Covert Channels allow Cross-Site-Java in Microsoft VM
Hi y'all,

I have not found the contact address for Microsoft JVM security issues, therefore maybe someone who reads Bugtraq can forward this:

In the Microsoft ® VM for Java, 5.0 Release 5.0.0.3810, the implementation of some core system classes allows the creation of covert channels between applets that are loaded from different websites (aka cross-site Java). As these applets share a common class loader for the system classes, all public static (non-final) fields can be used to create a covert channel in accordance with the sandbox restrictions and to exchange cross-site information. This may be used for security zone violation and general data leakage.
PUT/Key/Value to create an entry in the shared hashtable of the applets
GET/Key to read an entry in the shared hashtable of the applets
'Key' and 'Value' are string values.
So if you enter 'PUT/TopScorer/Makaay' in the lower textbox and press "Perform Action", then switch to applet B, which has an identical look, enter 'GET/TopScorer' and press "Perform Action", you will be prompted with 'Makaay', which is information that should only be known to applet A.
I think this is a major violation of sandbox constraints.
Sincerely Marc
P.S: Read some more java stuff at www.illegalaccess.org
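
The condition described above (public static non-final fields in classes served by a shared class loader) can be checked for with reflection. The following is an added example, not part of the original post and not Microsoft VM code; StaticFieldAudit, SampleSystemClass and its fields are hypothetical names constructed for illustration.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class StaticFieldAudit {

    // Constructed stand-in for a system class; not a real Microsoft VM class.
    public static class SampleSystemClass {
        public static Object sharedSlot;          // writable by any caller: flagged
        public static final int MAX_ITEMS = 16;   // final constant: not flagged
        private static Object hiddenSlot;         // not public: not flagged
        public Object instanceSlot;               // not static: not flagged
    }

    // Returns the public static non-final fields declared by cls. Code from any
    // origin that resolves cls through the same loader sees the same field.
    static List<Field> writableStatics(Class<?> cls) {
        List<Field> hits = new ArrayList<>();
        for (Field f : cls.getDeclaredFields()) {
            int m = f.getModifiers();
            if (Modifier.isPublic(m) && Modifier.isStatic(m) && !Modifier.isFinal(m)) {
                hits.add(f);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // Pass fully qualified class names as arguments; defaults to the sample.
        String[] names = args.length > 0 ? args
                : new String[] { SampleSystemClass.class.getName() };
        for (String name : names) {
            // initialize=false: inspect the class without running its static initializers
            Class<?> cls = Class.forName(name, false,
                    StaticFieldAudit.class.getClassLoader());
            // Fields of non-public classes are not reachable from other packages.
            if (!Modifier.isPublic(cls.getModifiers())) continue;
            for (Field f : writableStatics(cls)) {
                System.out.println(cls.getName() + "." + f.getName()
                        + " : " + f.getType().getName());
            }
        }
    }
}
```

Run without arguments, it reports only sharedSlot from the sample class. A final field that refers to a mutable object is not covered by this check.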