REPRINT: JAVA security risks on the Web

Subject: REPRINT: JAVA security risks on the Web
From: Chet Ensign <Chet_Ensign%LDS -at- NOTES -dot- WORLDCOM -dot- COM>
Date: Mon, 13 May 1996 09:23:20 -0500

As many of us are actively looking at the Web and the Internet as vehicles for
distributing interactive information resources, I'm reprinting this article
from Home Page Press, an online magazine, about security risks identified in
JAVA applets on the Web. Not only will we need to be aware of these in order to
protect ourselves, we also need to be aware of the topic so that we can discuss
it intelligently with our clients. (By the way, the article grants permission
for reprinting at the end.)

Best regards,


<-- REPRINT -->

Sun Microsystems has declared war on Black Widow Java
applets on the Web. This is the message from Sun in response
to an extensive Online Business Consultant (OBC/May 96)
investigation into Java security.

OBC's investigation and report were prompted after renowned
academics, scientists and hackers announced that Java applets
downloaded from the WWW presented grave security risks for
users. Java Black Widow applets are hostile, malicious traps set
by cyberthugs out to snare surfing prey, using Java as their technology.
OBC received a deluge of letters asking for facts after OBC
announced that a group of scientists from Princeton University, Drew
Dean, Edward Felten and Dan Wallach, had published a paper declaring
"The Java system in its current form cannot easily be made secure."
The paper can be retrieved at

Further probing by OBC found that innocent surfers on the Web who
download Java applets into Netscape's Navigator or Sun's
HotJava browser risk having "hostile" applets interfere with their
computers (consuming RAM and CPU cycles). It was also discovered that
applets could connect to a third party on the Internet and, without the
PC owner's knowledge, upload sensitive information from the user's
computer. Even the most sophisticated firewalls can be penetrated . . .
"because the attack is launched from behind the firewall," said the
Princeton scientists.

One reader said, "I had no idea that it was possible to stumble on
Web sites that could launch an attack on a browser." Another said,
"If this is allowed to get out of hand it will drive people away from the
Web. Sun must allay fears."

The response to the Home Page Press hostile applet survey led to the
analogy of Black Widow; that the Web was a dangerous place where
"black widows" lurked to snare innocent surfers. As a result the
Princeton group and OBC recommended users should "switch off"
Java support in their Netscape Navigator browsers. OBC felt that Sun
and Netscape had still to come clean on the security issues. But
according to Netscape's Product Manager, Platform, Steve Thomas,
"Netscape wishes to make it clear that all known security problems with
the Navigator Java and JavaScript environment are fixed in Navigator
version 2.02."

However, to date, Netscape has not answered OBC's direct questions
regarding a patch for its earlier versions of Navigator that supported
Java . . . the equivalent of a product recall in the 3D world. Netscape
admits that flaws in its browsers from version 2.00 upwards were
related to the Java security problems, but these browsers are still in use
and can be bought from stores such as CompUSA and Cosco. A floor
manager at CompUSA, who asked not to be named, said "it's news to
him that we are selling defective software. The Navigator walks off our
floor at $34 a pop."

OBC advised Netscape that the defective software was still selling at
software outlets around the world and asked Netscape what action was
going to be taken in this regard. Netscape has come under fire recently
for its policy of not releasing patches for software defects but instead
forcing users to download new versions. Users report this task to be a
huge waste of time and resources because each download consists of
several Mbytes. As such, defective Navigators don't get patched.

OBC also interviewed Sun's JavaSoft security guru, Ms. Marianne Mueller,
who said "we are taking security very seriously and working on it very
hard." Mueller said the tenet that Java had to be re-written from scratch or
scrapped "is an oversimplification of the challenge of running executable
content safely on the web. Security is hard and subtle, and trying to build
a secure "sandbox" [paradigm] for running untrusted downloaded applets
on the web is hard."

Ms. Mueller says Sun, together with their JavaSoft (Sun's Java division)
partners, have proposed a "sandbox model" for security in which "we
define a set of policies that restrict what applets can and cannot do---these
are the boundaries of the sandbox. We implement boundary checks---when
an applet tries to cross the boundary, we check whether or not it's allowed
to. If it's allowed to, then the applet is allowed on its way. If not, the
system throws a security exception.

"The 'deciding whether or not to allow the boundary to be crossed' is the
research area that I believe the Princeton people are working on," said
Mueller. "One way to allow applets additional flexibility is if the applet
is signed (for example, has a digital signature so that the identity of the
applet's distributor can be verified via a Certificate Authority) then allow
the applet more flexibility.

"There are two approaches: One approach is to let the signed applet
do anything. A second approach is to do something more complex and
more subtle, and only allow the applet particular specified capabilities.
Expressing and granting capabilities can be done in a variety of ways.

"Denial of service is traditionally considered one of the hardest security
problems, from a practical point of view. As [Java's creator] James
Gosling says, it's hard to tell the difference between an MPEG
decompressor and a hostile applet that consumes too many resources!
But recognizing the difficulty of the problem is not the same as 'passing
the buck.' We are working on ways to better monitor and control the
use (or abuse) of resources by Java classes. We could try to enforce
some resource limits, for example. These are things we are investigating.

"In addition, we could put mechanisms in place so that user interface
people (like people who do Web browsers) could add 'applet monitors'
so that browser users could at least see what is running in their browser,
and kill off stray applets. This kind of user interface friendliness (letting
a user kill off an applet) is only useful if the applet hasn't already grabbed
all the resources, of course."

The experts don't believe that the problem of black widows and hostile
applets is going to go away in a hurry. In fact it may get worse. The
hackers believe that when Microsoft releases Internet Explorer 3.00 with
support for Java, Visual Basic scripting and the added power of its
ActiveX technology, the security problem will become worse.

"There is opportunity for abuse, and it will become an enormous
problem," said Stephen Cobb, Director of Special Projects for the
National Computer Security Association (NCSA). "For example, OLE
technology from Microsoft [ActiveX] has even deeper access to a
computer than Java does."

JavaSoft's security guru Mueller agreed on the abuse issue: "It's going
to be a process of education for people to understand the difference
between a rude applet, and a serious security bug, and a theoretical
security bug, and an inconsequential security-related bug. In the case of
hostile applets, people will learn about nasty/rude applet pages, and
those pages won't be visited. I understand that new users of the Web
often feel they don't know where they're going when they point and click,
but people do get a good feel for how it works, pretty quickly, and I
actually think most users of the Web can deal with the knowledge that
not every page on the web is necessarily one they'd want to visit.
Security on the web in some sense isn't all that different from security
in ordinary life. At some level, common sense does come into play.

"Many people feel that Java is a good tool for building more secure
applications. I like to say that Java raises the bar for security on the
Internet. We're trying to do something that is not necessarily easy, but
that doesn't mean it isn't worth trying to do. In fact it may be worth
trying to do because it isn't easy. People are interested in seeing the
software industry evolve towards more robust software---that's the
feedback I get from folks on the Net."

# # #

The report above may be reprinted with credit provided as follows:

Home Page Press, Inc., and Online Business Consultant
Please refer to the HPP Web site for additional information about Java and OBC.
Home Page Press, Inc., home of Go.Fetch
Free TEXT version - Online Business Today email: obt -dot- text -at- hpp -dot- com
Free PDF version - Online Business Today email: obt -dot- pdf -at- hpp -dot- com
OBC / Online Business Consultant, $595/year email: obc -at- hpp -dot- com
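The sandbox model Mueller describes above (a set of policies saying what an applet may do, a boundary check on each sensitive operation, a security exception when the check fails, and the two ways of treating a signed applet), together with the resource-limit idea she contrasts with it, as an added Python model. This is not code from the article, from Sun, or from JavaSoft; the JDK's real mechanism was a Java SecurityManager class, and the applet names, hosts, signer, capability names and memory budget here are made up for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


class SecurityException(Exception):
    """Thrown when an applet tries to cross a sandbox boundary it may not."""


# Boundaries (sensitive operations) an applet may try to cross. These
# capability names are this example's own, not the JDK's.
READ_FILE, WRITE_FILE, CONNECT, EXEC = "read_file", "write_file", "connect", "exec"


@dataclass(frozen=True)
class Applet:
    name: str
    origin: str                   # host the applet was downloaded from
    signer: Optional[str] = None  # distributor identity verified via a CA, or None


# A policy decides whether `applet` may perform `cap` on `arg`.
Policy = Callable[[Applet, str, Optional[str]], bool]


def unsigned_policy(applet: Applet, cap: str, arg: Optional[str]) -> bool:
    """Baseline rules for an untrusted applet: no local file or process
    access, and network connections only back to the host it came from."""
    return cap == CONNECT and arg == applet.origin


def signed_does_anything(applet: Applet, cap: str, arg: Optional[str]) -> bool:
    """Approach 1 from the interview: a verified signature lifts every limit."""
    return applet.signer is not None or unsigned_policy(applet, cap, arg)


def signed_gets_grants(grants: dict) -> Policy:
    """Approach 2: a signer gets only the (capability, argument) pairs listed
    for it; everything else falls back to the unsigned rules."""
    def policy(applet: Applet, cap: str, arg: Optional[str]) -> bool:
        if applet.signer and (cap, arg) in grants.get(applet.signer, set()):
            return True
        return unsigned_policy(applet, cap, arg)
    return policy


class Sandbox:
    """Boundary checker: every sensitive call is routed through check()."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy

    def check(self, applet: Applet, cap: str, arg: Optional[str] = None) -> None:
        if not self.policy(applet, cap, arg):
            raise SecurityException(f"{applet.name}: {cap}({arg!r}) denied")

    def attempt(self, applet: Applet, cap: str, arg: Optional[str] = None) -> bool:
        """Try to cross a boundary; True if allowed, False if the sandbox threw."""
        try:
            self.check(applet, cap, arg)
            return True
        except SecurityException:
            return False


class ResourceMeter:
    """Boundary checks say nothing about how *much* of an allowed thing an
    applet does. A per-applet budget is the 'resource limits' idea above."""

    def __init__(self, max_bytes: int) -> None:
        self.max_bytes = max_bytes
        self.used = 0

    def allocate(self, n: int) -> None:
        if self.used + n > self.max_bytes:
            raise SecurityException(f"memory budget of {self.max_bytes} bytes exceeded")
        self.used += n


def run_memory_hog(meter: ResourceMeter, chunk: int = 1 << 20) -> int:
    """Simulated hostile applet that allocates until something stops it.
    Returns how many chunks it obtained before the meter cut it off."""
    got = 0
    try:
        while True:
            meter.allocate(chunk)
            got += 1
    except SecurityException:
        pass
    return got


if __name__ == "__main__":
    # Constructed sample applets: one unsigned, one signed by a made-up vendor.
    spinner = Applet("spinner", "www.example.com")
    installer = Applet("installer", "www.example.com", signer="Acme Widgets")

    sb = Sandbox(signed_does_anything)
    print(sb.attempt(spinner, CONNECT, "www.example.com"))    # True: back to origin
    print(sb.attempt(spinner, CONNECT, "drop.example.net"))   # False: third party
    print(sb.attempt(installer, READ_FILE, "/etc/passwd"))    # True: signed = anything

    sb2 = Sandbox(signed_gets_grants({"Acme Widgets": {(READ_FILE, "/tmp/acme.cfg")}}))
    print(sb2.attempt(installer, READ_FILE, "/tmp/acme.cfg"))  # True: granted
    print(sb2.attempt(installer, EXEC, "/bin/sh"))             # False: not granted

    print(run_memory_hog(ResourceMeter(max_bytes=8 << 20)))    # 8 chunks of 1 MiB
```

Two things the model makes visible that the prose only hints at. First, the baseline rule still lets an applet talk back to its own origin host, so the "upload sensitive information" scenario needs no third party at all: any way of reading data on the client, combined with that permitted connection, is an exfiltration path, which is why the file-access boundary matters as much as the network one. Second, the memory hog never crosses a boundary the policy objects to; only the separate budget stops it, which is the distinction between a boundary check and the denial-of-service problem Mueller calls the hardest one.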

Post Message: TECHWR-L -at- LISTSERV -dot- OKSTATE -dot- EDU
Get Commands: LISTSERV -at- LISTSERV -dot- OKSTATE -dot- EDU with "help" in body.
Unsubscribe: LISTSERV -at- LISTSERV -dot- OKSTATE -dot- EDU with "signoff TECHWR-L"
Listowner: ejray -at- ionet -dot- net
