Jouko Pynnönen of Online Solutions in Finland discovered a series of severe security vulnerabilities in Microsoft's Java implementation. Some of the vulnerabilities let attackers run arbitrary code through Microsoft Internet Explorer (IE) and Outlook Express. According to a message posted to the NTBugTraq mailing list on September 9, Pynnönen discovered and reported to Microsoft as many as 10 such vulnerabilities during July and August.
Pynnönen said, "Some of these [vulnerabilities] allow file access on [users' systems], some allow access to other resources, and some allow delivery and execution of arbitrary program code on the victim system. These attacks can be carried out when a Web page or mail message containing a hostile [Java] applet is viewed with Internet Explorer or Outlook. In this case the applet [can] upload any program code and start it. The code can [perform] any operations the user can [perform, such as] read or modify files, install or remove programs, etc."
The vulnerabilities are, for the most part, related to code contained in native Java classes--called methods--but some of the vulnerabilities are related to logic errors. Typically, methods are marked as public, protected, or private. Some of the vulnerabilities stem from the security context of various methods, where various methods are improperly exposed.
Pynnönen also said, "An Applet can't contain native methods for [what should be] obvious reasons, but many of the core Java classes contain them. For instance, all file operations are eventually [performed] by native methods. They are used to [perform] operations that aren't possible or practical to do in pure Java. They may [also] be used
for speed-critical parts of the code. Native methods aren't bound by the Java security policies and can access the processor, operating system, memory, and file system. Security-wise, native methods are a weak link. Unlike ordinary Java code, they can contain traditional programming flaws [such as] buffer overflows. If an untrusted Java applet can invoke a native method [that contains] a security flaw, it may be able to escape its [security] sandbox and compromise the system."
Pynnönen said that according to his research, most of the vulnerabilities aren't found in Sun Microsystems' Java code, but instead stem from modifications that Microsoft made to the code. He tested Sun's Java plug-in for the vulnerabilities and found that none of them exist in the plug-in.
To date, Microsoft hasn't issued a patch to correct the problems, but users can protect themselves against exploits by disabling Java within IE until a patch is available. Another alternative for users who still want to use the functionality Java affords is to download Sun's Java Virtual Machine (VM) and use it instead. The VM works with Windows XP, Windows 2000, Windows NT, and Windows 9x.
In June, Microsoft said that because of a legal settlement with Sun, after January 1, 2004, the company can no longer make modifications to Sun's Java code, including security fixes. Microsoft said that due to the settlement, the company would not include Java with Windows after that date.
End of Article
Register
-Install a retail copy of Windows XP Professional on a blank hard drive.
-Go to a web page that uses some Java so you get the "you must first install the Java VM" error message.
-Go to Sun's webpage and download their Java VM.
-Return to the Java-enabled web page and notice how long it takes for the Java applet to run.
To complete the experiment, blank the hard drive and reinstall Windows XP Pro. Go back to the same Java-enabled page but install the Microsoft Java VM instead of Sun's.
Oh, you _WILL_ notice the difference in how much faster the Microsoft JVM is than the Sun JVM. Repeated this experiment three times on an Intel Pentium III - 800MHz white box PC with 640MB of SDRAM on an Abit BH6 motherboard, 32MB Matrox G400 video card and a 6GB Western Digital "Caviar" hard drive using a Linksys NIC connected directly to a cable broadband Internet provider. However, if you still don't believe that Microsoft JVM is faster than the Sun JVM you can replicate this experiment with your own system and see it with your own eyes before you make the choice.
If you're a paranoid nut that thinks Microsoft can do no right and their competitors do no wrong, install the Sun JVM.
I'll take the allegedly buggy and dangerous Microsoft JVM because I want the speed, baby!
Scott McCollum September 12, 2002