Bugtraq mailing list archives
Mac OS X v10.0.x J2SE v1.3 clipboard tapping vulnerability
From: "TAKAGI, Hiromitsu" <takagi.hiromitsu () aist go jp>
Date: Wed, 17 Oct 2001 10:45:18 +0900
Java runtime (J2SE) for Mac OS X v10.0.x has a security hole. It seems to have been fixed in Mac OS X v10.1. http://www.apple.com/support/security/security_updates.html
Security updates are listed below according to the software release in which they first appeared: Mac OS X v10.1 o system clipboard / J2SE - Fixes a security issue that permitted unauthorized applets access to the system clipboard.
However, the patch for Mac OS X 10.0 has not been released. Workaround: Buy Mac OS X v10.1 or do not use Java applets on Mac OS X v10.0 A brief history of this issue: On 9 Feb 2001 Cameron McNeil wrote:
To: java-dev () lists apple com I've recently been playing around with applets and MRJ2.2.4 and I've noticed that unsigned applets have access to the system clipboard. I remember reading somewhere that the system clipboard was considered outside of the sandbox, I know that in windows if you attempt to access the clipboard it will throw a security exception. Is this a bug in the MRJ security model or was the ability to access the clipboard left in intentionally?
On 9 Feb 2001 Eric Albert <ealbert () apple com> wrote:
To: java-dev () lists apple com That may well be a bug...I ran into that a month or two ago and was wondering why MRJ allowed it. Please file a bug report.
On 5 Jun 2001 TAKAGI, Hiromitsu <takagi () etl go jp> wrote:
To: java-dev () lists apple com On 1 Jun 2001 Mickey Segal wrote:Are there release notes telling us what is fixed in MRJ 2.2.5? The description at http://www.apple.com/java/ reflects only MRJ 2.2.4.This release seems to contain a security fix. The clipboard tapping vulnerability which was discovered here on Feb 9(*) has been fixed. However, Apple hasn't notified customers of this fix yet in the release note nor the security bulletin. http://asu.info.apple.com/swupdates.nsf/artnum/n11927 http://www.apple.com/support/security/security_updates.html
On 6 Jun 2001 TAKAGI, Hiromitsu <takagi () etl go jp> wrote:
To: java-dev () lists apple com Cc: product-security () apple com, java-security () sun comThis release seems to contain a security fix. The clipboard tapping vulnerability which was discovered here on Feb 9(*) has been fixed.I prepared a test applet for this vulnerability. http://java-house.etl.go.jp/~takagi/java/security/mrj-clipboard/Test.html ...and found that J2SE v1.3 for Mac OS X is also vulnerable. Why hasn't it been fixed?
-- Hiromitsu Takagi, Ph.D. National Institute of Advanced Industrial Science and Technology, Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan http://staff.aist.go.jp/takagi.hiromitsu/
Current thread:
- Mac OS X v10.0.x J2SE v1.3 clipboard tapping vulnerability TAKAGI, Hiromitsu (Oct 17)
- <Possible follow-ups>
- RE: Mac OS X v10.0.x J2SE v1.3 clipboard tapping vulnerability Thor Larholm (Oct 18)