Date: 11 August 2000
References: ESB-2000.197 ESB-2000.221 ESB-2000.233 ESB-2003.0013
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
ESB-2000.206 -- CERT Advisory CA-2000-15
Netscape Allows Java Applets to Read Protected Resources
11 August 2000
AusCERT Security Bulletin Summary
Product: Netscape Navigator
Operating System: N/A
Impact: Access Privileged Data
Access Required: Remote
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2000-15 Netscape Allows Java Applets to Read Protected
Original release date: August 10, 2000
A complete revision history is at the end of this file.
* Systems running Netscape Communicator version 4.04 through 4.74
with Java enabled. Netscape 6 is unaffected by this problem.
Netscape Communicator and Navigator ship with Java classes that allow
an unsigned Java applet to access local and remote resources in
violation of the security policies for applets.
Failures in the netscape.net package permit a Java applet to read
files from the local file system by opening a connection to a URL
using the "file" protocol. For example, by opening a connection to
"file:///C:/somefile.txt" an intruder can read the contents of that
Additionally, it is possible to use this technique to open connections
to resources using other types of protocols; that is, it is possible
to open a connection to "http," "https," "ftp," and other types of
URLs using this vulnerability.
By then using ordinary techniques, a malicious Java applet that
exploits this vulnerability could subsequently send the contents of
the file (or other resource) to the web server from which the applet
An exploit using this technique causes the victim to establish a
connection to the malicious web server (as opposed to the intruder
establishing a connection to the victim). Thus typical firewall
configurations fail to stop an attack of this type.
A tool written by Dan Brumleve dubbed "Brown Orifice" demonstrates
this vulnerability. Brown Orifice implements an HTTP server (web
server) as a Java applet and listens for connections to the victim's
machine. In conjunction with the Netscape vulnerability, Brown Orifice
essentially turns a web browser into a web server and allows any
machine on the Internet to browse the victim's local file system.
Typical firewall configurations stop this type of attack, but as noted
above, they do not stop simple variations of this attack.
This vulnerability is the result of an implementation error in the JRE
that comes with the Netscape brower, not an architectural problem in
the Java security model.
This problem has been widely discussed in various forums on the
Internet. More information is available at
http://www.brumleve.com/BrownOrifice (Note that this site
contains a demonstration of the vulnerability which could
expose your files to intruders.)
As of the writing of this document, we have not received any reports
indicating exploitation of this vulnerability outside of the context
of obtaining it from the Brown Orifice web site. Note that running
Brown Orifice allows anyone, not just the administrators of the Brown
Orifice web site, to read files on your system. The Brown Orifice web
site publishes the IP address of systems running Brown Orifice, and we
have received reports of third parties attempting to read files from a
system identified on the Brown Orifice web site. Furthermore, if you
have extended any file-reading privileges to anyone who has run Brown
Orifice, your files can be read by anyone on the Internet (subject to
controls imposed by your router and firewall.)
Intruders who can entice you into running a malicious Java applet can
read any file that you can read on your local or network file system.
Additionally, the contents of URLs located behind a firewall can be
Organizations should weigh the risks presented by this vulnerability
against their need to run Java applets. At the present time, an
effective solution is to disable Java in Netscape. Historically,
vulnerabilities of this type have not been widely exploited; however
this is not an indication that they can't be, or that targeted attacks
are not effective and possible.
For organizations that have a need to run Java applets under their own
control (that is, in situations where the HTML page referencing the
applet is under their control), an alternate solution is to install a
Java Runtime Environment Plugin available from Sun Microsystems. More
information and pointers to downloadable software is available at
To use this plugin effectively requires the use of a tool to convert
HTML pages to use a different tag. Information about Sun's HTML
Converter Software is also available on this page. This tool will
rewrite HTML pages so that applets referenced in the page will run in
the JRE provided by the plugin.
To achieve protection from the resource reading vulnerability using
this tool requires you to disable Java in the Netscape browser. The
HTML Converter software will modify HTML pages to use an <EMBED> tag
instead of an <APPLET>. The JRE plugin software recognizes the <EMBED>
tag, and applets will then run within the new JRE plugin, instead of
the default JRE provided by Netscape.
Appendix A contains information provided by vendors for this advisory.
We will update the appendix as we receive more information. If you do
not see your vendor's name, the CERT/CC did not hear from that vendor.
Please contact your vendor directly.
Appendix A. Vendor Information
AOL Corporate Communications
Netscape takes all security issues very seriously, and we are working
to quickly evaluate and address this concern. If the reports are
accurate, we plan to make a patch available, but in the interim, users
can protect themselves by simply turning off Java.
Users can also visit http://www.netscape.com/security to get the
mostup to date information on a patch, and its availability.
Sun Microsystems and Netscape
Sun is working with Netscape to deliver a new version of Navigator and
Communicator that will fix this problem.
Brown Orifice does not exploit any vulnerabilities in Microsoft
The CERT Coordination Center thanks Elias Levy, CTO of
SecurityFocus.com, and Sun Microsystems and AOL/Netscape for their
input and assistance in the construction of this advisory.
Author: Shawn Hernan
This document is available from:
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
Getting security information
CERT publications and other security information are available from
our web site
To be added to our mailing list for advisories and bulletins, send
email to firstname.lastname@example.org and include SUBSCRIBE
your-email-address in the subject of your message.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2000 Carnegie Mellon University
August 10, 2000: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----