Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

IP: Deadly Black Widow on the Web (fwd)

From: Dave Farber <farber () central cis upenn edu>
Date: Mon, 06 May 1996 14:40:38 -0400
I neither endorse or not endorce this one -- djf




Date: Sun, 5 May 1996 17:29:16 -0400 (EDT)
From: Home Page Press, Inc. <staff () hpp com>
To: java () hpp com
Subject: Warning: Deadly Black Widow on the Web


Deadly Black Widow on the Web:
Her Name is JAVA


"Don't trust Java online" That's the message from computer
and Internet security watchdogs, in response to reports that
"hostile" Java applets are stalking the WWW. These malicious
applets can destroy data, interfere with mission critical intranets,
and gain access to sensitive data.


"The situation is scary," said Stephen Cobb, Director of Special
Projects for the National Computer Security Association (NCSA).
"Software companies are releasing products on the Internet without
even considering the hacker perspective. Enterprise IT managers
have to understand there is a real danger allowing users to freely
access the WWW. They have to set up policy now to prevent users
from downloading malicious applets and viruses. Users should only
be allowed to access trusted domains and Web sites."


According to the NCSA, "a malicious 'applet' can be written to
perform any action that the legitimate user can do. The security
enhancements announced by Sun Microsystems and Netscape do not
fix this flaw CERT (Computer Emergency Response Teams)
recommends disabling Java in Netscape Navigator [only Netscape
browsers are at issue] and not use Sun's 'appletviewer' to browse
untrusted web sites until patches are made available from the
vendors." The warnings apply to Netscape Navigator 2.0 and 2.01,
and Sun's HotJava browser.


And according to a white paper being released by researchers at
Princeton University, "The Java system in its current form cannot
easily be made secure." The scientists, Drew Dean, Edward Felten
and Dan Wallach, will present their white paper at the 1996 IEEE
Symposium on Security, which starts in California Monday, May 6.


According to the scientists, and other sources interviewed by Online
Business Consultant (OBC), innocent surfers on the Web who download
Java applets into Netscape's Navigator and Sun's HotJava browser, risk
having "hostile" applets interfere with their computers (consuming RAM
and CPU cycles) or, worse, having an applet connect to a third party on
the Internet to upload sensitive information from the user's computer.


The scientists say that even firewalls, software designed to fence-off
LANs and Intranets from cyberthugs, are ineffective against the malicious
Java code . . . "because the attack is launched from behind the firewall."


This information was made public some weeks back. However, the
browsing public, and particularly online business users, are ignorant
of the Java risks. In a survey conducted by OBC the vast majority of
Netscape users had no idea that Java applets presented a grave risk,
and many felt the proponents of Java as an Internet technology,
particularly Sun Microsystems, Inc. and Netscape Communications
Corporation, were not paying enough attention to the issue.  "I have to
report this information to my senior executives," said one IT manager.
"They are especially anxious to have clarity on the (Java) security issue."


"They are hoping the security issues will just go away," said another
responder, one of the few who has researched the security issue. "But it
will not. The hackers will continue to find the loopholes and exploit
the opportunities."


OBC also interviewed hackers who have designed Java applets to turn
cancerous at a future date. Said one hacker: "Even legitimate Java applets
can be targeted on the Web and attacked. I have written a Java virus that
changes one line of code in a Java applet to render it useless." [A sample
of this type of hostile code is included in the complete Java report in the
May issue of OBC]


A computer security expert, Mark Ladue, has set up a "Hostile Applets"
site on the Internet. The site is a free service to alert business to the
potential dangers. "I've read that article by Dean, Felten, and Wallach, and
I agreed with what they had to say as far as they went, but I would paint
the picture a little more darkly. It's to the business community that they
(Java applets) pose the most serious threat."


Back in March the Princeton group released the following Java report to
Sun Microsystems, Netscape and Cern: "We have discovered a serious
security problem with Netscape Navigator's 2.0 Java implementation.
[The problem is also present in the 1.0 release of the Java Development Kit
from Sun] An applet is normally allowed to connect only to the host from
which it was loaded. However, this restriction is not properly enforced. A
malicious applet can open a connection to an arbitrary host on the Internet.
At this point, bugs in any TCP/IP-based network service can be exploited.
We have implemented (as a proof of concept) an exploitation of an old
sendmail bug [to reproduce the problem].


Sun issued a patch that plugs the possibility of "spoofing."  Netscape
modified its software (in version 2.00).  However, Netscape's Navigator is
readily available in stores and countless millions of World Wide Web users
have no idea they are at serious risk. To date OBC has been unable to obtain
official response from Sun or Netscape. The following security claim is
extracted from their original white paper on Java:


"Java is intended to be used in networked/distributed environments. Toward
that end, a lot of emphasis has been placed on security. Java enables the
construction of virus-free, tamper-free systems. The authentication=
 techniques
are based on public-key encryption."


However, the Princeton group states otherwise, "If the user viewing the
(Java) applet is behind a firewall, this attack can be used against any=
 other
machine behind the same firewall. The firewall will fail to defend against
(Java) attacks on internal networks, because the attack originates behind=
 the
firewall.


"The immediate fix for this problem is to disable Java from Netscape's
'Security Preferences' dialog. An HTTP proxy server could also disable
Java applets by refusing to fetch Java '.class' files. We've sent a more
detailed
description of this bug to CERT, Sun, and Netscape."


In light of this information, OBC feels it is prudent to avoid using the
Netscape Navigator browsers and logging on to insecure Java sites on the
Internet until complete safety can be confirmed.


The complete Java report in the May issue of OBC also exposes the
mounting dangers of email being attacked by "Trojan horse" Java applets.




# # #


The report above may be reprinted with credit provided as follows:


Home Page Press, Inc.,  http://www.hpp.com  and Online Business Consultant=
=99
Please refer to the HPP Web site for additional information about Java and=
 OBC.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
............Home Page Press, Inc.   http://www.hpp.com   home of Go.Fetch=99
........Free TEXT version - Online Business Today email: obt.text () hpp com
....Free PDF version - Online Business Today email: obt.pdf () hpp com
OBC / Online Business Consultant, $595/year email: obc () hpp com
Previous By Date Next
Previous By Thread Next

Current thread: