Netscape Communicator and Navigator ship with Java classes that allow an unsigned Java applet to access local and remote resources in violation of the security policies for applets.
Failures in the netscape.net package permit a Java applet to read files from the local file system by opening a connection to a URL using the "file" protocol. For example, by opening a connection to "file:///C:/somefile.txt" an intruder can read the contents of that file.
Additionally, it is possible to use this technique to open connections to resources using other types of protocols; that is, it is possible to open a connection to "http," "https," "ftp," and other types of URLs using this vulnerability.
http://www.brumleve.com/BrownOrifice (Note that this site contains a demonstration of the vulnerability, which could expose your files to intruders.)
As of the writing of this document, we have not received any reports indicating exploitation of this vulnerability outside of the context of obtaining it from the Brown Orifice web site. Note that running Brown Orifice allows anyone, not just the administrators of the Brown Orifice web site, to read files on your system. The Brown Orifice web site publishes the IP address of systems running Brown Orifice, and we have received reports of third parties attempting to read files from a system identified on the Brown Orifice web site. Furthermore, if you have extended any file-reading privileges to anyone who has run Brown Orifice, your files can be read by anyone on the Internet (subject to controls imposed by your router and firewall.)
Intruders who can entice you into running a malicious Java applet can read any file that you can read on your local or network file system. Additionally, the contents of URLs located behind a firewall can be exposed.
Organizations should weigh the risks presented by this vulnerability against their need to run Java applets. At the present time, an effective solution is to disable Java in Netscape. Historically, vulnerabilities of this type have not been widely exploited; however, this is not an indication that they can't be or that targeted attacks are not effective and possible.
To use this plugin effectively requires the use of a tool to convert HTML pages to use a different tag. Information about Sun's HTML Converter Software is also available on this page. This tool will rewrite HTML pages so that applets referenced in the page will run in the JRE provided by the plugin.
To achieve protection from the resource reading vulnerability using this tool requires you to disable Java in the Netscape browser. The HTML Converter software will modify HTML pages to use an <EMBED> tag instead of an <APPLET>. The JRE plugin software recognizes the <EMBED> tag, and applets will then run within the new JRE plugin, instead of the default JRE provided by Netscape.
The CERT Coordination Center thanks Elias Levy, CTO of SecurityFocus.com, Sun Microsystems, and AOL/Netscape for their input and assistance in the construction of this document.
This document was written by Shawn V Hernan.