JDK 1.1.1 & HotJava 1.0 vulnerability

Aleph One (aleph1@DFW.NET)
Wed, 30 Apr 1997 13:16:48 -0500

http://www.cs.princeton.edu/sip/News.html

April 1997:

We found a serious security flaw in version 1.1.1 of the Java Development
Kit (JDK) and version 1.0 of the HotJava browser, both from Sun.
These systems allow digitally signed applets. If an applet's
signer is labelled as trusted by the local system, then the applet is not
subject to the normal security restrictions. The flaw we found allows an
applet to change the system's idea of who signed it. The applet can get a
list of all the signers known to the local system, determine which, if any, of
those signers is trusted, and then the applet can relabel itself so it
appears to have been signed by a trusted signer. The result is that the
applet can completely evade Java's security mechanisms.

JavaSoft says that the flaw will be fixed in the next release (1.1.2) of the
JDK. The Netscape and Microsoft browsers are not affected, since they do not
currently support the JDK 1.1 code-signing API.

More details will appear here once the flaw has been fixed.

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01