-----BEGIN PGP SIGNED MESSAGE-----

Translations of CA-96.05.java_applet_security_mgr, (c) 1996,1997 by
Carnegie Mellon University, with special permission from the Software
Engineering Institute.

Accuracy and interpretation of this translation are the responsibility of
the Japan Computer Emergency Response Team/Coordination Center. The SEI has
not participated in this translation.

The CERT* Advisories and other CERT publications are available on the
Internet (http://www.cert.org/ or ftp://info.cert.org/pub/). Readers may
learn about the latest updates to these publications at these locations.

*Registered in the U.S. Patent and Trademark Office.


=============================================================================
CERT(*) Advisory CA-96.05
Original issue date: March 5, 1996
Last revised: September 24, 1997
              Updated copyright statement

              A complete revision history is at the end of this file.

Topic: Java Implementations Can Allow Connections to an Arbitrary Host
- -----------------------------------------------------------------------------

=============================================================================
CERT(*) $B4+9p(B CA-96.05
$B=iHG(B:           1996$BG/(B3$B7n(B5$BF|(B
$B:G=*2~D{(B:       1997$BG/(B9$B7n(B24$BF|(B
                $BCx:n8"I=<($NItJ,$r99?7$7$?!#(B

                $B40A4$J2~D{MzNr$O$3$N4+9p$N:G8e$KE:IU$5$l$F$$$k!#(B

$B<gBj(B: Java $B$N<BAu$,860x$GG$0U$N%[%9%H$,B>$X%3%M%/%7%g%s$N3NN)$r5v$9>uBV$K$J$k(B
- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a vulnerability in
implementations of the Java Applet Security Manager. This vulnerability is
present in the Netscape Navigator 2.0 Java implementation and in Release
1.0 of the Java Developer's Kit from Sun Microsystems, Inc. These
implementations do not correctly implement the policy that an applet may
connect only to the host from which the applet was loaded.

CERT $B%3!<%G%#%M!<%7%g%s%;%s%?!<$O!"(BJava Applet Security Manager $B$N<BAu$K%;(B
$B%-%e%j%F%#>e$N<eE@$,$"$k$HJs9p$r<u$1$?!#$3$N<eE@$O!"(BNetscape Navigator 2.0
$B$N(B Java $B$N<BAu$H(B Sun Microsystems, Inc $B$,Ds6!$9$k(B Java Developer's Kit $B$N%j(B
$B%j!<%9(B 1.0 $B$KB8:_$9$k!#$3$l$i$N<BAu$G$O!"(Bapplet $B$r%m!<%I$7$F$-$?%[%9%H$X$N(B
$B$_%3%M%/%7%g%s$N3NN)$r5v$9%]%j%7!<$r<B8=$G$-$F$$$J$$!#(B

The CERT Coordination Center recommends installing patches from the vendors,
and using the workaround described in Section III until patches can be
installed.

CERT $B$O!"%Y%s%@$,G[I[$9$k%Q%C%A$r%$%s%9%H!<%k$9$k$3$H$r?d>)$9$k$H$H$b$K!"%Q%C(B
$B%A$,%$%s%9%H!<%k$G$-$k$^$G(B III $B>O$G<($9BP:v$r9V$8$k$3$H$r?d>)$9$k!#(B

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

$B?7$?$J>pJs$rF@$?>l9g$O!"$3$N4+9p$r99?7$9$k!#<+J,$N%5%$%H$K4XO"$7$?4+9p$N2~(B
$BD{$KHw$(!"Dj4|E*$K4+9p$r3NG'$7$FD:$-$?$$!#(B

Although our CA-96.05 CERT advisory does not discuss JavaScript, there have
been a series of recent postings to newsgroups concerning a vulnerability in
the way Netscape Navigator (Version 2.0) supports JavaScript.

CA-96.05 CERT $B4+9p$O!"(BJavaScript $B$K$D$$$F5DO@$9$k$N$G$O$J$$!#$7$+$7!"6a$4$m(B
$B%K%e!<%9%0%k!<%W$K(B Netscape Navigator $B%P!<%8%g%s(B 2.0 $B$N(B JavaScript $B$N<BAu$K(B
$B%;%-%e%j%F%#>e$N<eE@$,$"$k$H$$$&0lO"$NEj9F$,$"$C$?!#(B

As a clarification to our readers, this problem is different from the problem
described in advisory CA-96.05.

$BG0$N$?$a$KJdB-$9$k$,!"$3$NLdBj$H4+9p(B CA-96.05 $B$G=R$Y$kLdBj$O0[$J$k$b$N$G$"(B
$B$k!#(B

Netscape Version 2.01 is now available. This version addresses the Java Applet
Security Manager and the JavaScript problems recently discussed.  For
additional information about these issues and to obtain the new release,
please see:

$B8=:_!"(BNetscape $B$N%P!<%8%g%s(B 2.01 $B$,MxMQ2DG=$G$"$k!#$3$N%P!<%8%g%s$O(B Java
Applet Security Manager $B$H:G6aOCBj$K$J$C$?(B JavaScript $B$NLdBj$r2r7h$7$F$$$k!#(B
$B$3$l$i$NLdBj$K4X$9$k>\:Y$J>pJs$H?7$7$$%j%j!<%9>pJs$rF@$k$K$O!"0J2<$r;2>H$N(B
$B$3$H!#(B

         http://home.netscape.com/eng/mozilla/2.01/relnotes/


- -----------------------------------------------------------------------------

I.   Description

I.   $B2r@b(B

     There is a serious security problem with the Netscape Navigator 2.0 Java
     implementation. The vulnerability is also present in the Java Developer's
     Kit 1.0 from Sun Microsystems, Inc. The restriction allowing an applet to
     connect only to the host from which it was loaded is not properly
     enforced. This vulnerability, combined with the subversion of the DNS
     system, allows an applet to open a connection to an arbitrary host on the
     Internet.

     Netscape Navigator 2.0 $B$KIU?o$9$k(B Java $B$N<BAu$K$O!"?<9o$J%;%-%e%j%F%#(B
     $B%[!<%k$,B8:_$9$k!#(BSun Microsystems, Inc $B$,Ds6!$9$k(B Java Developer's
     Kit 1.0 $B$K$bF1$8%;%-%e%j%F%#%[!<%k$,B8:_$9$k!#(BApplet $B$,@\B32DG=$J%[%9(B
     $B%H$O!"$=$l$r%m!<%I$7$F$-$?%[%9%H$N$_$G$"$k$,!"$3$l$i$N<BAu$G$O$=$N$h$&(B
     $B$J@)8B$,$&$^$/F/$+$J$$!#$3$N%;%-%e%j%F%#>e$N<eE@$H(B DNS $B%7%9%F%`$N$$$/(B
     $B$D$+$N%P!<%8%g%s$,AH9g$o$;$FMQ$$$i$l$k$H!"(Bapplet $B$,%$%s%?!<%M%C%H>e$N(B
     $BG$0U$N%[%9%H$X@\B3$G$-$k>uBV$K$J$k!#(B

     In these Java implementations, the Applet Security Manager allows an
     applet to connect to any of the IP addresses associated with the name
     of the computer from which it came. This is a weaker policy than the
     stated policy and leads to the vulnerability described herein.

     $B$3$l$i$N(B Java $B$N<BAu$G$O!"(BApplet Security Manager $B$O(B applet $B$r%m!<%I$7(B
     $B$?%3%s%T%e!<%?$N%[%9%HL>$KBP1~$9$k(B IP $B%"%I%l%9$,$I$N$h$&$J%"%I%l%9$G$"$C(B
     $B$?$H$7$F$b%3%M%/%7%g%s$N3NN)$r5v$7$F$7$^$&!#$3$l$O!"Dj$a$i$l$?%]%j%7!<(B
     $B$h$j$b<e$/!"$=$N7k2L$3$3$G=R$Y$k%;%-%e%j%F%#>e$N<eE@$r>7$$$F$7$^$&!#(B

II.  Impact

II.  $B1F6A(B

     Java applets can connect to arbitrary hosts on the Internet, including
     those presumed to be previously inaccessible, such as hosts behind a
     firewall. Bugs in any TCP/IP-based network service can then be exploited.
     In addition, services previously thought to be secure by virtue of their
     location behind a firewall can be attacked.

     $B%m!<%I$5$l$?(B Java applet $B$O!"%$%s%?!<%M%C%H>e$NG$0U$N%[%9%H$X$N%3%M%/(B
     $B%7%g%s$N3NN)$,2DG=$J>uBV$K$J$k!#$=$NCf$K$O%U%!%$%"%&%)!<%k$NGX8e$K$"$k(B
     $B%[%9%H$N$h$&$KDL>o$O%"%/%;%9$,IT2DG=$H$J$C$F$$$k%[%9%H$b4^$^$l$k!#$3$l(B
     $B$K$h$j!"(BTCP/IP $B$K4p$E$$$?%M%C%H%o!<%/%5!<%S%9$N$5$^$6$^$J%P%0$r967b$9(B
     $B$k$3$H$,2DG=$G$"$k!#2C$($F!"%U%!%$%"%&%)!<%k$NGX8e$K$"$k$?$a0BA4$G$"$k(B
     $B$H9M$($i$l$F$$$?%5!<%S%9$,!"967b$K$5$i$5$l$k!#(B

III. Solution

III. $BBP:v(B

     To fix this problem, the Applet Security Manager must be more strict
     in deciding which hosts an applet is allowed to connect to. The Java
     system needs to take note of the actual IP address that the applet truly
     came from (getting that numerical address from the applet's packets as
     the applet is being loaded), and thereafter allow the applet to connect
     only to that same numerical address.

     $B$3$NLdBj$r2r7h$9$k$?$a$K$O!"(Bapplet $B$,@\B3$G$-$k%[%9%H$N7hDj$r(B Applet
     Security Manager $B$,$b$C$H87L)$K9T$o$J$1$l$P$J$i$J$$!#(BJava $B$N%7%9%F%`$O!"(B
     applet $B$r<B:]$K%m!<%I$7$F$-$?(B IP $B%"%I%l%9$KCmL\$9$kI,MW$,$"$k(B (applet
     $B$r%m!<%I$9$k:]$K(B applet $B$rE>Aw$9$k%Q%1%C%H$N(B IP $B%"%I%l%9$NCM$rF@$kI,MW(B
     $B$,$"$k(B)$B!#(B $B$=$N8e!"(Bapplet $B$,$=$N(B IP $B%"%I%l%9$@$1$K%3%M%/%7%g%s$r3NN)$G(B
     $B$-$k$h$&$K$9$kI,MW$,$"$k!#(B

     We urge you to obtain vendor patches as they become available.
     Until you can install the patches that implement the more strict
     applet connection restrictions, you should apply the workarounds
     described in each section below.

     $BMxMQ2DG=$K$J$j<!Bh%Y%s%@$+$i$N%Q%C%A$rF~<j$9$k$3$H$rMW@A$9$k!#(Bapplet
     $B$N%3%M%/%7%g%s@)8B$r$h$j87L)$K<B8=$9$k%Q%C%A$r%$%s%9%H!<%k$9$k$^$G$O!"(B
     $B0J2<$N@a$G=R$Y$kBP:v$r9V$8$k$Y$-$G$"$k!#(B

     A. Netscape users

     A. Netscape $B$N%f!<%6(B

        For Netscape Navigator 2.0, use the following URL to learn more about
        the problem and how to download and install a patch:

        Netscape Navigator 2.0 $B$K$D$$$F$O!"LdBj$NFbMF$H%Q%C%A$NF~<j$*$h$S%$(B
        $B%s%9%H!<%kJ}K!$rCN$k$?$a$K0J2<$N(B URL $B$r;2>H$9$k$3$H!#(B

            http://home.netscape.com/newsref/std/java_security.html

        Until you install the patch, disable Java using the "Security
        Preferences" dialog box.

        $B$3$N%Q%C%A$r%$%s%9%H!<%k$9$k$^$G$O!"(BSecurity Preferences $B$N%@%$%"%m(B
        $B%0$G(B Java $B$r;HMQITG=$K$9$k$3$H!#(B


     B. Sun users

     B. Sun $B%f!<%6(B

        A patch for Sun's HotJava will be available soon.

        Sun $B$N(B HotJava $B$X$N%Q%C%A$,6aF|Cf$KMxMQ2DG=$H$J$k!#(B

        Until you can install the patch, disable applet downloading by
        selecting "Options" then "Security...". In the "Enter desired security
        mode" menu, select the "No access" option.

        $B%Q%C%A$r%$%s%9%H!<%k$9$k$^$G$O!"%a%K%e!<$+$i(B "Options" $B$N(B
        "Security..." $B$rA*$S(B applet $B$N%@%&%s%m!<%I$r;HMQITG=$K$9$k$3$H!#(B
        "Enter desired security mode" $B%a%K%e!<$G(B "No access" $B$rA*$V$H$h$$!#(B

        In addition, select the "Apply security mode to applet loading" to
        disable applet loading entirely, regardless of the source of the
        applet.

        $B2C$($F!"(B"Apply security mode to applet loading" $B$rA*$S!"$$$+$J$k%[(B
        $B%9%H$+$i$b(B applet $B$r%m!<%I$G$-$J$$$h$&$K$9$k$3$H!#(B


     C. Both Netscape and Sun users

     C. Netscape $B$H(B Sun $B%f!<%6(B

        If you operate an HTTP proxy server, you could also disable
        applets by refusing to fetch Java ".class" files.

        HTTP $B$NBeM}%5!<%P$r4IM}$7$F$$$k$J$i$P!"(BJava $B$N(B ".class" $B%U%!%$%k$N(B
        $BE>Aw$r5qH]$9$k$3$H$G!"(B applet $B$r;HMQITG=$K$G$-$k!#(B


- ---------------------------------------------------------------------------
The CERT Coordination Center thanks Drew Dean, Ed Felton, and Dan Wallach of
Princeton University for providing information for this advisory. We thank
Netscape Communications Corporation, especially Jeff Truehaft, and Sun
Microsystems, Inc., especially Marianne Mueller, for their response to this
problem.
- ---------------------------------------------------------------------------

- ---------------------------------------------------------------------------
CERT $B%3!<%G%#%M!<%7%g%s%;%s%?!<$O!"$3$N4+9p$K4X$9$k>pJs$rDs6!$7$F$$$?$@$$$?(B
Princeton $BBg3X$N(B Drew Dean $B;a$H(B Ed Felton $B;a!"(BDan Wallach $B;a$K46<U$9$k!#$=(B
$B$7$F!"$3$NLdBj$KBP1~$7$F$$$?$@$$$?(B Netscape Communications Corporation $BFC$K(B
Jeff Truehaft $B;a!"(BSun Microsystems, Inc. $BFC$K(B Marianne Mueller $B;a$K46<U$9$k!#(B
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

$B$b$7!"<+J,$N%5%$%H$N%7%9%F%`$,?/F~$5$l$?$H;W$C$?$H$-$O!"(BCERT $B%3!<%G%#%M!<%7%g(B
$B%s%;%s%?!<!"$"$k$$$O6a$/$N(B FIRST (Forum of Incident Response and Security
Teams) $B2CLA%A!<%`$KO"Mm$7$FM_$7$$!#(B

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact the
CERT staff for more information.

$BEE;R%a!<%k$G=EMW$J>pJs$rAw$k$H$-$O!"0E9f2=$9$k$3$H$r6/$/MW@A$9$k!#(BCERT $B%3!<(B
$B%G%#%M!<%7%g%s%;%s%?!<$O!"(BDES $B$H(B PGP $B$r;HMQ$G$-$k!#>\:Y$O(B CERT $B%9%?%C%U$KLd(B
$B$$9g$o$;$FM_$7$$!#(B

Location of CERT PGP key

CERT $B$N(B PGP $B8x3+80$NF~<j>l=j(B
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT $B$X$N%3%s%?%/%HJ}K!(B
- -----------------------
$BEE;R%a!<%k(B  cert@cert.org

$BEEOC(B        +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

$B%U%!%C%/%9(B  +1 412-268-6989

$B=;=j(B
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to

CERT $B4+9p$H8xJs$rDs6!$9$k%a!<%j%s%0%j%9%H$r9XFI$7$?$$>l9g$O!"<!$N%"%I%l%9$K(B
$B<+J,$NEE;R%a!<%k%"%I%l%9$r=q$$$FAw$C$FM_$7$$!#(B
        cert-advisory-request@cert.org

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

CERT $B$NH/9TJ8=q!"(BFIRST $B$K4X$9$k>pJs!"$=$NB>%;%-%e%j%F%#$K4X$9$k>pJs$O!"(B
anonymous FTP $B$K$h$j0J2<$+$iF~<j$G$-$k!#(B
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup

CERT $B4+9p$H8xJs$O!"(BUSENET $B$N<!$N%K%e!<%9%0%k!<%W$K$bEj9F$5$l$F$$$k!#(B
        comp.security.announce


- ------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University. Conditions for use,
disclaimers, and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

Copyright 1996 Carnegie Mellon University. $B;HMQ>r7o!"LH@U;v9`!"%9%]%s%5!<$H(B
$B$N7@Ls$K4X$9$k>pJs$K$D$$$F$O!"(Bhttp://www.cert.org/legal_stuff.html $B$"$k$$$O(B
ftp://ftp.cert.org/pub/legal_stuff $B$+$iF~<j$G$-$k!#$b$7!"(BFTP $B$d(B web $B$K$h$k(B
$B%"%/%;%9$,IT2DG=$J>l9g$O!"(Bcert@cert.org $B08$K%a!<%k$rAw$C$FM_$7$$!#$=$N$H$-(B
$B$K$O%5%V%8%'%/%H9T$K(B "copyright" $B$H=q$/$3$H!#(B

CERT is registered in the U.S. Patent and Trademark Office.

CERT $B$O9g=09qFC5v>&I8D#$KEPO?:Q$_$G$"$k!#(B


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Sep. 24, 1997  Updated copyright statement

Aug. 30, 1996  Information previously in the README was inserted into the
               advisory.

Mar. 15, 1996  Introduction - added clarification on JavaScript and pointers to
               Netscape Version 2.01.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$B2~D{MzNr(B

1997$BG/(B9$B7n(B24$BF|(B  $BCx:n8"I=<($NItJ,$r99?7$7$?!#(B

1996$BG/(B8$B7n(B30$BF|(B  $B0JA0(B README $B$K5-:\$5$l$F$$$?>pJs$,$3$N4+9p$K@9$j9~$^$l$?!#(B

1996$BG/(B3$B7n(B15$BF|(B  $B=x>O(B - JavaScript $B$NLdBj$H$N6hJL$H(B Netscape $B%P!<%8%g%s(B 2.01
               $B$X$N%]%$%s%?$r2CI.$7$?!#(B


- ----------------------------------------------------------------------------
JPCERT/CC $B2~D{MzNr(B

2000$BG/(B8$B7n(B25$BF|(B  $B:G?7>pJs$N(B URL $B$N99?7(B
1999$BG/(B8$B7n(B9$BF|(B   $B%X%C%@$N8m;z$N=$@5!#(B
               $B%U%C%?$N99?7!#(B
1998$BG/(B2$B7n(B17$BF|(B  $B=iHG(B


====================== $B$3$NJ8=q$N<h07$K4X$9$kCm0U;v9`(B ======================

  $B$3$NJ8=q$O!"86Cx:n8"<T$+$iK]Lu$N5vBz$r<u$1!"(BJPCERT/CC $B$,FH<+$KK]Lu$7(B
$B$?J8=q$G$9!#$3$NK]LuJ8=q$r>&6HL\E*$K;HMQ$9$k$3$H$r6X;_$7$^$9!#$^$?(B
JPCERT/CC $B$N5vBz$J$/:FG[I[$9$k$3$H$r6X;_$7$^$9!#(B

  $BK]Lu$K$"$?$C$F$O!"8mLu$d8m2r$r@8$8$k$h$&$JI=8=$r$J$/$9$h$&$KEXNO$7$F(B
$B$*$j$^$9$,!"$b$7K|$,0lIT6q9g$r8+$D$1$?>l9g$K$O!"(BJPCERT/CC $B$K$4O"MmD:$1(B
$B$l$P9,$$$G$9!#$^$?!"$=$l0J30$K$b!"$3$NK]Lu$K4X$7$F<ALdEy$,$"$k>l9g$K$O!"(B
JPCERT/CC $B$K$4O"Mm$r$*4j$$CW$7$^$9!#O"Mm@h$O<!$NDL$j$G$9!#(B

        info@jpcert.or.jp


  $B$3$NK]LuJ8=q$O!"?o;~99?7$5$l$k2DG=@-$,$"$j$^$9$N$G!":G?7>pJs$K$D$$$F(B
$B$O!"<!$r;2>H$7$F$/$@$5$$!#(B

        http://www.jpcert.or.jp/tr/cert_advisories/

  $B$^$?K]LuJ8=q$N86J8=q$b?o;~99?7$5$l$k2DG=@-$,$"$j$^$9$N$G!"$=$A$i$b;2(B
$B>H$7$F$/$@$5$$!#K]LuJ8=q$H86J8=q$N%P!<%8%g%s$,0[$J$k>l9g$K$O!"86J8=q$,(B
$B:G?7>pJs$G$9!#(B

===================== JPCERT/CC $B$+$i$N$*CN$i$;$H$*4j$$(B =====================

  $BK\J8=q$G2r@b$7$?IT@5%"%/%;%9$b4^$a!"%$%s%?!<%M%C%H>e$G0z$-5/$3$5$l$k(B
$B$5$^$6$^$JIT@5%"%/%;%9$K4X$9$k>pJs$,$"$j$^$7$?$i!"(BJPCERT/CC $B=jDj$NJs9p(B
$BMM<0$K$45-:\$N$&$(!"4XO"$9$k%m%0%U%!%$%k$N%a%C%;!<%8$H$H$b$K!"<!$N%"%I(B
$B%l%9$^$G$*Aw$j$/$@$5$$!#(B

    info@jpcert.or.jp

  $BJs9pMM<0Ey!"(BJPCERT/CC $B$X$NO"MmJ}K!$K$D$-$^$7$F!">\$7$/$O<!$N(B URL $B$r(B
$B$4;2>H2<$5$$!#(B

    http://www.jpcert.or.jp/contact.html

  JPCERT/CC $B$KD:$$$?Js9p$O!"Js9p<T$NN;2r$J$7$K!"$=$N$^$^B>AH?%Ey$K3+<((B
$B$9$k$3$H$O$"$j$^$;$s!#(BJPCERT/CC $B$NAH?%35MW$K$D$-$^$7$F$O!"<!$N(B URL $B$r(B
$B$4;2>H$/$@$5$$!#(B

    http://www.jpcert.or.jp/

  JPCERT/CC $B$G$O!"IT@5%"%/%;%9$K4X$9$k>pJs$r?WB.$K$4Ds6!$9$k$?$a$K!"%a!<(B
$B%j%s%0%j%9%H$r3+@_$7$F$$$^$9!#EPO?$NJ}K!Ey!">\$7$/$O!"<!$N(B URL $B$r$4;2(B
$B>H$/$@$5$$!#(B

    http://www.jpcert.or.jp/announce.html

__________

$BCm(B: $B$3$NJ8=q$O!"IT@5%"%/%;%9$KBP$9$k0lHLE*$J>pJsDs6!$rL\E*$H$7$F$*$j!"FCDj(B
$B$N8D?M$dAH?%$KBP$9$k8DJL$N%3%s%5%k%F%#%s%0$,L\E*$G$O$"$j$^$;$s!#$=$N$?$a!"(B
$B8DJL$NLdBj$K4X$9$k$*Ld$$9g$o$;Ey$KI,$:$*Ez$($G$-$k$H$O8B$j$^$;$s!#$^$?!"$*(B
$BEz$($G$-$k>l9g$G$b$42sEz$,CY$l$k2DG=@-$,$"$j$^$9!#(B

JPCERT/CC $B$O!"$3$NJ8=q$K5-:\$5$l$?>pJs$NFbMF$,@53N$G$"$k$h$&EX$a$F$$$^$9$,!"(B
$B@53N@-$r4^$a0l@Z$NIJ<A$K$D$$$F$3$l$rJ]>ZCW$7$^$;$s!#$3$NJ8=q$K5-:\$5$l$?>p(B
$BJs$K4p$E$$$F!"5.J}$"$k$$$O5.AH?%$,$H$i$l$k9TF0!"$"$k$$$O$H$i$l$J$+$C$?9TF0(B
$B$K$h$C$F!"D>@\E*!"4V@\E*$^$?$O6vH/E*$K0z$-5/$3$5$l$?7k2L$KBP$7$F!"(BJPCERT/CC
$B$O2?$iJ]>ZCW$7$^$;$s!#(B

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia

iQCVAwUBOaXnR4x1ay4slNTtAQHWvgP/SxistwRzJL7z65j1/cEsCN5BxWPVEv6u
zcL6b6xBSZ7nQJ4mRoK0UgWhJ67GAZpwkFdANJaLZeG0Uj6MGluCaJbsBf2b7iLR
LNttMoVv+7aoiP4q4t8zkM7Rw/hqMwy/xiZJkCs49IyBgYEdjNiHU6Iiq3r2dnMD
TaY4KozW++Q=
=gjuu
-----END PGP SIGNATURE-----