W3C home > Mailing lists > Public > www-talk@w3.org > May to June 1996

Article on JAVA security problems // Class-action lawsuit possible?

From: Niels P. Mayer <mayer@netcom.com>
Date: Mon, 06 May 96 21:50:03 -0700
Message-Id: <199605070450.VAA20949@netcom21.netcom.com>
To: www-talk@w3.org

Any lawyers out there know what it would take to get a class-action
lawsuit against Netscape and Sun Microsystems for recklessly
endangering the data and security of clueless Netscape Navigator users?
(yes, there's a tiny bit of legalese presented in v2.01/v3.0 which
covers Netscape/Sun's collective posteriors w/r/t this problem,
however, since it's scrolled off screen and generally hidden under a
steaming mound of verbiage, people that just accept the licence dialog
will never see it....). Seems like Netscape/Sun should explicitly pop
up a dialog box warning of Java problems as soon as Java functionality
is enabled in Netscape, and have Java disabled by default.

I wouldn't have anything against Java if it weren't for the marketing
departments at Sun and Netscape that have been feeding outright lies to
the media and the public. It's just "yet another language" with it's
own set of capabilities and problems. It is no panacea, and achieving
security isn't as easy as they claim it is.

These problems are accentuated by the hubris of Netscape spokesmen such
as Jim Barksdale appearing on CNN to claim that Netscape/Java security
problems are similar to airline crashes, stating that people accept
airline crashes as part of "progess"... (but since there's no Federal
Aviation Administration equivalent overseeing the safety of browsers
this is just yet another bit of shallow marketing hype).

------- Forwarded Message
>
>From: staff @ hpp.com ("Home Page Press Inc.") @ internet @ WORLDCOM
>Date: 05/05/96 05:42:54 PM CDT
>Subject: Warning: Deadly Black Widow on the Web
>
>Deadly Black Widow on the Web:
>Her Name is JAVA
>
>"Don't trust Java online" That's the message from computer
>and Internet security watchdogs, in response to reports that
>"hostile" Java applets are stalking the WWW. These malicious
>applets can destroy data, interfere with mission critical intranets,
>and gain access to sensitive data.
>
>"The situation is scary," said Stephen Cobb, Director of Special
>Projects for the National Computer Security Association (NCSA).
>"Software companies are releasing products on the Internet without
>even considering the hacker perspective. Enterprise IT managers
>have to understand there is a real danger allowing users to freely
>access the WWW. They have to set up policy now to prevent users
>from downloading malicious applets and viruses. Users should only
>be allowed to access trusted domains and Web sites."
>
>According to the NCSA, "a malicious 'applet' can be written to
>perform any action that the legitimate user can do. The security
>enhancements announced by Sun Microsystems and Netscape do not
>fix this flaw CERT (Computer Emergency Response Teams)
>recommends disabling Java in Netscape Navigator [only Netscape
>browsers are at issue] and not use Sun's 'appletviewer' to browse
>untrusted web sites until patches are made available from the
>vendors." The warnings apply to Netscape Navigator 2.0 and 2.01,
>and Sun's HotJava browser.
>
>And according to a white paper being released by researchers at
>Princeton University, "The Java system in its current form cannot
>easily be made secure." The scientists, Drew Dean, Edward Felten
>and Dan Wallach, will present their white paper at the 1996 IEEE
>Symposium on Security, which starts in California Monday, May 6.
>
>According to the scientists, and other sources interviewed by Online
>Business Consultant (OBC), innocent surfers on the Web who download
>Java applets into Netscape's Navigator and Sun's HotJava browser, risk
>having "hostile" applets interfere with their computers (consuming RAM
>and CPU cycles) or, worse, having an applet connect to a third party on
>the Internet to upload sensitive information from the user's computer.
>
>The scientists say that even firewalls, software designed to fence-off
>LANs and Intranets from cyberthugs, are ineffective against the malicious
>Java code . . . "because the attack is launched from behind the firewall."
>
>This information was made public some weeks back. However, the
>browsing public, and particularly online business users, are ignorant
>of the Java risks. In a survey conducted by OBC the vast majority of
>Netscape users had no idea that Java applets presented a grave risk,
>and many felt the proponents of Java as an Internet technology,
>particularly Sun Microsystems, Inc. and Netscape Communications
>Corporation, were not paying enough attention to the issue.  "I have to
>report this information to my senior executives," said one IT manager.
>"They are especially anxious to have clarity on the (Java) security issue."
>
>"They are hoping the security issues will just go away," said another
>responder, one of the few who has researched the security issue. "But it
>will not. The hackers will continue to find the loopholes and exploit
>the opportunities."
>
>OBC also interviewed hackers who have designed Java applets to turn
>cancerous at a future date. Said one hacker: "Even legitimate Java applets
>can be targeted on the Web and attacked. I have written a Java virus that
>changes one line of code in a Java applet to render it useless." [A sample
>of this type of hostile code is included in the complete Java report in the
>May issue of OBC]
>
>A computer security expert, Mark Ladue, has set up a "Hostile Applets"
>site on the Internet. The site is a free service to alert business to the
>potentialdangers. "I've read that article by Dean, Felten, and Wallach,
>and I agreed with what they had to say as far as they went, but I would
>paint the picture a little more darkly. It's to the business community that
>they (Java applets) pose the most serious threat."
>
>Back in March the Princeton group released the following Java report to
>Sun Microsystems, Netscape and Cern: "We have discovered a serious
>security problem with Netscape Navigator's 2.0 Java implementation.
>[The problem is also present in the 1.0 release of the Java Development Kit
>from Sun] An applet is normally allowed to connect only to the host from
>which it was loaded. However, this restriction is not properly enforced. A
>malicious applet can open a connection to an arbitrary host on the Internet..
>At this point, bugs in any TCP/IP-based network service can be exploited.
>We have implemented (as a proof of concept) an exploitation of an old
>sendmail bug [to reproduce the problem].
>
>Sun issued a patch that plugs the possibility of "spoofing."  Netscape
>modified its software (in version 2.00).  However, Netscape's Navigator is
>readily available in stores and countless millions of World Wide Web users
>have no idea they are at serious risk. To date OBC has been unable to obtain
>official response from Sun or Netscape. The following security claim is
>extracted from their original white paper on Java:
>
>"Java is intended to be used in networked/distributed environments. Toward
>that end, a lot of emphasis has been placed on security. Java enables the
>construction of virus-free, tamper-free systems. The authentication techniques
>are based on public-key encryption."
>
>However, the Princeton group states otherwise, "If the user viewing the
>(Java) applet is behind a firewall, this attack can be used against any other
>machine behind the same firewall. The firewall will fail to defend against
>(Java) attacks on internal networks, because the attack originates behind the
>firewall.
>
>"The immediate fix for this problem is to disable Java from Netscape's
>'Security Preferences' dialog. An HTTP proxy server could also disable
>Java applets by refusing to fetch Java '.class' files. We've sent a more
>detailed description of this bug to CERT, Sun, and Netscape."
>
>In light of this information, OBC feels it is prudent to avoid using the
>Netscape Navigator browsers and logging on to insecure Java sites on the
>Internet until complete safety can be confirmed.
>
>The complete Java report in the May issue of OBC also exposes the
>mounting dangers of email being attacked by "Trojan horse" Java applets.
>
>
># # #
>
>The report above may be reprinted with credit provided as follows:
>
>Home Page Press, Inc.,  http://www.hpp.com  and Online Business Consultant
>Please refer to the HPP Web site for additional information about Java and OBC.

------- End of Forwarded Message
Received on Tuesday, 7 May 1996 00:50:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:19 GMT