I discovered this bug accidentally while developing new version of
Anfy, and I have not
disclosed the information required to re-create the bug. However, hackers have
re-created it themselves, and I disagree with their malicious use of it.
that is required is a single 1 Kb ".class" file. It's a
Java applet which uses Microsoft's "extentions" to the official Java
specifications. The applet will not only crash Internet Explorer 4.0, 4.1 and IE
5 beta, it will crash the whole Windows 95/98 operating system; all running
applications stop and unsaved work is lost. On Windows NT, Internet Explorer
crashes, but the operating system in most cases is still usable.
Some hackers have already spread malicious version of this applet, so you may be
at risk, unless you install the patch
from Microsoft. Applets sent as email attachments may also crash your system.
Users affected by this problem will not have an opportunity to prevent a total
crash of their system and unsaved work will be lost. This is why this more than
a bug, it is a security hole.
This is not a virus: This is
because it can't replicate itself automatically, but has to be spread
individually by malicious people, like a Trojan Horse. It can reside on
an internet site you visit or it can be sent to you attacched to an e-mail, but
it has to be spread intentionally (hackers can also insert the crash applet in a
site without the knowledge and permission of the site owner).
NON UPDATED INTERNET EXPLORER 4 RUNNING ON WINDOWS 95/98/NT IS AT RISK: The
applet will not run in a 100% pure Java environment, such as Netscape Navigator
or using the Java Plugin. Java is a secure and reliable
technology, if correctly implemented. The bug is only present in
Microsoft's extensions to Java on
Windows systems. The applet does not crash Explorer 3 or earlier, and does not
affect Windows 3.1 or Apple Macintosh versions.
bug causes crashes", CNET News.com:
"This is a
denial-of-service problem in that it prevents you from using the system,"
said Microsoft product manager for platform marketing Joe Herman. "[Ciucci's]
applet is hanging the system, and it's a bug that we need to correct.".
free to terminate Microsoft's Java contract", PC Week Online:
a ruling due anytime now in the Java case between Microsoft Corp. and Sun
Microsystems, a key date has come and gone -- the first anniversary of the suit
-- and that means Sun now has the right to terminate Microsoft's Java license."
Issues Internet Explorer Hostile Code Alert", NEWSBYTES Top Story:
advises customers take precautions against a serious security hole recently
discovered in Microsoft's implementation of Java in Internet Explorer. [...]
These applets can be included in any Web page, or sent via e-mail attachments.
[...] by maliciously programming the Microsoft Java extensions, hackers can
access various Windows capabilities normally inaccessible in "100% pure"
Java environments. [...] hackers can reach various desktop resources and stop
service completely. Computer users lose all unsaved work and are forced to
reboot. In its variants, the Ciucci Java applet exploitation can also wait
silently several minutes after the applet loads, and only later crash the
browser, making it difficult to trace the origin of the applet".
Patches, Solutions and Protections
a month, Microsoft released a patch.
Microsoft released a Java update on Dec. 7, 1998, after the
preliminary sentence in the case against Sun.
than making a working version the bugged extra function, Microsoft silently removed
totally the whole support of directX and directDraw from Java (at least from
standard security settings for Applets), in fact the
directDraw samples from their old Java SDK does not work anymore. It is
interesting to notice, Microsoft has not informed the users about the bug, and
silently patched it, probably hoping anyone will never know it existed?
a couple of locations where you can download the updates:
antivirus companies are adding support for blocking execution of the malicious
announced it's SurfinGate 4.02, an HTTP proxy able to prevent the applet from
Be sure to come back to www.anfyteam.com/iebug/
to read latest news and download patches / antiviruses.
can test here if your Internet Explorer is affected by the security hole.
Go to the Crash Test Page at
your own risk. The risk is only for Internet Explorer users without the latest
patch. With Netscape or non-Windows operating systems there are no risks.
Hackers activity monitor
report any site which contains malicious "Ciucci bug" applets.
is the list of know sites. Note: I have nothing to do with those people!
published those sites only after the release of Microsoft JVM patch, being
concerned about spreading of these files before the existence of a defense.
Anyway, the purpose of those links is to warn net surfers and antivirus
companies about the various versions of the hostile applets, NOT TO DISTRIBUTE THE FILES FOR MALICIOUS USES.
If you have news about this subject, including the announcements of new
antiviruses and patches for, or modified versions of the malicious applet,
contact me throught the contact page on the
www.anfyteam.com main site.
you have a web site, I suggest you download the free
Anfy 1.4, my
award winning tool, which gives easy design capabilities to add special effects
to html pages.