, which makes it an attractive target for hackers and other malicious users, and partly to the fact that the company encourages people to report security flaws. However, Culp feels Microsoft was hamstrung by the way this particular case was reported.
"The responsible way to handle a security vulnerability report is to let the vendor know you believe you've found a potential vulnerability in their product so they can investigate it," explained Culp. "That wasn't done in this case, and it's really unfortunate because the result has been that customers have been unnecessarily frightened about this issue because we were given a grand total of fewer than 12 hours between the initial report of the vulnerability and the time it went public. The goal at the end of the day is to protect customers, and responsible reporting practices suggest that the right way is to give the vendor a chance to do the investigation."