Wednesday, August 05, 2009

Sami Koivu acknowledges with thanks Sun Microsystems' thankful acknowledgement.

On a more serious note: Good job, Sun. I liked the fix, it's straightforward, simple and looks foolproof.

Tuesday, August 04, 2009
No Anniversary for JDK13Services
Java 6 update 15 fixes the simplest Java security bug I've found so far. And just before its anniversary (August 18th), so no cake.
It's also the least serious of the bugs so I'm not terribly upset that it took close to a year to fix.
com.sun.media.sound.JDK13Services has a public, static method called getDefaultProviderClassName which takes a Class object as a parameter and returns the system property whose name is the fully qualified name of that class. The problem is (was) that you can create your own classes whose fully qualified names coincide with security-sensitive property names, such as user.home, user.name, etc., and the method will hand those properties back to untrusted code.
The implication is one of privacy.
An example applet that reads the user.home property and prints it to System.out:
package user;

public class PropertyThief extends java.applet.Applet {

    public void start() {
        // user.home.class is the class "home" in package "user" (declared below),
        // so its fully qualified name is "user.home", the name of the property to read.
        String usrHome = com.sun.media.sound.JDK13Services.getDefaultProviderClassName(user.home.class);
        System.out.println(usrHome);
    }
}

// Package-private class whose fully qualified name collides with the property name.
class home {}
This'll only work in a pre-update-15 Java. From the quick look into the new rt.jar bytecode, it looks like they're doing a bunch of if's now to limit the properties you can request.
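To make the shape of the fix concrete, here is an added example (not code from the post or from Sun's rt.jar) contrasting the unrestricted pattern with an allow-listed one. The lookup methods, the class name PropertyLookupDemo and the property value are constructed for the demo; the allow-list mirrors the javax.sound SPI types that JDK13Services exists to serve, and whether update 15 checks exactly this set is an assumption, not something the post states.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class PropertyLookupDemo {

    // Unrestricted pattern: whatever class the caller passes, its fully qualified
    // name becomes the property key. Any class name the caller controls becomes a
    // property the caller can read.
    static String lookupUnrestricted(Class<?> type) {
        return System.getProperty(type.getName());
    }

    // Allow-listed pattern: only the provider types this lookup is meant for are
    // accepted, so the property key can never be a name chosen by the caller.
    // (Assumed allow-list; the real javax.sound SPI types are used as the entries.)
    private static final Set<Class<?>> ALLOWED = new HashSet<Class<?>>(Arrays.asList(
            javax.sound.sampled.spi.AudioFileReader.class,
            javax.sound.sampled.spi.AudioFileWriter.class,
            javax.sound.sampled.spi.FormatConversionProvider.class,
            javax.sound.sampled.spi.MixerProvider.class,
            javax.sound.midi.spi.MidiDeviceProvider.class,
            javax.sound.midi.spi.MidiFileReader.class,
            javax.sound.midi.spi.MidiFileWriter.class,
            javax.sound.midi.spi.SoundbankReader.class));

    static String lookupRestricted(Class<?> type) {
        if (type == null || !ALLOWED.contains(type)) {
            throw new IllegalArgumentException(
                    "not a javax.sound provider type: " + (type == null ? "null" : type.getName()));
        }
        return System.getProperty(type.getName());
    }

    public static void main(String[] args) {
        // Constructed demo value: a property keyed on this demo class's own name
        // stands in for a sensitive property whose name a class could be made to match.
        System.setProperty(PropertyLookupDemo.class.getName(), "constructed-demo-value");

        // The unrestricted lookup returns it, because the key is just the class name.
        System.out.println("unrestricted: " + lookupUnrestricted(PropertyLookupDemo.class));

        // The allow-listed lookup refuses the same class outright.
        try {
            lookupRestricted(PropertyLookupDemo.class);
            System.out.println("restricted: unexpectedly allowed");
        } catch (IllegalArgumentException e) {
            System.out.println("restricted: rejected (" + e.getMessage() + ")");
        }

        // A genuine provider type is accepted; null just means no default is configured.
        System.out.println("restricted, provider type: "
                + lookupRestricted(javax.sound.sampled.spi.MixerProvider.class));
    }
}
```

The point of the allow-list is that the set of acceptable property keys is fixed at the point where the privileged read happens, rather than derived from an argument the caller controls. Comparing Class objects by identity (a HashSet of Class uses Object.equals) also means a caller cannot satisfy the check with a class that merely has the same simple name.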