JAVA BLACK WIDOWS - SUN DECLARES WAR]

Bob Craigmile librlc at emory.edu
Wed May 15 09:16:05 EDT 1996


Thought I'd forward this along to the list.  Looks like secure Java is still
a ways off.

>JAVA BLACK WIDOWS - SUN DECLARES WAR
>
>Sun Microsystems' has declared war on Black Widow Java
>applets on the Web. This is the message from Sun in response
>to an extensive Online Business Consultant (OBC/May 96)
>investigation into Java security.
>
>OBC's investigation and report was prompted after renowned
>academics, scientists and hackers announced Java applets
>downloaded from the WWW presented grave security risks for
>users. Java Black Widow applets are hostile, malicious traps set
>by cyberthugs out to snare surfing prey, using Java as their technology.
>OBC received a deluge of letters asking for facts after OBC
>announced a group of scientists from Princeton University, Drew
>Dean, Edward Felten and Dan Wallach, published a paper declaring
>"The Java system in its current form cannot easily be made secure."
>The paper can be retrieved at
>http://www.cs.princeton.edu/sip/pub/secure96.html.
>
>Further probing by OBC found that innocent surfers on the Web who
>download Java applets into Netscape's Navigator and Sun's
>HotJava browser, risk having "hostile" applets interfere with their
>computers (consuming RAM and CPU cycles). It was also discovered
>applets could connect to a third party on the Internet and, without the
>PC owner's knowledge, upload sensitive information from the user's
>computer. Even the most sophisticated firewalls can be penetrated . . .
>"because the attack is launched from behind the firewall," said the
>Princeton scientists.
>
>One reader said, "I had no idea that it was possible to stumble on
>Web sites that could launch an attack on a browser."  Another said,
>"If this is allowed to get out of hand it will drive people away from the
>Web. Sun must allay fears."
>
>The response to the Home Page Press hostile applet survey led to the
>analogy of Black Widow; that the Web was a dangerous place where
>"black widows" lurked to snare innocent surfers. As a result the
>Princeton group and OBC recommended users should "switch off"
>Java support in their Netscape Navigator browsers. OBC felt that Sun
>and Netscape had still to come clean on the security issues. But
>according to Netscape's Product Manager, Platform, Steve Thomas,
>"Netscape wishes to make it clear that all known security problems with
>the Navigator Java and JavaScript environment are fixed in Navigator
>version 2.02."
>
>However, to date, Netscape has not answered OBC's direct questions
>regarding a patch for its earlier versions of Navigator that supported
>Java . . . the equivalent of a product recall in the 3D world. Netscape
>admits that flaws in its browsers from version 2.00 upwards were
>related to the Java security problems, but these browsers are still in us=
>e
>and can be bought from stores such as CompUSA and Cosco. A floor
>manager at CompUSA, who asked not to be named, said "its news to
>him that we are selling defective software. The Navigator walks off our
>floor at $34 a pop."
>
>OBC advised Netscape the defective software was still selling at
>software outlets around the world and asked Netscape what action was
>going to be taken in this regard. Netscape has come under fire recently
>for its policy of not releasing patches to software defects; but rather
>forcing users to download new versions. Users report this task to be a
>huge waste of time and resources because each download consists of
>several Mbytes. As such defective Navigators don't get patched.
>
>OBC also interviewed Sun's JavaSoft security guru, Ms. Marianne Mueller,
>who said "we are taking security very seriously and working on it very
>hard." Mueller said the tenet that Java had to be re-written from scratch=
> or
>scrapped "is an oversimplification of the challenge of running executable
>content safely on the web. Security is hard and subtle, and trying to bui=
>ld
>a secure "sandbox" [paradigm] for running untrusted downloaded applets
>on the web is hard."
>
>Ms. Mueller says Sun, together with their JavaSoft (Sun's Java division)
>partners, have proposed a "sandbox model" for security in which "we
>define a set of policies that restrict what applets can and cannot do---t=
>hese
>are the boundaries of the sandbox. We implement boundary checks---when
>an applet tries to cross the boundary, we check whether or not it's allow=
>ed
>to. If it's allowed to, then the applet is allowed on its way. If not, th=
>e
>system throws a security exception.
>
>"The 'deciding whether or not to allow the boundary to be crossed' is the
>research area that I believe the Princeton people are working on," said
>Mueller. "One way to allow applets additional flexibility is if the apple=
>t
>is signed (for example, has a digital signature so that the identity of t=
>he
>applet's distributor can be verified via a Certificate Authority) then al=
>low
>the applet more flexibility.
>
> "There are two approaches: One approach is to let the signed applet
>do anything. A second approach is to do something more complex and
>more subtle, and only allow the applet particular specified capabilities.
>Expressing and granting capabilities can be done in a variety of ways.
>
>"Denial of service is traditionally considered one of the hardest securit=
>y
>problems, from a practical point of view. As [Java's creator] James
>Gosling says, it's hard to tell the difference between an MPEG
>decompressor and a hostile applet that consumes too many resources!
>But recognizing the difficulty of the problem is not the same as 'passing
>the buck.' We are working on ways to better monitor and control the
>use (or abuse) of resources by Java classes. We could try to enforce
>some resource limits, for example. These are things we are investigating.
>
>"In addition, we could put mechanisms in place so that user interface
>people (like people who do Web browsers) could add 'applet monitors'
>so that browser users could at least see what is running in their browser=
>,
>and kill off stray applets. This kind of user interface friendliness (let=
>ting
>a user kill of an applet) is only useful if the applet hasn't already gra=
>bbed
>all the resources, of course."
>
>The experts don't believe that the problem of black widows and hostile
>applets is going to go away in a hurry. In fact it may get worse. The
>hackers believe that when Microsoft releases Internet Explorer 3.00 with
>support for Java, Visual Basic scripting and the added power of its
>ActiveX technology, the security problem will become worse.=20
>
>"There is opportunity for abuse, and it will become an enormous
>problem," said Stephen Cobb, Director of Special Projects for the
>National Computer Security Association (NCSA). "For example, OLE
>technology from Microsoft [ActiveX] has even deeper access to a
>computer than Java does."
>
>JavaSoft's security guru Mueller agreed on the abuse issue: "It's going
>to be a process of education for people to understand the difference
>between a rude applet, and a serious security bug, and a theoretical
>security bug, and an inconsequential security-related bug. In the case of
>hostile applets, people will learn about nasty/rude applet pages, and
>those pages won't be visited. I understand that new users of the Web
>often feel they don't know where they're going when they point and click,
>but people do get a good feel for how it works, pretty quickly, and I
>actually think most users of the Web can deal with the knowledge that
>not every page on the web is necessarily one they'd want to visit.
>Security on the web in some sense isn't all that different from security
>in ordinary life. At some level, common sense does come into play.
>
>"Many people feel that Java is a good tool for building more secure
>applications. I like to say that Java raises the bar for security on the
>Internet. We're trying to do something that is not necessarily easy, but
>that doesn't mean it isn't worth trying to do. In fact it may be worth
>trying to do because it isn't easy.  People are interested in seeing the
>software industry evolve towards more robust software---that's the
>feedback I get from folks on the Net."
>
># # #
>
>The report above may be reprinted with credit provided as follows:
>
>Home Page Press, Inc.,  http://www.hpp.com  and Online Business Consultan=
>t=99
>Please refer to the HPP Web site for additional information about Java an=
>d OBC.
>............Home Page Press, Inc.   http://www.hpp.com   home of Go.Fetch=
>=99
>........Free TEXT version - Online Business Today email: obt.text at hpp.com
>....Free PDF version - Online Business Today email: obt.pdf at hpp.com
>OBC / Online Business Consultant, $595/year email: obc at hpp.com
>
>
>ÿÿ    [staff at hpp.com: JAVA BLACK WIDOWS - SUN DECLARES WAR]
>
>
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Bob Craigmile, Reference Librarian
Pitts Theology Library, Emory University
librlc at emory.edu | http://www.pitts.emory.edu/bob/bob.html
404.727.1221 (w)  404.378.6388  (h)



More information about the Web4lib mailing list