A group of scientists from Princeton University have discovered a new security flaw in Java that allows hackers to gain unauthorized access to a computer by impersonating a "trusted" software vendor. The flaw was found in Sun's new Java Development Kit (JDK) 1.1, which employs a digital signature security system similar to Microsoft's Authenticode technology for ActiveX controls.
"The flaw we found allows an applet to change the system's idea of who signed it," according to text on the Princeton team's Web site. "The applet can get a list of the all signers known to the local system, determine which if any of those signers is trusted, and then the applet can relabel itself so it appears to have been signed by a trusted signer. The result is that the applet can completely evade Java's security mechanisms."
Sun's JavaSoft division announced today that they are aware of the problem and will release a bug fix for the JDK within the next 48 hours. A new release of the JDK, version 1.12, due in two weeks, will also fix the bug.
Marianne Mueller, a security expert at JavaSoft, said the company was notified of the problem last Tuesday and has been working on a fix since then. Why they didn't go public with this information for a week is unknown, but Sun is painfully aware of the comparisons to recent ActiveX security problems, which they loudly harassed at a recent Java conference.
Netscape's Communicator and Sun's HotJava Web browsers are both potentially susceptible to the bug, since they use the JDK 1.1. Microsoft's Internet Explorer does not use this version of the JDK and is not affected by this latest security problem.
JavaSoft's Mueller pointed out that the chances of someone being affected by this bug are slim. "It would be like poking in the dark," she said. "They would have to figure out a likely identity they would want to assume."
This, of course, is equally true of every bug found in ActiveX and Internet Explorer in the past month as well but that didn't stop Sun from coming down hard on Microsoft