9.613 Java security problem

Humanist (mccarty@phoenix.Princeton.EDU)
Fri, 8 Mar 1996 23:09:54 -0500 (EST)

Humanist Discussion Group, Vol. 9, No. 613.
Center for Electronic Texts in the Humanities (Princeton/Rutgers)
Information at http://www.princeton.edu/~mccarty/humanist/

[1] From: Andrew Burday <andy@dep.philo.mcgill.ca> (45)
Subject: Re: 9.610 JavaScript vs. Java

On Wed, 6 Mar 1996, Humanist [in the person of John Loverso] wrote:

> [1] From: John Robert LoVerso <loverso@osf.org> (3)
> > strasbg.fr/arc/msg00004.html
> Someone responsible for the forwarded message at the above URL is incorrectly
> calling this a Java security problem. Everything referenced there has to
> do with JavaScript, which is a different language than Java.

I checked this URL, and it currently points to a message regarding the
Symantec Cafe developer's kit. I assume that LoVerso (who documented
one of the holes in javascript, which is different from java) was
referring to an earlier Humanist message which did conflate java and
javascript. (A search for 'java' in the archives turned it up...
Something like 9.606.)

BUT: Humanists should be aware that there is a (known) security hole in
java (in addition to at least one other in javascript). A java applet
running on your computer is supposed to be able to access no OTHER
computer on the net except the computer from which you downloaded it.
However, there is a bug that would make it fairly easy to get around this.
One malicious use for this bug would be to subvert firewalls. An applet
would be downloaded from the Internet to the "inside" of the firewall,
where it would gather information or try to break into systems which ought
to be protected by the firewall. If you are behind a firewall and your
MIS or computing centre people have recently disabled java by preventing
applets from crossing the firewall, this is probably why.

The bug was discovered by researchers at Princeton (and independently
suggested but apparently not demonstrated by some guy in Arizona), and
has been the subject of a recent CERT advisory. I'm sorry I don't have
the relevant URLs in front of me, but an Alta Vista search would turn
them up. The earlier message on Humanist mentioned


which is indeed helpful.

In general, what this shows is that Burns's line about the best-laid
plans still holds, even for the very smart people at SunSoft. It is
going to be interesting to watch the competition between good guys and bad
guys as java becomes more popular. Hopefully the good guys will (mostly)
stay ahead of the bad guys...


Andrew Burday
andy@philo.mcgill.ca http://www.philo.mcgill.ca/
"What's the use of elaborating what, in its very essence, is so
short-lived as a modern book?"
Melville to Hawthorne, while struggling to complete _Moby Dick_