
Warning: "Don't trust Java online" - Deadly Black Widow

***NOTE*** When I read this I noticed no mention of Microsoft's
Internet Explorer and I *think* it is Java enabled.

Date: Sun, 5 May 1996 17:29:16 -0400 (EDT)
From: Home Page Press, Inc. <st...@hpp.com>
To: j...@hpp.com
Subject: Warning: Deadly Black Widow on the Web

Deadly Black Widow on the Web:
Her Name is JAVA

"Don't trust Java online." That's the message from computer
and Internet security watchdogs, in response to reports that
"hostile" Java applets are stalking the WWW. These malicious
applets can destroy data, interfere with mission-critical intranets,
and gain access to sensitive data.

"The situation is scary," said Stephen Cobb, Director of Special
Projects for the National Computer Security Association (NCSA).
"Software companies are releasing products on the Internet without
even considering the hacker perspective. Enterprise IT managers
have to understand there is a real danger allowing users to freely
access the WWW. They have to set up policy now to prevent users
from downloading malicious applets and viruses. Users should only
be allowed to access trusted domains and Web sites."

According to the NCSA, "a malicious 'applet' can be written to
perform any action that the legitimate user can do. The security
enhancements announced by Sun Microsystems and Netscape do not
fix this flaw. CERT (Computer Emergency Response Teams)
recommends disabling Java in Netscape Navigator [only Netscape
browsers are at issue] and not using Sun's 'appletviewer' to browse
untrusted web sites until patches are made available from the
vendors." The warnings apply to Netscape Navigator 2.0 and 2.01,
and Sun's HotJava browser.

And according to a white paper being released by researchers at
Princeton University, "The Java system in its current form cannot
easily be made secure." The scientists, Drew Dean, Edward Felten
and Dan Wallach, will present their white paper at the 1996 IEEE
Symposium on Security, which starts in California Monday, May 6.

According to the scientists, and other sources interviewed by Online
Business Consultant (OBC), innocent surfers on the Web who download
Java applets into Netscape's Navigator and Sun's HotJava browser risk
having "hostile" applets interfere with their computers (consuming RAM
and CPU cycles) or, worse, having an applet connect to a third party on
the Internet to upload sensitive information from the user's computer.

The scientists say that even firewalls, software designed to fence off
LANs and intranets from thugs, are ineffective against the malicious
Java code . . . "because the attack is launched from behind the
firewall."

This information was made public some weeks back. However, the
browsing public, and particularly online business users, are ignorant
of the Java risks. In a survey conducted by OBC the vast majority of
Netscape users had no idea that Java applets presented a grave risk,
and many felt the proponents of Java as an Internet technology,
particularly Sun Microsystems, Inc. and Netscape Communications
Corporation, were not paying enough attention to the issue. "I have
to report this information to my senior executives," said one IT
manager. "They are especially anxious to have clarity on the (Java)
security issue."

"They are hoping the security issues will just go away," said another
responder, one of the few who has researched the security issue. "But
it will not. The hackers will continue to find the loopholes and
exploit the opportunities."

OBC also interviewed hackers who have designed Java applets to turn
cancerous at a future date. Said one hacker: "Even legitimate Java
applets can be targeted on the Web and attacked. I have written a Java
virus that changes one line of code in a Java applet to render it
useless." [A sample of this type of hostile code is included in the
complete Java report in the May issue of OBC]

A computer security expert, Mark Ladue, has set up a "Hostile Applets"
site on the Internet. The site is a free service to alert business to
the potential dangers. "I've read that article by Dean, Felten, and
Wallach, and I agreed with what they had to say as far as they went,
but I would paint the picture a little more darkly. It's to the
business community that they (Java applets) pose the most serious
threat."

Back in March the Princeton group released the following Java report
to Sun Microsystems, Netscape and Cern: "We have discovered a serious
security problem with Netscape Navigator's 2.0 Java implementation.
[The problem is also present in the 1.0 release of the Java
Development Kit from Sun] An applet is normally allowed to connect
only to the host from which it was loaded. However, this restriction
is not properly enforced. A malicious applet can open a connection to
an arbitrary host on the Internet. At this point, bugs in any
TCP/IP-based network service can be exploited. We have implemented
(as a proof of concept) an exploitation of an old sendmail bug [to
reproduce the problem]."

Sun issued a patch that plugs the possibility of "spoofing." Netscape
modified its software (in version 2.00). However, Netscape's Navigator
is readily available in stores and countless millions of World Wide
Web users have no idea they are at serious risk. To date OBC has been
unable to obtain official response from Sun or Netscape. The following
security claim is extracted from their original white paper on Java:

"Java is intended to be used in networked/distributed environments.
Toward that end, a lot of emphasis has been placed on security. Java
enables the construction of virus-free, tamper-free systems. The
authentication techniques are based on public-key encryption."

However, the Princeton group states otherwise, "If the user viewing
the (Java) applet is behind a firewall, this attack can be used
against any other machine behind the same firewall. The firewall will
fail to defend against (Java) attacks on internal networks, because
the attack originates behind the firewall.

"The immediate fix for this problem is to disable Java from Netscape's
'Security Preferences' dialog. An HTTP proxy server could also disable
Java applets by refusing to fetch Java '.class' files. We've sent a
more detailed description of this bug to CERT, Sun, and Netscape."

In light of this information, OBC feels it is prudent to avoid using
the Netscape Navigator browsers and logging on to insecure Java sites
on the Internet until complete safety can be confirmed.

The complete Java report in the May issue of OBC also exposes the
mounting dangers of email being attacked by "Trojan horse" Java
applets.

# # #

The report above may be reprinted with credit provided as follows:

Home Page Press, Inc., http://www.hpp.com and Online Business Consultant

Eric Miles
e...@pobox.com
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
My opinions and comments are my own and ONLY
my own and reflect in no way my employer's.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
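The forwarded report describes two controls: an applet may open connections only to the host it was loaded from, and an HTTP proxy can keep applets out of the browser by refusing to fetch '.class' files. The following is an added example in Python that models both rules; it is not code from the original post, from the Princeton report, or from any 1996 browser or proxy. Pinning the origin to the address the applet was actually fetched from is a design choice of this example, the hosts, addresses and request lines are constructed, and the example does not reproduce the specific enforcement bug the report found, which the post does not detail.

```python
"""Added example, not from the original post: a minimal model of the two
controls the forwarded report describes.

1. AppletNetworkPolicy: an applet may open a connection only to the host
   it was loaded from.  The origin is pinned at load time to both the host
   name and the IP address the applet bytes actually arrived from, so a
   request that matches only the name (or only the address) is refused.
2. proxy_should_refuse: an HTTP proxy can keep applets out of the browser
   entirely by refusing any request whose path names a '.class' file.

All hosts, addresses and request lines below are constructed test data.
"""
import ipaddress
from urllib.parse import unquote, urlsplit


class AppletNetworkPolicy:
    def __init__(self, origin_host, origin_addr):
        # Pin both identifiers of the load source (an assumption of this
        # example; the 1996 implementations are not described in the post).
        self.origin_host = origin_host.lower()
        self.origin_addr = ipaddress.ip_address(origin_addr)

    def can_connect(self, host, addr):
        """True only for the exact host name *and* address the applet came from."""
        try:
            target = ipaddress.ip_address(addr)
        except ValueError:
            return False  # unparsable address: refuse rather than guess
        return host.lower() == self.origin_host and target == self.origin_addr


def proxy_should_refuse(request_line):
    """Decide whether a proxy should refuse a request line such as
    'GET http://host/applets/Demo.class HTTP/1.0'.

    Only the request path is inspected (after percent-decoding and ignoring
    the query string), so this blocks what the path reveals; a class file
    served under another name would pass.  Malformed request lines are
    refused rather than forwarded.
    """
    parts = request_line.split()
    if len(parts) != 3:
        return True
    _method, target, _version = parts
    path = unquote(urlsplit(target).path)
    return path.lower().endswith(".class")


def demo():
    """Walk through the cases the report's scenario implies.  Returns a
    dict of case -> decision so the result can be inspected or tested."""
    # Constructed: the applet was fetched from applets.example.com at
    # 203.0.113.10; the user's browser sits behind a firewall with an
    # internal mail host at 10.0.0.5.
    policy = AppletNetworkPolicy("applets.example.com", "203.0.113.10")
    return {
        "back_to_origin": policy.can_connect("applets.example.com", "203.0.113.10"),
        "internal_host_by_name": policy.can_connect("mail.internal.example", "10.0.0.5"),
        "origin_name_other_addr": policy.can_connect("applets.example.com", "10.0.0.5"),
        "proxy_blocks_class": proxy_should_refuse(
            "GET http://applets.example.com/Demo.class HTTP/1.0"),
        "proxy_blocks_encoded": proxy_should_refuse(
            "GET http://applets.example.com/Demo%2ECLASS?v=1 HTTP/1.0"),
        "proxy_allows_html": proxy_should_refuse(
            "GET http://applets.example.com/index.html HTTP/1.0"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:26s} -> {decision}")
```

The third policy case is the one worth noting: the request names the origin host but a different address, and it is refused because the policy pins the address as well as the name. The proxy check is the coarse control the report suggests, and its comment says what it does not cover.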

 

Re: Warning: "Don't trust Java online" - Deadly Black Widow


On Tue, 07 May 1996 12:26:43 GMT, e...@pobox.com (Eric Miles) wrote:
>***NOTE*** When I read this I noticed no mention of Microsoft's
>Internet Explorer and I *think* it is Java enabled.

>Date: Sun, 5 May 1996 17:29:16 -0400 (EDT)
>From: Home Page Press, Inc. <st...@hpp.com>
>To: j...@hpp.com
>Subject: Warning: Deadly Black Widow on the Web

>Deadly Black Widow on the Web:
>Her Name is JAVA

A couple of things to add (though this is just a bit off-topic):

1. Internet Explorer is NOT Java enabled in version 2.0
   I do not know about the forthcoming version 3.0

2. It is not only Java but also JavaSCRIPT which causes
   major trouble. JavaScript is something Netscape invented,
   probably to have something out against MS Visual Basic
   on the Internet.

3. If you are eager to learn more about security problems
   on the WWW, currently mostly concerned with the various
   versions of Netscape's Navigator, take a look at the
   (moderated) newsgroup "comp.risks".

   Read a couple of articles there and you will immediately
   turn on every warning and off every Java option in
   Netscape Navigator you can find.

Happy browsing <grin>

Stefan
--
Stefan Hoffmeister  (Stefan.Hoffmeis...@Uni-Passau.de)
University of Passau, Bavaria, Germany

Re: Warning: "Don't trust Java online" - Deadly Black Widow


Eric, if you're an innocent participant in the distribution of this... uh...
information, I apologize in advance for the following message. (Obviously, all of my
comments here represent MY opinion, and not that of my company. However, anyone at my
company with any sense should share these opinions so... :->)

> From: Home Page Press, Inc. <st...@hpp.com>
> To: j...@hpp.com

Hmm...

Interesting closing quotes from the page [http://www.hpp.com/1obc.html] referenced in
this article (my comments appear in <>):

 What exactly is the future of JAVA software in 1996, 1997 and beyond?
  <You mean, this report will tell us?>
 What's been reported that's hype and what will be real for the Internet?
  <Wow! These guys are incredible! Will my teeth be whiter too?>
 What will be JAVA's impact on other software companies?
  <Like, MS perhaps?>
 What other types of businesses will be affected by JAVA and how?
 Why is Microsoft® in the best position of all?
  <The golden rule--whoever has the gold makes the rules?>
 Why you should buy Microsoft® stock now...and keep buying all year long.
  <To help buy baby clothes for BG's '96 release?>

<sarcasm mode ON>
Hmm... why no... this doesn't sound suspicious to me! Yes, it seems to badmouth
Netscape (who've discussed these and other Java security issues on their home page)
and Java (Sun's also mentioned these issues), and it does paint a rather nice picture
of MS riding up on the white horse... and yes, MS stands to lose if Java and/or
Netscape have large scale success.

But my oh my. Why should I be suspicious of the unbiased nature of this article?
After all, I'll be too busy counting the profits from my MS Stock!

<sarcasm mode OFF>

;->

BTW, to get the FULL report, you have to be a subscriber to the OBC newsletter.

<sniff><sniff> What's that smell?

--
Tim Gooch

Editor-in-Chief,
 Delphi Developer's Journal
 [ http://www.cobb.com/ddj ]
