Secure Internet Programming
* History
* People
* Partners
* Research
* Publications
* Links
Java Security Flaws (August 1996)

The Array Name Bug

This bug affected Netscape Navigator version 3.0 beta 5 and earlier. It was caused by incorrect handling of type definitions in the Java internals. Java uses special predefined names for its array types; these special names are bound to the correct array types on demand. We discovered that under certain circumstances an applet could define a class that had one of these special names. The system detected this and threw an exception, but the malicious definition was mistakenly left in one of the system's internal tables. The result was that an applet could redefine one of Java's array types. This was sufficient to break Java's type system and hence to completely circumvent Java's security mechanisms.

The bug is fixed in Netscape Navigator version 3.0 beta 6 and later.

Princeton University
Department of Computer Science