             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center

                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   Java Applet Can Redirect Browser Traffic
                       [Sun Security Bulletin #00216]
                   [Microsoft Security Bulletin MS02-013]

March 5, 2002 19:00 GMT                                           Number M-052
[Revised 6 March 2002]
______________________________________________________________________________
PROBLEM:       A vulnerability exists in Java that may allow a malicious
               applet to monitor requests from an HTTP proxy server.
PLATFORM:      Netscape 6.1, 6.0.1, and 6.0 are affected since they include
               an affected version of the Java Runtime Environment.
               The default Java runtime environments of Netscape
               Communicator version 4.79 and earlier are affected.
               All builds of the Microsoft VM up to and including the
               build 3802.
               Microsoft VM runs atop Microsoft Windows 95, 98, ME, NT 4.0,
               2000 and XP.
               Microsoft VM ships as part of Windows 98, ME, and Windows
               2000 and also as part of Internet Explorer 5.5 and earlier.
DAMAGE:        An attacker could use this vulnerability to send a user’s
               Internet session to a system under his control without the
               user being aware. The attacker could capture and save the
               user’s session information thereby enabling him to execute a
               replay attack or to search for sensitive information such as
               user names or passwords.
SOLUTION:      Apply the appropriate patch or upgrade the required software.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. The vulnerability only affects configurations
ASSESSMENT:    that utilize a proxy server and the malicious applet must be
               on the system.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-052.shtml
 ORIGINAL BULLETIN:  * Sun:
                       http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/216&type=0&nav=sec.sba
                     * Microsoft:
                       http://www.microsoft.com/technet/security/bulletin/MS02-013.asp
______________________________________________________________________________
[Revision 03/06/02: Sun Microsystems released bulletin]

[***** Start Sun Security Bulletin #00216 *****]

-----BEGIN PGP SIGNED MESSAGE-----

________________________________________________________________________________
                   Sun Microsystems, Inc. Security Bulletin

Bulletin Number:  #00216
Date:             March 4, 2002
Cross-Ref:
Title:            HttpURLConnection
________________________________________________________________________________

The information contained in this Security Bulletin is provided "AS IS."
Sun makes no warranties of any kind whatsoever with respect to the
information contained in this Security Bulletin. ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF
NON-INFRINGEMENT OR IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT
ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF
LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION
CONTAINED IN THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable
law, void, or unenforceable in any jurisdiction, then such provisions are
waived to the extent necessary for this disclaimer to be otherwise
enforceable in such jurisdiction.
________________________________________________________________________________

1.  Background

    A vulnerability in the Java(TM) Runtime Environment may allow an
    untrusted applet to monitor requests to and responses from an HTTP
    proxy server when a persistent connection is used between a client
    and an HTTP proxy server.

    The full and custom installations of Netscape 6.1, 6.0.1, and 6.0 are
    affected since they include an affected version of the Java Runtime
    Environment. The default Java runtime environments of Netscape(TM)
    Communicator version 4.79 and earlier are affected. For more
    information, see

        http://home.netscape.com/security

    Microsoft VM up to and including build 3802 is affected. For more
    information, see

        http://www.microsoft.com/technet/security/bulletin/MS02-013.asp

    This issue may or may not affect other vendors' Java technology
    implementations which are derived from Sun's SDK and JDK(TM) source
    bases. Sun has notified and made the remedy available to its Java
    technology licensees.

    Sun recommends that users of affected releases upgrade to the latest
    SDK, JDK, and JRE releases listed in section 3 of this bulletin.

2.  Affected Releases

    The following releases are affected:

    Windows Production Releases

        SDK and JRE 1.3.0_02 or earlier
        SDK and JRE 1.2.2_010 or earlier
        JDK and JRE 1.1.8_007 or earlier

    Solaris(TM) Operating Environment (OE) Reference Releases

        SDK and JRE 1.2.2_010 or earlier
        JDK and JRE 1.1.8_007 or earlier

    Solaris Production Releases

        SDK and JRE 1.3.0_02 or earlier
        SDK and JRE 1.2.2_10 or earlier
        JDK and JRE 1.1.8_13 or earlier

    Linux Production Releases

        SDK and JRE 1.3.0_02 or earlier
        SDK and JRE 1.2.2_010 or earlier

    Releases prior to SDK and JRE 1.2.2, and JDK and JRE 1.1.8 for Windows
    and Solaris are also affected and should no longer be used. Users of
    these releases should upgrade to a later release listed in Section 3.

    This vulnerability does not affect the Java 2 SDK, Standard Edition,
    versions 1.4 and 1.3.1.

3.  Latest Releases

    Windows Production Releases

        SDK and JRE 1.4         http://java.sun.com/j2se/1.4/
        SDK and JRE 1.3.1_02    http://java.sun.com/j2se/1.3/
        SDK and JRE 1.2.2_011   http://java.sun.com/j2se/1.2/
        JDK and JRE 1.1.8_009   http://java.sun.com/products/jdk/1.1/download-jdk-windows.html

    Solaris OE Reference Releases

        SDK and JRE 1.2.2_011   http://java.sun.com/j2se/1.2/
        JDK and JRE 1.1.8_009   http://java.sun.com/products/jdk/1.1/download-jdk-solaris.html

    Solaris OE Production Releases

        SDK and JRE 1.4         http://java.sun.com/j2se/1.4/
        SDK and JRE 1.3.1_02    http://java.sun.com/j2se/1.3/
        SDK and JRE 1.2.2_11    http://java.sun.com/j2se/1.2/
        JDK and JRE 1.1.8_15    http://java.sun.com/products/jdk/1.1/download-jdk-solaris.html

    Linux Production Releases

        SDK and JRE 1.4         http://java.sun.com/j2se/1.4/
        SDK and JRE 1.3.1_02    http://java.sun.com/j2se/1.3/
        SDK and JRE 1.2.2_011   http://java.sun.com/j2se/1.2/

_______________________________________________________________________________

Sun acknowledges, with thanks, Harmen van der Wal for bringing this issue
to our attention.
_______________________________________________________________________________

APPENDICES

A.  Sun security bulletins are available at:

        http://sunsolve.sun.com/security

B.  Sun Security Coordination Team's PGP key is available at:

        http://sunsolve.sun.com/pgpkey.txt

C.  To report or inquire about a security problem with Sun software,
    contact one or more of the following:

        - Your local Sun answer centers
        - Your representative computer security response team, such as CERT
        - Sun Security Coordination Team. Send email to:

              security-alert@sun.com

D.  To receive information or subscribe to our CWS (Customer Warning System)
    mailing list, send email to:

        security-alert@sun.com

    with a subject line (not body) containing one of the following commands:

    Command         Information Returned/Action Taken
    _______         _________________________________

    help            An explanation of how to get information

    key             Sun Security Coordination Team's PGP key

    list            A list of current security topics

    query [topic]   The email is treated as an inquiry and is forwarded to
                    the Security Coordination Team

    report [topic]  The email is treated as a security report and is
                    forwarded to the Security Coordination Team. Please
                    encrypt sensitive mail using Sun Security Coordination
                    Team's PGP key

    send topic      A short status summary or bulletin. For example, to
                    retrieve a Security Bulletin #00138, supply the
                    following in the subject line (not body):

                        send #138

    subscribe       Sender is added to our mailing list. To subscribe,
                    supply the following in the subject line (not body):

                        subscribe cws your-email-address

                    Note that your-email-address should be substituted
                    by your email address.

    unsubscribe     Sender is removed from the CWS mailing list.
________________________________________________________________________________

Copyright 2002 Sun Microsystems, Inc. All rights reserved. Sun, Sun
Microsystems, the Sun logo, Solaris, Java, and JDK are trademarks or
registered trademarks of Sun Microsystems, Inc. in the United States and
other countries. Netscape is a trademark or registered trademark of
Netscape Communications Corporation in the United States and other
countries. This Security Bulletin may be reproduced and distributed,
provided that this Security Bulletin is not modified in any way and is
attributed to Sun Microsystems, Inc. and provided that such reproduction
and distribution is performed for non-commercial purposes.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPIPtoLdzzzOFBFjJAQFWuwP9HgvRtnf8xUhKEJGjrnArnmDYMhgZd00g
hy/42CYBO2/eS1NySCVlE4VBf58aF5AESaqC48jdipziTswOwuiL1GwmDOjH8Dx1
/txwiL3JdYccI+8ZvWsd+qG8Hc3YgtYv+8xEfJwrgU79eNbAMY+D7dDWT9DFj5iJ
U/xq+oC+z6M=
=A2CN
-----END PGP SIGNATURE-----

[***** End Sun Security Bulletin #00216 *****]

[***** Start Microsoft Security Bulletin MS02-013 *****]

Microsoft Security Bulletin MS02-013

Java Applet Can Redirect Browser Traffic

Originally posted: March 04, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Internet
Explorer® in a configuration where a proxy server is interposed between
the browser and the Internet.

Impact of vulnerability: Information Disclosure

Maximum Severity Rating: Critical

Recommendation: Customers using IE in a proxy server configuration as
indicated above should immediately apply the patch.

Affected Software:

Versions of the Microsoft virtual machine (Microsoft VM) are identified by
build numbers, which can be determined using the JVIEW tool as discussed
in the FAQ. The following builds of the Microsoft VM are affected:

  - All builds of the Microsoft VM up to and including build 3802.

Technical description:

The Microsoft VM is a virtual machine for the Win32® operating
environment. It runs atop Microsoft Windows® 95, Microsoft Windows 98, ME,
Windows NT® 4.0, Windows 2000® and Windows XP. It ships as part of
Windows 98, ME, and Windows 2000 and also as part of Internet Explorer 5.5
and earlier.

The version of the Microsoft VM that ships with Internet Explorer version
4.x and 5.x contains a flaw affecting how Java requests for proxy
resources are handled. A malicious Java applet could exploit this flaw to
re-direct web traffic once it has left the proxy server to a destination
of the attacker’s choice.

An attacker could use this flaw to send a user’s Internet session to a
system of his own control, without the user being aware of this. The
attacker could then forward the information on to the intended
destination, giving the appearance that the session was behaving normally.
The attacker could then send his own malicious response, making it seem to
come from the intended destination, or could discard the session
information, creating the impression of a denial of service. Additionally,
the attacker could capture and save the user’s session information. This
could enable him to execute a replay attack or to search for sensitive
information such as user names or passwords.

A system is only vulnerable if IE is used in conjunction with a proxy
server. Users whose browsers are not behind a proxy server are not
vulnerable to this vulnerability. However, those users would be vulnerable
if they changed their browser to use a proxy server at a later date.

Mitigating factors:

  - The vulnerability only affects configurations that utilize a proxy
    server. Customers who are not using a proxy server are not at risk
    from this vulnerability.
  - Best practices strongly recommend using SSL to encrypt sensitive
    information such as user names, passwords and credit card numbers. If
    this has been done, sensitive information will be protected from
    examination and disclosure by an attacker exploiting this
    vulnerability.

Severity Rating:

                               Internet    Intranet    Client
                               Servers     Servers     Systems
  Microsoft VM (all versions)  Moderate    Moderate    Critical

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. This vulnerability
affects the disclosure of personal information, and is most likely to have
an impact on client systems.

Vulnerability identifier: CAN-2002-0058

Tested Versions:

Microsoft tested Microsoft VM builds 3167 and later, which ship with IE
5.0 and later to assess whether they are affected by this vulnerability.
Previous versions are no longer supported, and may or may not be affected
by these vulnerabilities.

Patch availability

Download locations for this patch

  - Upgrade to Microsoft VM build 3805 or later at
    http://www.microsoft.com/java/vm/dl_vm40.htm

Additional information about this patch

Installation platforms:

The updated Microsoft VM can be installed on systems that don’t have a
Microsoft VM already installed or that are running a previous version of
the Microsoft VM.

Inclusion in future service packs:

The fix for this issue may be included in future service packs.

Reboot needed: Yes

Superseded patches: MS99-045 MS00-011 MS00-059 MS00-059 MS00-081

Verifying patch installation:

After downloading and installing the updated Microsoft VM, reboot the
machine and follow the instructions above for determining the build
number. The Microsoft VM build number should show as version 3805 or
later.

Caveats: None

Localization: This patch will install all language versions.

Obtaining other security patches:

Patches for other security issues are available from the following
locations:

  - Security patches are available from the Microsoft Download Center, and
    can be most easily found by doing a keyword search for
    "security_patch".
  - Patches for consumer platforms are available from the WindowsUpdate
    web site
  - All patches available via WindowsUpdate also are available in a
    redistributable form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments

Microsoft thanks Harmen van der Wal for reporting this issue to us and
working with us to protect customers.

Support:

  - Microsoft Knowledge Base article Q300845 discusses this issue and will
    be available approximately 24 hours after the release of this
    bulletin. Knowledge Base articles can be found on the Microsoft Online
    Support web site.
  - Technical support is available from Microsoft Product Support
    Services. There is no charge for support calls associated with
    security patches.
Security Resources:

The Microsoft TechNet Security Web Site provides additional information
about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

  - V1.0 (March 04, 2002): Bulletin Created.

[***** End Microsoft Security Bulletin MS02-013 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems, Inc. and
Microsoft Corporation for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health
(NIH). CIAC is located at the Lawrence Livermore National Laboratory in
Livermore, California. CIAC is also a founding member of FIRST, the Forum
of Incident Response and Security Teams, a global organization established
to foster cooperation and coordination among computer security teams
worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP
M-043: Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability
M-044: SQL Server Remote Data Source Function Contain Unchecked Buffers
M-045: Microsoft Incorrect VBScript Handling in IE
M-046: Red Hat "ncurses" Vulnerability
M-047: Oracle PL/SQL EXTPROC Database Vulnerability
M-048: Oracle 9iAS Default Configuration Vulnerability
M-049: Multiple PHP Vulnerabilities
M-050: Data Leak with Cisco Express Forwarding
M-051: Microsoft XMLHTTP Control Vulnerability
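
Added example (not part of the CIAC, Sun or Microsoft bulletins): a triage check that classifies a reported JRE version string or Microsoft VM build number against sections 2 and 3 of the Sun bulletin and the build numbers in MS02-013. The platform labels, function names and the "unlisted" status for versions the bulletins do not mention are assumptions of this example.

```python
import re

# Per platform and release family: (last affected update, first listed fixed
# update), transcribed from sections 2 and 3 of the Sun bulletin. Platform
# keys are labels chosen for this example. 1.3.0 has no fixed update of its
# own; the bulletin lists 1.3.1_02 as the replacement.
RELEASES = {
    "windows": {(1, 3, 0): (2, None), (1, 2, 2): (10, 11), (1, 1, 8): (7, 9)},
    "solaris-reference": {(1, 2, 2): (10, 11), (1, 1, 8): (7, 9)},
    "solaris-production": {(1, 3, 0): (2, None), (1, 2, 2): (10, 11),
                           (1, 1, 8): (13, 15)},
    "linux": {(1, 3, 0): (2, None), (1, 2, 2): (10, 11)},
}
MSVM_LAST_AFFECTED = 3802   # MS02-013: builds up to and including 3802
MSVM_FIRST_FIXED = 3805     # MS02-013: upgrade to build 3805 or later

_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[_-](\d+))?")


def parse_version(text):
    """Return ((major, minor, micro), update) from text such as '1.2.2_010'."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError("no version number in %r" % text)
    major, minor, micro, update = m.groups()
    # int() drops leading zeros, so _010 and _10 compare as the same update.
    return (int(major), int(minor), int(micro or 0)), int(update or 0)


def jre_status(version_text, platform):
    """Classify a JRE/SDK version as affected, fixed, not affected or unlisted."""
    family, update = parse_version(version_text)
    # The bulletin names 1.3.1 and 1.4 as not affected; treating anything
    # later the same way is an assumption of this example.
    if family >= (1, 3, 1):
        return "not affected"
    listed = RELEASES[platform].get(family)
    if listed:
        last_affected, first_fixed = listed
        if update <= last_affected:
            return "affected"
        if first_fixed is not None and update >= first_fixed:
            return "fixed"
        return "unlisted"   # e.g. 1.1.8_008 on Windows: neither list names it
    # "Releases prior to SDK and JRE 1.2.2, and JDK and JRE 1.1.8 for Windows
    # and Solaris are also affected"; the bulletin is silent on Linux here.
    old = family < (1, 1, 8) or (1, 2, 0) <= family < (1, 2, 2)
    return "affected" if old and platform != "linux" else "unlisted"


def msvm_status(build):
    """Classify a Microsoft VM build number as reported by JVIEW."""
    if build <= MSVM_LAST_AFFECTED:
        return "affected"
    return "fixed" if build >= MSVM_FIRST_FIXED else "unlisted"
```

An "unlisted" result means neither bulletin names that version, so it needs a manual decision rather than being assumed safe.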