The flaw, discovered and brought to Netscape's attention by the Secure Internet Programming group at Princeton University, lets a malicious Java applet disable the browser's security controls, leaving the user's computer defenseless against attacks over the Internet.
"The potential consequences are as severe as they could be," said SIP director Edward Felten. "Once you penetrate the security of the browser, then there isn't more protection. Someone can write an applet that can seize control of the victim's machine and delete or modify files, spread viruses, or whatever."
While emphasizing that the company takes all security breaches seriously, Netscape executives downplayed the threat posed by this particular hole.
"This particular attack is quite difficult to exploit because it requires a number of hoops to jump through," said Eric Byunn, Netscape's group product manager for Communicator, the company's Web software suite that includes the Navigator browser.
The flaw, which affects only versions 4.0x of Netscape's Navigator browser, lies in the implementation of what are called "class loaders" in the Java programming language. Class loaders are the components that load classes, the units of Java code, and link them together inside the Java virtual machine (JVM), the software that lets applications written in Java run on multiple platforms.
Under the Java security model, units of code called "objects" are classified by type, and each type is permitted only certain operations. The hole allows a maliciously designed class loader to confuse the JVM about the type of the object it is handling. Felten and his group built a class loader that let them gain privileges they should not have had, access memory they should not have been able to reach, and in turn disable the rest of the security mechanism.
While the flaw discovered in this case is specific to the Navigator 4.0x browsers, Felten and his group lay much of the blame with the Java security architecture.
"Despite changes in the ClassLoader implementation in JDK 1.1 and again in JDK 1.2 beta, ClassLoaders are still not safe," reads a note on the bug report posted to the SIP Web site. "A malicious ClassLoader can still override the definition of built-in 'system' types like java.lang.Class. Under some circumstances, this can lead to a subversion of Java's type system and thus a security breach."
A Java program can have many different class loaders, each defining the boundaries of the environment in which an applet runs. The trouble is that the jurisdictions of different class loaders can overlap. It is these overlapping environments, or "name spaces," that Felten and his team exploited to confuse the JVM.
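The defence that later JVMs put in front of this attack is worth seeing in code. The following is an added example, not code from the article or from the SIP group: it uses only the standard java.lang.ClassLoader API of a modern JDK (assumed 8 or later) to show that a user-written loader can neither define its own class under a core name like java.lang.Class nor obtain a second copy of that type through delegation.

```java
// Two JVM-side checks against the class-loader confusion described above.
// Added example; relies only on the public java.lang.ClassLoader API.
public class ClassLoaderBoundaryCheck {

    // A loader that exposes defineClass so the probe can try to define a
    // class under a name reserved for the runtime.
    static class ProbeLoader extends ClassLoader {
        ProbeLoader(ClassLoader parent) { super(parent); }

        Class<?> tryDefine(String name, byte[] bytes) {
            return defineClass(name, bytes, 0, bytes.length);
        }
    }

    // True if the JVM refuses to let a user loader define a class named like a
    // core type (here java.lang.Class). The bytes are a constructed placeholder:
    // the prohibited-package check runs before the class file is parsed.
    static boolean rejectsCoreTypeOverride() {
        ProbeLoader loader = new ProbeLoader(ClassLoaderBoundaryCheck.class.getClassLoader());
        byte[] placeholder = new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE};
        try {
            loader.tryDefine("java.lang.Class", placeholder);
            return false;                    // the unsafe outcome: a second "java.lang.Class"
        } catch (SecurityException e) {      // "Prohibited package name: java.lang"
            return true;
        }
    }

    // True if parent-first delegation hands back the one Class object the
    // bootstrap loader already holds, so the name spaces cannot overlap on it.
    static boolean delegatesCoreTypeToBootstrap() throws ClassNotFoundException {
        ProbeLoader loader = new ProbeLoader(null);   // null parent = bootstrap loader
        Class<?> viaLoader = loader.loadClass("java.lang.Class");
        return viaLoader == Class.class && viaLoader.getClassLoader() == null;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("core type override rejected:      " + rejectsCoreTypeOverride());
        System.out.println("core type delegated to bootstrap: " + delegatesCoreTypeToBootstrap());
    }
}
```

Both checks print `true` on a current JDK; a loader that bypasses delegation entirely by overriding `loadClass` is exactly the kind of component the article's "name space" overlap depends on, which is why application code should extend `findClass` rather than `loadClass`.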
In addition to coinciding with the beta release of Communicator 4.5, the SIP discovery and notification to Netscape comes as the House of Representatives marks up the Digital Millennium Copyright Act. Some versions of the controversial act would criminalize the kind of activity that the SIP engaged in to discover the Navigator security hole, in an attempt to penalize those who tamper with security technologies.
"We're quite concerned about the anticircumvention language in that bill," said Felten. "Some versions of that bill would make it illegal for us to examine software for security flaws, and many forms of reverse-engineering would be illegal. There needs to be some kind of exception for people who do security research. Otherwise these holes might be found, but not by the kind of people we want to have finding them."
Princeton's SIP notified Netscape last week about the hole, and the company said it had patched it in time for the beta release of Communicator 4.5. For those using Communicator versions 4.01 to 4.05, Netscape will post another revision of the 4.0x browser with the hole patched in the next few weeks.