Reported netscape/java virus (fwd)

Roy Tennant rtennant at library.berkeley.edu
Wed May 22 13:16:09 EDT 1996


Forwarded with permission.
Roy

---------- Forwarded message ----------
Date: Wed, 22 May 1996 09:20:44 -0700
From: Kalina Wilson <kalinaw at violet.berkeley.edu>
To: micronet at garnet.Berkeley.EDU, ucb-www at server.Berkeley.EDU
Subject: Re: Reported netscape/java virus

In case anyone is interested in *still more* information about
netscape/java security... this letter from netscape is informative, if long.
---

FYI, version 2.01 rectified some potential problems with Java.  For
information on the difference between Netscape Navigator v2.0 and v2.01,
please see <http://home.netscape.com/newsref/std/java_security.html.>

To download the patch for Netscape Navigator v2.01, please see
<http://home.netscape.com/comprod/mirror/java-patch-download.html>

Please note that providing you have a legal copy of Netscape Navigator
2.0, there no additional cost for the patch to Netscape Navigator v2.01.

---
To begin with, there is no "Java virus" or malicious Java applet called
"Black Widow".  This phrase appears to be taken from a report titled
"Deadly Black Widow on the Web: Her Name is JAVA" recently published by
an organization called Online Business Consultant (OBC).

The OBC report is in turn based on a report released in late March by
researchers based at Princeton University; the report identified a
potential security issue in the Java implementation (_not_ the language)
developed by Sun and used by Netscape in Netscape Navigator.  The
problem was communicated to Sun and Netscape, and was also reported in
CERT Advisory CA-96.07, "Weaknesses in Java Bytecode Verifier", dated 29
March; the problem was corrected in the 2.02 version of Netscape
Navigator released last week.

At the time the Princeton people said that they had no evidence that
this particular problem was being actively exploited by anyone for
malicious purposes.  Based on my researches, this is still the case
today.

The OBC report also speaks in general terms of hackers producing
malicious or hostile Java applets.  It is in fact possible to produce
Java applets that carry out "denial of service" attacks to annoy the
user, and we're aware of some of these being written as experiments.
"Denial of service" attacks are of course also possible in the absence
of Java as well; "mailbombing" someone by emailing them large documents
is a common example.

My conclusions:

First, there doesn't currently appear to be any significant activity in
terms of people attacking systems using Java (as there is, for example,
for people attacking systems, including DoD systems, using various known
Unix and Windows security flaws).

Second, Netscape Navigator 2.02 addresses the known Java security
problems reported in late March by the Princeton researchers and the
relevant CERT Advisory CA-96.07.  There have been no other Java- or
Netscape-related CERT advisories since then.  (Netscape Navigator 2.01
addressed a previous problem reported in CA-96.05.)

Finally, both the Java language and implementation are receiving very
high levels of scrutiny by Sun, Netscape, and security researchers in
general.  It is certainly possible that additional problems may be
found; however based on past experience I believe that any such problems
will be quickly addressed by the relevant parties.

I also believe that in general the potential security problems
associated with Java are no worse, and are arguably far less, than those
posed by current operating systems, languages, and applications already
in wide deployment.  To take but one example from many, my opinion is
that so-called "macro viruses" associated with word processor or
spreadsheet documents sent as email attachments are more likely to
affect the average user than any sort of Java security problem.

In general there are going to be security issues associated with any
technology that involves access to distributed data and applications.
Java as a technology is by design much more secure than many alternative
systems, even in its current state.  Features currently being added to
Java by Sun, Netscape, and others will improve this security even
further; in particular, the future ability for developers to digitally
sign their applets will allow users (or IS departments on behalf of
users) to assign levels of trust to those applets based on their
assessment of the applet developer.

So while I think some level of caution is called for in assessing the
wide use of Java going forward, at the same time I believe that the
potential problems are not of such a serious nature that anyone needs to
adopt a blanket "no Java" policy.  (I should add that the same is true
of JavaScript; as a side note, the Princeton problem has nothing to do
with JavaScript.)

Frank

P.S. In writing this message I have consulted a number of relevant
sources: the Princeton researchers' Web pages, the CERT Web site, the
comp.lang.java newsgroup, the Cypherpunks mailing list, and relevant
Netscape internal mailing lists and newsgroups.  If you need any further
details and background information on what I've written above, please
drop me a line.  One good place to start is the release notes for
Netscape Navigator 2.02:

  http://home.netscape.com/eng/mozilla/2.02/relnotes/windows-2.02.html

--
Frank Hecker






More information about the Web4lib mailing list