Holes in the Java sandbox

Richard M. Smith (rms@pharlap.com)
Wed, 11 Feb 1998 22:21:17 -0500

Message-Id: <Version.32.19980211221232.00dcdec0@mail.pharlap.com>
Date: Wed, 11 Feb 1998 22:21:17 -0500
To: java-security@web1.javasoft.com
From: "Richard M. Smith" <rms@pharlap.com>
Subject: Holes in the Java sandbox

Hello,

I just read the Sun white paper on Java security at
<http://www.javasoft.com/marketing/collateral/security.html>

The following paragraph appears in the paper:

The Java Sandbox

Java allows users to download and execute untrusted applications
without undue risk by restricting such code to its own sandbox. Applets
may wreak havoc in their own sandbox, but they cannot disrupt or affect
any other sandboxes. Furthermore, restrictions may be placed on what
the application can do within their own sandboxes. Thus, the jvm can allow
untrusted applications to execute in a trusted environment, without fear
of corruption or subterfuge.

Attached is a Usenet message from myself describing a situation in which
a hostile Java applet delivered in an Email message corrupted Eudora.

My question: What happened to the Java sandbox? Why did it fail?

Richard

========================================================================

I have been doing some research on security problems
with Email and found a Java applet that can corrupt the
Eudora 4 Email reader. Once Eudora 4 has been corrupted,
it can no longer read Email because the program continually
crashes on start-up. The worst part of the problem is
the applet is sent in an Email message and is automatically
executed by Eudora when the Email message is read.

I found the hostile Java applet that crashes Windows 95
using AltaVista. A demo page for the applet can be found at:

     <http://users.tmok.com/~dr_bulge/smt1/>

On the Web page there is no description of how the
applet operates. I assume that it grabs system resources
until Windows 95 can't run anymore.

On my system the applet crashes both the IE4 JVM and
the Netscape 4.02 JVM. The applet takes about 20 to 30
to take down Windows 95. At first nothing seems out of
the ordinary. Then the hard disk goes crazy with disk
seeks. CTRL/ALT/DEL doesn't seem to work and about
10 seconds later the entire system locks up.

As an experiment, I mailed the HTML demo page to myself.
I read Email with Eudora 4 which uses IE4 under the
covers to display HTML Email messages.

Sure enough when I read the message in Eudora, the Java
applet ran and my system died again.

I then rebooted and restarted Eudora. I wanted to delete
the message, but I accidentally double-clicked and ended
up reading the message again. I quickly tried to
exit Eudora to avoid a reboot. However the Java
applet had already started running again. So I was
forced to reboot anyway.

Unfortunately, when I tried running Eudora for the third
time, it died with a page fault during start-up. I
tried running it two more times with the same page fault.
The Java applet had somehow corrupted Eudora and
made it not runnable.

I started doing some detective work to see what was wrong.
At first I thought that my In box files were corrupted
but they seemed to be okay. With a little more playing
around I discovered that the EUDORA.INI file was bad and
some setting in it was causing Eudora to page fault.

I deleted the EUDORA.INI file and reconfigured Eudora
and now everything is working again.

It sure seems to me that Java is not anywhere
near as safe as Sun is claiming it to be. Worse
yet, now that many Email readers are going to
HTML, hostile Java applets can be distributed
simply by sending them in Email messages.

To solve the problem, I think that Email readers
that support HTML Email messages should have
an option to turn off Java applets, JavaScript,
and ActiveX controls in Email messages. As
far as I can tell Eudora 4 has no such feature.

Richard
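
The option asked for at the end of the message, sketched as an added example that is not part of the original post and not Eudora's code: a filter that removes Java applet, JavaScript and ActiveX/plug-in content from an HTML message body before it is handed to the rendering engine. The class name, function name and sample body are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

ACTIVE_TAGS = {"applet", "script", "object", "embed"}  # Java, JavaScript, ActiveX/plug-ins

class ActiveContentStripper(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.removed, self.skip_tag, self.depth = [], [], None, 0

    def handle_starttag(self, tag, attrs):
        if self.skip_tag:                  # inside a removed element: drop it
            self.depth += (tag == self.skip_tag)
            return
        if tag in ACTIVE_TAGS:
            self.removed.append(tag)
            if tag != "embed":             # <embed> is void: no content to skip
                self.skip_tag, self.depth = tag, 1
            return
        kept = []
        for name, value in attrs:
            script_url = (value or "").strip().lower().startswith("javascript:")
            if name.startswith("on") or script_url:  # event handler or script URL
                self.removed.append(f"{tag}@{name}")
            else:
                kept.append(f" {name}" if value is None else f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    handle_startendtag = handle_starttag   # treat "<x/>" like an opening tag

    def handle_endtag(self, tag):
        if self.skip_tag:
            self.depth -= (tag == self.skip_tag)
            if self.depth == 0:
                self.skip_tag = None
        elif tag not in ACTIVE_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_tag:
            self.out.append(escape(data, quote=False))

def strip_active_content(html_text):       # returns (clean_html, removed_items)
    parser = ActiveContentStripper()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample body (file name and URL are made up).
SAMPLE = ('<body onload="go()"><p>Hi</p><applet code="X.class"><param name=a value=b>'
          '</applet><script>run()</script><a href="http://example.com/">ok</a></body>')
```

A tag filter like this covers only the constructs it lists, so a mail client would still want active content switched off in the rendering engine itself.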