Beware of persistent security holes in some Java releases
- By John McCormick
- Jun 24, 1996
Are you responsible for a network using Navigator 2.0 browser from Netscape
Communications Corp., Mountain View, Calif.? If so, consider disabling its implementation
of Java from Sun Microsystems Inc., Mountain View, Calif.
I've been hearing a lot of talk about security holes that let users innocently download
hostile Java applets from World Wide Web sites. Your firewall could even be bypassed with
a Java connection to on-line hackers who could download your confidential files over the
A security fix for Netscape 2.0 is located at http://home.netscape.com/newsref/std/java--security.html.
and transmit it. Although you can disable Java in Navigator 2.0, it is neccesary to have
Other safety measures: Don't use HotJava to browse through unknown Web sites, and stop
using the Java Developers Kit 1.0 until you get a fix.
Are these theoretical problems that don't affect the real world? Well, the Computer
Emergency Response Team at Carnegie-Mellon University in Pittsburgh doesn't think so. It
recommends disabling all Java applet downloading until you have the latest patches.
An applet should only be able to connect with the host from which it was loaded.
Navigator 2.0's Java implementation, however, does not properly enforce this from the Java
Applet Security Manager. Hackers can use domain name spoofing to connect Java applets to
arbitrary hosts, including those behind firewalls.
Even though some fixes have been distributed, there are many earlier Netscape versions
in use, and even one vulnerable Java installation behind a firewall can present
significant problems to an agency.
Nobody seems to know just how secure Java really is . A most interesting aspect of this
issue is that, although the information apparently was known to CERT , Sun and Netscape
back last February, it was not made public until later.
The current Internet fever has overloaded CERT with work. It would be nice to just rely
on CERT, but that isn't possible. All network security managers are going to have to spend
more time thinking about viruses and other new and exciting forms of vandalism made
possible by perfectly innocent software like Java.
A word about macro virus infections--there is a possibility of a separate mode of
attack, which is in no way related to the Java problems. The infamous Microsoft Word macro
virus can infect your system when you open something that looks like a Word document but
really is a template.
The infected template, disguised as a regular .doc document, immediately executes a
macro that can do many annoying things to your system. If you open these same files with a
viewer that doesn't support a macro language, however, you will not get in trouble.
If you have a problem after importing a document into a different word processor using
a file-conversion utility, the problem is not related to a macro virus.
I bring this up as a reminder that vandals are working on other macro viruses for any
software that supports a macro language, including Word Pro from Lotus Development Corp.
and Microsoft Excel. For technical reasons--including the fact that a template's file
extension differs from that of a document in Word Pro, nothing has proved dangerous--yet.