In most Java implementations, security policy forbids applets from reading the local directory structure. I have discovered that it is possible for an applet, using only Java, to determine whether specified files exist on the file system of the client machine. The applet I have prototyped cannot read or write the file, but it can detect its presence. My applet is then free to surreptitiously email the result of the file search to any machine on the Internet, for example MarketResearch@microsoft.com.
As in previous security holes, the flaw is in the Java implementation, not the Java model. I believe correcting this bug will be easy for the various vendors: they must make the observable behavior of the virtual machine identical when the file exists and when it does not exist.
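The post does not say which behavioral difference the applet observes, so the following is an added illustration of the vendor-side rule just stated, not the author's applet or any vendor's code. It models a sandbox "gate" that applet code must pass through to open a file, and a regression check that fails whenever a denied caller can tell an existing path from a missing one. The leaky gate is an assumed, constructed example of the kind of divergence such a check catches (file system consulted before the policy decision); the hardened gate makes the policy decision first, so a denied caller never reaches the file system at all. `FileGate`, `appletMayRead`, `observe` and `isUniform` are names chosen for this example.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.Objects;

/*
 * Added illustration, not the original applet: a check a VM vendor could run to
 * enforce "denied access must look the same whether or not the file exists".
 * The LEAKY gate is a constructed, assumed example of a divergence; the post does
 * not describe the real one.
 */
public class UniformDenialCheck {

    /** The sandbox gate untrusted (applet) code must go through to open a file. */
    interface FileGate {
        void open(String path) throws IOException;
    }

    /** Stand-in for the sandbox policy: applets may never read local files. */
    static boolean appletMayRead(String path) {
        return false;
    }

    /** Constructed weak gate: touches the file system before consulting policy. */
    static final FileGate LEAKY = path -> {
        if (!new File(path).exists()) {
            throw new FileNotFoundException(path);        // reached only for missing files
        }
        if (!appletMayRead(path)) {
            throw new SecurityException("access denied"); // reached only for present files
        }
    };

    /** Hardened gate: policy first, so a denied caller never triggers any file-system access. */
    static final FileGate UNIFORM = path -> {
        if (!appletMayRead(path)) {
            throw new SecurityException("access denied"); // same exception, same message, no I/O
        }
        if (!new File(path).exists()) {
            throw new FileNotFoundException(path);        // only trusted callers get this far
        }
    };

    /** Everything an untrusted caller can observe from one attempt: exception class and message. */
    static String observe(FileGate gate, String path) {
        try {
            gate.open(path);
            return "ok";
        } catch (Exception e) {
            return e.getClass().getName() + ":" + e.getMessage();
        }
    }

    /** True when the caller learns nothing about existence from the denial. */
    static boolean isUniform(FileGate gate, String existing, String missing) {
        return Objects.equals(observe(gate, existing), observe(gate, missing));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: one file that exists, one path that does not.
        File present = File.createTempFile("probe", ".tmp");
        present.deleteOnExit();
        String missing = present.getPath() + ".does-not-exist";

        System.out.println("leaky gate uniform?   " + isUniform(LEAKY, present.getPath(), missing));
        System.out.println("uniform gate uniform? " + isUniform(UNIFORM, present.getPath(), missing));
    }
}
```

The check compares only exception class and message; ordering the policy decision before any file-system call is what also removes timing differences, since a denied request never issues a system call whose duration could depend on the file's presence.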
For the time being, I will not release a more detailed description of the attack or the code in source or object form until I have given Microsoft, Sun, Netscape and all other vendors a chance to respond.
I've now got an example applet on-line. If you don't want my applet to poke around for a few files on your system, turn Java off before viewing it. I didn't integrate the applet with my Hostile email applet (yet); let's just see how it goes as a stand-alone hostile applet. I also haven't made the applet smart enough to look only for Unix-type files on Unix systems, Windows-type files on a Windows system, etc. It would be easy to do, but who has the time? The applet will not always be successful, as it uses a bit of a "fuzzy" search technique. It will not always work well on re-load either. It's just a proof of concept.
I have tested my applet under various versions of Netscape on Solaris, Linux, Windows 95, and Windows NT. Tests on the current version of Internet Explorer are inconclusive. Either bugs in Internet Explorer prevent the attack from working, or Internet Explorer is not susceptible.