Interesting People mailing list archives
IP: this is getting boring -- lock the edoors
From: Dave Farber <farber () central cis upenn edu>
Date: Sat, 18 May 1996 09:19:22 -0400
Sun said it intends to fix the problem by adding ways of monitoring and limiting how much memory is used by its miniprograms, called applets. The company said it has known about the problem since Java was introduced in January.

Rogue Java roaming Net
No crashes documented yet from hostile programs

Published: May 17, 1996
Mercury News Wire Services

Sun Microsystems Inc.'s popular computer language, Java, could expose Internet users to an unexpected risk -- rogue programs that can take over a computer and cause it to crash.

Java lets computer users download programs from the Internet and immediately start running them on their computers. But researchers at Princeton University said it is possible to write hostile Java programs that use all the computer's processing capacity and cause it to malfunction.

The problem was brought to light by Home Page Press, a Fort Lauderdale, Fla.-based technology consultant that published the findings on the Internet. Sun subsequently posted a warning on the World Wide Web.

Sun said it intends to fix the problem by adding ways of monitoring and limiting how much memory is used by its miniprograms, called applets. The Mountain View company said it has known about the problem since Java was introduced in January.

Edward W. Felten, assistant professor of computer science at Princeton, said such hostile programs would do no permanent damage to data stored on the computer. And there is no record of a computer being attacked by a hostile Java program. But he said computer users should be concerned.

''People should always be aware when they are using the Internet that there is something that could go wrong,'' said Felten.

The Java language has been hailed as a crucial development in computer networking. Unlike programs written in other languages, Java software can be run on many kinds of computers without any changes.

In theory, an IBM personal computer, an Apple Macintosh or a Unix workstation could each run the same Java program, and a Java program stored on a network could be run by any computer connected to that network.

Many sites on the Internet's World Wide Web have built-in Java applets that are fed into any computer visiting the site. If the computer has a Netscape Navigator browser, it will automatically run Java.

Sun added security features to ensure that someone can't write a program that would automatically erase or alter computer files. But, Felten noted, ''They have not implemented any way of controlling the amount of a resource, such as the processor or the memory, that a Java program uses.''

So a rogue Java program could seize control of the computer. In some cases, it might be necessary to turn off the computer to regain control, and that would mean a loss of information stored in the computer's memory.

Marianne Mueller, a Sun engineer, said her firm is working with Felten and other experts to resolve the problem. She wants to design a feature that would let the computer user set a limit on the amount of memory or processing power that can be used by any Java program.

''We need to put in mechanisms that we can give that control to the user,'' Mueller said.

Jeff Treuhaft, director of security products for Netscape Communications Corp., says his company is aware of the problem, and hopes to fix it by installing a system of ''digital signatures.'' Every Java program would identify itself to the Netscape Navigator browser before a computer would run it. Programs from suspect sources would be rejected.

Treuhaft said the risk of rogue Java programs is slight. But he said users could avoid risk by switching off the Java function in their browsers.

Treuhaft warned that traveling the Web would never be entirely risk-free. ''The Net,'' he said, ''is not a Shangri-la.''