Security hole in Java Web Start

[Preston]

Does anybody know an URL to an english article on this topic?

German readers could use this one: http://www.heise.de/newsticker/data/pab-02.12.03-001/
The last sentence reads: "SUN's current recommended workaround to the security issue is not to use Java Web Start 1.4.2_02."

With all that talk on Java Web Start here in the forum I thought let's post this...

[kevglass]

Here's something?

http://www.itworld.com/nl/java_sec/08092002/

This seems to be all I can get Google to throw up, seems like a hole in IE more than Web Start.

Kev

[endolf]

Hi
 I agree that it sounds like IE is the biggest issue, but maybe ws could help to some exctent by verifying the signature of files *every* run.

Endolf

Games published by our own members! Check 'em out!

[Preston]

Here's something?

http://www.itworld.com/nl/java_sec/08092002/

From 08/09/2002 ?
That's another version probably... :-)

Mine article is from today. Maybe you could use Google's pretty funny translation: http://translate.google.com/translate?u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fdata%2Fpab-02.12.03-001%2F&langpair=de%7Cen&hl=de&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools

[kevglass]

Ah ha, from I can make out from the cool translation the problem is this:

1) An app requests limited security permissions to the users machine.
2) The user agrees to the limited permissions (which are safe)
3) The author then changes the permission requested.
4) Next the user does an update, JWS gets the new permissions and assumes cause the user accepted it the first time they'll accept anything.
5) The Java App now has full security permissions without the user's approval.

If that is the case, that is scary. Although for everything I've seen recently asks for full permissions at the start

Kev

[endolf]

Eep
 in that case, yes, it's a ws bug

but I too ask for full permissions

Endolf

[swpalmer]

I suspected as much.  In fact even granting full permissions the first time, it is not "friendly" of the system to assume the users wishes to grant full permissions to version 2.  Perhaps I've heard that Version 2 has a bug that could destroy my data...  Must I now unplug my network cable whenever I want to launch this Web Start app so I don't get the new version?  If it is marked as requiring a net connection  I can't even do that!

Web Start needs some settings to allow the user to confirm that they wish to get the available updates in the first place.  Sometimes you don' t want to be on the bleeding edge.

[Jeff]

I suspected as much.  In fact even granting full permissions the first time, it is not "friendly" of the system to assume the users wishes to grant full permissions to version 2.

I'd disagree here,actually.

The question posed is not "do you trust this application" but "do you trust this application provider."  Thats why each provider has a unique certificate, not each app.

JK

[Preston]

In fact even granting full permissions the first time, it is not "friendly" of the system to assume the users wishes to grant full permissions to version 2.  Perhaps I've heard that Version 2 has a bug that could destroy my data...  Must I now unplug my network cable whenever I want to launch this Web Start app so I don't get the new version?

In the Webstart there's a menu entry "application" with a sub entry named "delete app". This removes a previously loaded app for me. Next time I load that app from a .jnlp file again, it asks for the permission details.

[swpalmer]

I'd disagree here,actually.

The question posed is not "do you trust this application" but "do you trust this application provider."  Thats why each provider has a unique certificate, not each app.

JK

Yes, I see your point, and it makes sense to use the provider level of granularity from a security standpoint..  I guess it still stands that this bug of allowing more priviledges than you initially agreed is not right though.

I also think the idea of not accepting upgrades is entirely different  from that of security.  I don't trust a single one of you to give me code that has no bugs - but I routinely accept the self signed Web Start apps that are posted.  I trust you guys enough that I believe you will not be malicious.. but if I have a program that is working just fine for me, I don't necessarily want to jump straight to the next version.   I like that Web Start gives me that ability to stay up to date - I don't like that it forces the latest version on me, with no option of going back.

I believe that is a design flaw in the current Web Start client. The JNLP in general appears to be fine.  If the client kept the last version in the cache so I could step back it would be great.  Hmm.  I smell a RFE brewing...

Games published by our own members! Check 'em out!

[swpalmer]

In the Webstart there's a menu entry "application" with a sub entry named "delete app". This removes a previously loaded app for me. Next time I load that app from a .jnlp file again, it asks for the permission details.

Yes... that covers security issues.. but that means losing Version 1 so it doesn't cover the forced early adopters issue.  (i.e. you will use the latest, even if it is broken on your system.)

[Jeff]

Yes, I see your point, and it makes sense to use the provider level of granularity from a security standpoint..  I guess it still stands that this bug of allowing more priviledges than you initially agreed is not right though.

That I'd agree with assuming the report is accurate

I also think the idea of not accepting upgrades is entirely different  from that of security.  I don't trust a single one of you to give me code that has no bugs - but I routinely accept the self signed Web Start apps that are posted.  I trust you guys enough that I believe you will not be malicious.. but if I have a program that is working just fine for me, I don't necessarily want to jump straight to the next version.   I like that Web Start gives me that ability to stay up to date - I don't like that it forces the latest version on me, with no option of going back.

Thats an interesting and legitimate comment.  i hadn't really thought about it before.  In the enterprise, the JWS way makes sense because IT wants uniformity, but its quite possible that a better client for supplying individual uses could be written.

Thats actually one of webstart's virtues, that its really a protocol definition (jnlp et al).  JWS is just one example of a client. Others could be written.

[kevglass]

Yeah.. check out OpenJNLP. Its bulky and interface is horrible.. but other than that its a new implementation

Kev

[Preston]

http://developer.java.sun.com/developer/bugParade/bugs/4961543.html

Bug closed. It's not a bug. It's a feature. :-)

Has the bug report been a bug itself?

[Jeff]

Yup. Looks like this person was confused as well about granting permissions, thinking it was per app rather then what it really is-- per certificate.