by Kieron Murphy

Why JavaSoft already released another JDK 1.1 beta

Jan 1, 1997

Find out all the details on how beta 2 fixes some bugs, including a security-related glitch

Just as Fall Internet World was gearing up, programmers at JavaSoft were finalizing the beta 2 release of the Java Developer Kit version 1.1. The initial beta release of the 1.1 version took place on December 3. Ten days later, Sun was ready with a second release to provide additional source code and to resolve a number of bugs in security and other significant areas.

JavaSoft has made the following changes in the JDK 1.1 beta release:

  • The source code for the public classes in the java.* package now is included in the file src.zip. These classes correspond to the public classes contained in classes.zip.

  • A fix eliminates a bug in the Jar tool's manifest build that limited the number of files to 64 entries in some configurations of Solaris.

  • A fix in the javakey security tool prevents signed Jar files from having invalid signatures. An implementation inconsistency in javakey had caused signature checking to fail. Though not a security hole per se, this bug caused applets to run as untrusted, with minimal permissions enabled.

  • A change now allows case statements with unlimited numerical values to be used in switch statements. (For example, a switch statement containing the two cases 0 and 99999999 had caused the compiler to run out of memory.)

  • In the initial release for Win32, the class java.io.LineNumberReader had been documented, but the class file was absent from classes.zip. The java.io.LineNumberReader has now been added to classes.zip.

  • A fix prevents DecimalNumberFormat methods from throwing exceptions. The class java.text.DecimalNumberFormat had thrown an exception when any of its format or parse methods were called.

As could be expected, the security-bug fix drew most of the attention among the Javarati at Internet World — as do all admissions of security flaws in Java from Sun’s corps of engineers.

“Actually this isn’t in any way a security breach, only an unfortunate bug that basically made it impossible to take advantage of the newer security feature of signed applets,” said an assuring Lew Tucker, director of corporate and ISV relations at JavaSoft. “In the first JDK 1.1 beta release, the older model of treating all applets as untrusted was enforced. Now people can try out our new digital signature features.”

Home security

“The [javakey] bug was discovered the first time we tried to use digital signing ourselves,” said Marianne Mueller, a senior security engineer at Sun. “We publish our software on the Web, and once we put it out there, many of us inside the company download a copy and do some testing. So one of the JavaSoft engineers who downloaded the JDK 1.1 beta 1 release immediately noticed the bug. It wasn’t a real security bug in that it didn’t expose any security holes. It was just that the signature checking always failed. So signed classes that should have been allowed more functionality were instead still restricted to the sandbox.”

The fix was a straightforward programming fix of a straightforward programming bug, according to Mueller. “It wasn’t a tricky system security hole or anything like that,” she added. “Developers now will be able to create signed applets and to configure their systems to allow those applets greater freedom. We distribute a tool called appletviewer that developers can use to help them create and test their signed applets. Down the road, we expect that Java-enabled browsers will support Java digital signatures, but I don’t know the dates for when that will be available to end users. We’re working very closely with our Java licensees to help make that happen.”

“There is no such thing as 100 percent security,” said Gary McGraw, the coauthor of Java Security: Hostile Applets, Holes, and Antidotes (Wiley, 1996). “Any time you have a system as complex as the JDK and Java VM, there will almost certainly be bugs. Every bug introduces potential security holes. Based on the history of bug discovery in earlier versions of the JDK, it is unlikely that the most recent bug in the javakey implementation is the only one. My advice is to keep your eye out for security alerts and make sure you are using the most up-to-date browser/VM combination available.”

The upgrade path

According to Mueller, current plans for follow-on releases for the JDK 1.1 are: to have a Java crypto extension package (for domestic release only) available in early 1997; and by the middle of the year to offer support for flexible, configurable security policies, so that users can fine-tune the access they give to signed downloaded applets.