Sun Java Plugin Arbitrary Package Access Vulnerability

This security hole is caused by a flaw in the LiveConnect implementation of Sun's Java Virtual Machine (specifically in the JavaScript-to-Java side of LiveConnect). Sun just released a new version (1.4.2_06) that fixes the problem. But 1.4.2_05 and potentially all earlier versions are still vulnerable.

Apple has licensed Sun's Java Virtual Machine, and distributes copies of Java 1.3.1 and Java 1.4.X with Mac OS X (Java 1.4.1 with OS X 10.2.8 and Java 1.4.2 with OS X 10.3.X). Apple's most recent Java version (Java 1.4.2 Update 2, available for OS X 10.3.4 and above) is based on Sun's Java 1.4.2_05.

So all of Apple's Java versions are vulnerable in principle. And they actually are vulnerable when used in combination with older versions (pre-0.8.8) of the MRJ Plugin JEP (whether the latter is used with JavaEmbeddingPlugin.bundle to provide Java 1.4.X support or by itself to provide Java 1.3.1 support). But, as it happens, neither Apple's browser (Safari) nor its browser plugin (Java Applet.plugin, which provides Java 1.3.1 support to other browsers than Safari) are vulnerable.

You might think that it's Apple's responsibility to fix its Java distributions, all of which have this security hole. But since none of Apple's Java "consumers" are vulnerable, they may choose not to do anything. In any case, they haven't done anything yet. (Apple may have partially addressed this issue with its 2005-02 security update for OS X 10.3.X. But JEP 0.8.7 and earlier are still vulnerable even with this security update applied.)

When I found a way to fix the problem indirectly (in the MRJ Plugin JEP) for both Java 1.3.1 and 1.4.X, I decided to include it in the Java Embedding Plugin and make a special "security fix" release -- which became JEP 0.8.8. (The fix is also included in later versions.)

Scanit has made available an online scanner for browser vulnerabilities that is capable of detecting the "Arbitrary Package Access" vulnerability:

Scanit's test shows that earlier versions (prior to 0.8.8) of the MRJ Plugin JEP are vulnerable (and that versions 0.8.8 and later are no longer vulnerable). It also shows that no browser is vulnerable when used together with the Java Applet.plugin. Its results for Safari versions prior to the 2005-02 security update are ambiguous ... the test crashes Safari :-) But my own (very simple) test (which combines a hello-world applet with Jouko Pynnonen's proof-of-concept JavaScript code from his advisory) has convinced me that it isn't vulnerable.

The Java Applet.plugin is saved by the fact that it doesn't support LiveConnect. Neither did early versions of Safari. More recent versions of Safari (available for OS X 10.3.X) do support LiveConnect, but apparently still aren't vulnerable. After the 2005-02 security update is installed, Safari neither crashes nor is vulnerable.