FW: More Java Security Problems [LOOOOOOONG!] (fwd)

Subject: FW: More Java Security Problems [LOOOOOOONG!] (fwd)
From: Paula Puffer <techwrtr -at- CEI -dot- NET>
Date: Fri, 10 May 1996 12:36:42 -0500


I got this from another list, but I thought I would forward it to this list since several of us do WWW stuff

techwrtr -at- cei -dot- net

From: Steve Krause[SMTP:skrause -at- bgnet -dot- bgsu -dot- edu]
Sent: Friday, May 10, 1996 10:04 AM
To: Multiple recipients of list
Subject: FYI: More Java Security Problems [LOOOOOOONG!] (fwd)

I got this from a computer geek friend of mine and I thought it might be
interesting/concerning to many of us here.

From ??? -at- ??? Sun Jan 00 00:00:00 0000====
Steve Krause * Department of English * Bowling Green State University
Bowling Green, OH * 43403 * (419) 372-8934 *skrause -at- bgnet -dot- bgsu -dot- edu
*Soon to be at Southern Oregon State College in Ashland, OR*
From ??? -at- ??? Sun Jan 00 00:00:00 0000====

---------- Forwarded message ----------

Mark Ladue's Hostile Applet's Page

Internet Java Resources and Pointers

------ Forwarded Message
------ Forwarded Message
Found this today. For those of you with time constraints, the text is
online at the Macinstuff Times, http://www.informedusa.com/t/mactimes.html.


"Deadly Black Widow on the Web: Her Name is JAVA"

"Don't trust Java online" That's the message from computer and Internet
watchdogs, in response to reports that "hostile" Java applets are stalking
the WWW. These malicious applets can destroy data, interfere with mission
critical intranets, and gain access to sensitive data.

"The situation is scary," said Stephen Cobb, Director of Special Projects
for the National Computer Security Association (NCSA). "Software companies
are releasing products on the Internet without even considering the hacker
perspective. Enterprise IT managers have to understand there is a real
danger allowing users to freely access the WWW. They have to set up policy
now to prevent users from downloading malicious applets and viruses. Users
should only be allowed to access trusted domains and Web sites."

According to the NCSA, "a malicious 'applet' can be written to perform any
action that the legitimate user can do. The security enhancements announced
by Sun Microsystems and Netscape do not fix this flaw CERT (Computer
Emergency Response Teams) recommends disabling Java in Netscape Navigator
[only Netscape browsers are at issue] and not use Sun's 'appletviewer' to
browse untrusted web sites until patches are made available from the
vendors." The warnings apply to Netscape Navigator 2.0 and 2.01, and Sun's
HotJava browser.

And according to a white paper being released by researchers at Princeton
University, "The Java system in its current form canno easily be made
secure." The scientists, Drew Dean, Edward Felten and Dan Wallach, will
present their white paper at the 1996 IEEE Symposium on Security, which
starts in California Monday, May 6.

According to the scientists, and other sources interviewed by Online Business
Consultant (OBC), innocent surfers on the Web who download Java applets into
Netscape's Navigator and Sun's HotJava browser, risk having "hostile" applets
interfere with their computers (consuming RAM and CPU cycles) or, worse,
having an applet connect to a third party on the Internet to upload
sensitive information from the user's computer.

The scientists say that even firewalls, software designed to fence-off LANs
and Intranets from cyberthugs, are ineffective against the malicious Java
code . . . "because the attack is launched from behind the firewall."

This information was made public some weeks back. However, the browsing
and particularly online business users, are ignoran of the Java risks. In a
survey conducted by OBC the vast majority of Netscape users had no idea
that Java applets presented a grave risk, and many felt the proponents of
Java as an Internet technology, particularly Sun Microsystems, Inc. and
Netscape Communications Corporation, were not paying enough attention to
the issue. "I have to report this information to my senior executives,"
said one IT manager. "They are especially anxious to have clarity on the
(Java) security issue."

"They are hoping the security issues will just go away," said another
responder, one of the few who has researched the security issue. "But it
will not. The hackers will continue to find the loopholes and exploit the

OBC also interviewed hackers who have designed Java applets to turn
cancerous at a future date. Said one hacker: "Even legitimate Java applets
can be targeted on the Web and attacked. I have written a Java virus that
changes one line of code in a Java applet to render it useless." [A sample
of this type of hostile code is included in the complete Java report in the
May issue of OBC]

A computer security expert, Mark Ladue, has set up a "Hostile Applets"site
on the Internet. The site is a free service to alert business to the
potential dangers. "I've read that article by Dean, Felten, and Wallach,
and I agreed with what they had to say as far as they went, but I would
paint the picture a little more darkly. It's to the business community that
they (Java applets) pose the most serious threat."

Back in March the Princeton group released the following Java report to Sun
Microsystems, Netscape and Cern: "We have discovered a serious security
with Netscape Navigator's 2.0 Java implementation. [The problem is also
present in the 1.0 release of the Java Development Kit from Sun] An applet
is normally allowed to connect only to the host from which it was loaded.
However, this restriction is not properly enforced. A malicious applet can
open a connection to an arbitrary host on the Internet.At this point, bugs
in any TCP/IP-based
network service can be exploited. We have implemented (as a proof of concept)
exploitation of an old sendmail bug [to reproduce the problem].

Sun issued a patch that plugs the possibility of "spoofing." Netscape
modified its software (in version 2.00). However, Netscape's Navigator is
readily available in stores and countless millions of World Wide Web users
have no idea they are at serious risk. To date OBC has been unable to
obtain official response from Sun or Netscape. The following security claim
is extracted
from their original white paper on Java:

"Java is intended to be used in networked/distributed environments. Toward
that end, a lot of emphasis has been placed on security. Java enables the
construction of virus-free, tamper-free systems. The authentication
techniques are based on public-key encryption."

However, the Princeton group states otherwise, "If the user viewing the
(Java) applet is behind a firewall, this attack can be used against any
other machine behind the same firewall. The firewall will fail to defend
against (Java) attacks on internal networks, because the attack originates
behind the firewall.

"The immediate fix for this problem is to disable Java from Netscape's
Preferences' dialog. An HTTP proxy server could also disable Java applets
by refusing to fetch Java '.class' files. We've sent a more detailed
description of this bug to CERT, Sun, and Netscape."

In light of this information, OBC feels it is prudent to avoid using the
Netscape Navigator browsers and logging on to insecure Java sites on the
Internet until complete safety can be confirmed.

The complete Java report in the May issue of OBC also exposes the mounting
dangers of email being attacked by "Trojan horse" Java applets.


------ End of Forwarded Message

------ End of Forwarded Message

Post Message: TECHWR-L -at- LISTSERV -dot- OKSTATE -dot- EDU
Get Commands: LISTSERV -at- LISTSERV -dot- OKSTATE -dot- EDU with "help" in body.
Unsubscribe: LISTSERV -at- LISTSERV -dot- OKSTATE -dot- EDU with "signoff TECHWR-L"
Listowner: ejray -at- ionet -dot- net

Previous by Author: Long Web page or short multiple pages? (was Re: Students & Web pages)
Next by Author: A question about gaining technical skills.
Previous by Thread: Style Guide & Industry Query
Next by Thread: CHAT: "wheat from the chaff."

What this post helpful? Share it with friends and colleagues:

Sponsored Ads