Java Security Issues Announcement - November 2005

In a November 29, 2005, article, Computerworld journalist Matthew Broersma reported that Sun had patched three critical security flaws in its Java Runtime Environment (JRE) affecting Windows, Unix and Linux users. According to Sun, these security flaws "could allow remote hackers to execute applications on a system".

As part of our ongoing support assistance to our customers, we felt that it was a good idea to run through the issues detailed in Broersma's article and show how ViewONE and ViewONE Pro are unaffected by the flaws Sun has patched.

Each of the three issues below directly quotes Broersma's article on Computerworld.

Issue 1:

"Sun outlined three separate vulnerabilities, each of which could independently allow a specially crafted Java applet, for example embedded in a Web page, to escalate its privileges. That could allow the applet to read and write local files and execute applications accessible to the user running the applet, with the user's privileges.
Ordinarily, Java applets are restricted from reading and writing files and executing applications by the Java "sandbox."
The JRE is the code used to execute Java applets on a local system and is one of the most widely distributed client-side software products. Versions of the JRE are also found in mobile phones...The first, unspecified vulnerability affects SDK and JRE 5.0 update 3 and earlier for Windows, Solaris and Linux, Sun said in an advisory. "

Impact on ViewONE/ViewONE Pro?

This Java flaw relates to 'unsigned' applets, that is, applets that carry no security certificate and should not be allowed to write and access files. Certification is a process by which applet providers are vetted by a security authority (in Daeja's case Thawte, a Verisign company) before being issued with a certificate.

ViewONE is a signed applet, and the user is prompted to decide whether to permit the applet to write and access files. The viewer does nothing with this privilege other than implement efficient caching (and therefore memory management), allow documents to be printed and allow image files to be retrieved from the server.

Daeja virus-checks all its software and does not produce malicious software, nor ever will. Our certification means that we are fully accountable for our product and its actions. See the ViewONE Digital Certificate page for more details on the Daeja Digital Certificate.
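The protection described above depends on the applet JAR actually being signed by the expected certificate. As an added example (not Daeja's code and not part of the original page), here is a Java check that a deploying site could run over a downloaded applet JAR before publishing it: it reads every non-metadata entry so the JRE verifies the signatures, rejects any unsigned entry, and confirms the signer certificate is within its validity period. The JAR path and the expected signer name are placeholders to be replaced with your own values.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class CheckSignedJar {

    // Returns true only if every class/resource entry is signed by a
    // certificate whose subject contains expectedSigner and is still valid.
    public static boolean allEntriesSignedBy(String jarPath, String expectedSigner) throws Exception {
        // second argument "true" asks the JRE to verify signatures as entries are read
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // manifest and signature files in META-INF are not themselves signed
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;

                // Signature checking happens while the entry is read; a tampered
                // entry raises SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                } catch (SecurityException tampered) {
                    return false;
                }

                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) return false; // unsigned entry in a "signed" JAR

                boolean trusted = false;
                for (CodeSigner signer : signers) {
                    X509Certificate leaf =
                        (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
                    leaf.checkValidity(); // throws if expired or not yet valid
                    if (leaf.getSubjectX500Principal().getName().contains(expectedSigner)) {
                        trusted = true;
                    }
                }
                if (!trusted) return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // placeholders: path to the applet JAR and the signer's subject name to expect
        System.out.println(allEntriesSignedBy("path/to/applet.jar", "CN=EXPECTED-SIGNER"));
    }
}
```

Checking the subject name alone does not establish trust in the issuing authority; pair this with a trust store check (for example, jarsigner -verify with a configured keystore) in production.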

Issue 2:

"The second advisory concerns three unspecified bugs in the use of the "reflection" API in the JRE. The first of the three "reflection" bugs can occur in SDK and JRE 1.3.1_15 and earlier, SDK and JRE 1.4.2_08 and earlier or JDK and JRE 5.0 Update 3 and earlier. The second and third of the flaws can occur in SDK and JRE 1.4.2_08 and earlier or JDK and JRE 5.0 Update 3 and earlier.
These bugs affect Windows, Unix and Linux versions of the JRE."

Impact on ViewONE/ViewONE Pro?

Reflection is the mechanism by which other code, such as another applet, can discover the method names and parameters of an existing applet, including those that are supposed to be hidden. Daeja does not have any methods in the applet class (jiApplet) that should not be exposed, and those that are exposed are documented in the JavaScript manual (public Java applet methods are those that JavaScript calls).

In addition, many viewer methods (such as those that can add annotations) are blocked by default and are enabled through HTML parameters only by those applications that do want JavaScript to have access to them; Daeja uses HTML parameters in this way. Daeja also obfuscates its code so that all other methods are unintelligible to the keenest of hackers, which helps to further protect users (and Daeja).

Issue 3:

"The third advisory warns of a bug in the Java Management Extensions (JMX) implementation included with the JRE. It affects SDK and JRE 5.0 Update 3 and earlier on Windows, Unix and Linux. Patches and instructions for patching are found in Sun's advisories."

Impact on ViewONE/ViewONE Pro?

Java Management Extensions or JMX is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (e.g. printers) and service-oriented networks. ViewONE provides tools for monitoring network and viewer activity, all of which can be disabled and are 'off' by default. Cached files are obfuscated when the Obfuscate=true parameter is used (which we recommend), and all other viewer activity, such as instantiating classes and creating threads, is made very difficult to monitor and interpret because the viewer JAR files are obfuscated (which Daeja does before releasing viewer builds).
If concern remains, for example over the inbuilt ability of the JRE to monitor high-level network activity or the ability to view HTML source (a browser feature), Daeja already has inbuilt mechanisms to allow encryption of such data (through the ViewONE Pro Security Module).

General Daeja comments:

In general terms, it is difficult to see how any of these flaws in Java can cause problems for viewer users or expose them to risk. It is of paramount importance to Daeja that this remains the case, hence the precautions mentioned above.

If you have any questions relating to anything here, please feel free to email our eSupport team who will be happy to respond to your enquiries, on support@daeja.com.


©2009 ViewONE & Daeja are trademarks of Daeja Image Systems Ltd