Re: JDK 1.1.1 Security Flaw Question?

Marianne Mueller (mrm@Eng)
Wed, 7 May 1997 10:45:26 -0700

Date: Wed, 7 May 1997 10:45:26 -0700
Message-Id: <199705071745.KAA19281@puffin.eng.sun.com>
From: Marianne Mueller <mrm@Eng>
To: cmoore@ghg.net
Subject: Re: JDK 1.1.1 Security Flaw Question?

See the explanation online - I think it is described fully
at http://java.sun.com/security/getSigners.html.

The bug is like this.
1. A signed applet comes in.

2. It impersonates any other identity on your list of
identities.

If you have someone marked as a trusted identity, then the signed code
can impersonate that code. It has to be signed by somebody, but the
attack works whether or not you know that somebody.

Since the browser companies don't support Class.getSigners(), there's
really not any way that you would be exposed to this unless you are
using HotJava, in which case I would advise limiting access to trusted
code using HotJava's trust management GUI until the fixed HotJava is
out there. You can severely restrict access to signed applets in
HotJava.

Marianne

> Date: Tue, 06 May 1997 23:26:06 +0100
> From: Carroll Moore <cmoore@ghg.net>
> Reply-To: cmoore@ghg.net
> Organization: The HAMLET Group
>
> Am I correct in assuming then that if I load code with a signature and
> that signature does NOT appear in my list of trusted signatures then
> that code can NOT exploit the flaw?
>
> Carroll Moore
>