1995-11-06 - PRINCETON STUDENTS FIND HOLE IN INTERNET SECURITY SOFTWARE

Header Data

From: sameer <sameer@c2.org>
To: cypherpunks@toad.com
Message Hash: 46a18af21a814c9d7d85d8dbb926cb9b64ddf37c219780b476f8c3e0705917c7
Message ID: <199511061552.HAA06343@infinity.c2.org>
Reply To: N/A
UTC Datetime: 1995-11-06 17:00:50 UTC
Raw Date: Tue, 7 Nov 1995 01:00:50 +0800

Raw message

From: sameer <sameer@c2.org>
Date: Tue, 7 Nov 1995 01:00:50 +0800
To: cypherpunks@toad.com
Subject: PRINCETON STUDENTS FIND HOLE IN INTERNET SECURITY SOFTWARE
Message-ID: <199511061552.HAA06343@infinity.c2.org>
MIME-Version: 1.0
Content-Type: text/plain


For Immediate Release
Date: Nov 6th, 1995
Contact: Sameer Parekh 510-601-9777 sameer@c2.org

PRINCETON STUDENTS FIND HOLE IN INTERNET SECURITY SOFTWARE

Two Princeton University grad students, Dan Wallach and Drew Dean,
recently discovered holes in Sun Microsystem's HotJava web browser. In
response to this finding, Community ConneXion, well known for offering
rewards for exposing holes in internet security products, has decided
to award them with a t-shirt and expand the Community ConneXion Hack
line of promotions to include Java and Java-related products.

Sun's Java product is alleged to allow people browsing the
World-Wide-Web to execute programs on their own computers without
worrying about whether or not the programs were viruses or not. The
holes Wallach and Dean found show that there are a few things in the
HotJava alpha implementation of the Java language which make viruses
and other malicious programs possible within the alpha HotJava
web browser.

"We were very impressed with the HotJava concept, so we thought it
would be good to poke around their implementation," said Wallach.
"While we did find some interesting holes, we believe these can be
addressed and Java could make a good standard for remote code on the
Web, if an effective security policy is defined."

Wallach and Dean released their findings initially in the RISKS
Digest, and plan to publish a paper detailing their results. The holes
they found make it possible for a malicious applet to set things up so
as to be able to monitor or modify all of a given web-surfer's
activity, after they ran the malicious applet exploiting the holes. By
doing so the applet may make it possible to violate user's privacy by
revealing to an third party their web traffic.

The holes they found exist only in the alpha release of HotJava. The
beta release, which is the version found in the widely-used Netscape
Navigator 2.0b1J is not vulnerable to these attacks.

"I don't want to be in the t-shirt business," said Sameer Parekh,
President of Community ConneXion, "but we felt that these students'
work deserved a t-shirt. Java has great potential for making the
Internet much more powerful than it already is. It is very important
that we examine Java and make sure that we can trust it." Community
ConneXion, in addition to this Hack Java t-shirt promotion, is
offering t-shirts to people who find holes in Netscape, Microsoft, and
DigiCash.

Information about the Hack Java promotion is available from
http://www.c2.org/hackjava/.

Community ConneXion is the premier internet privacy ISP. They offer
anonymous accounts, remailers, and psuedonym servers, in addition to
the standard ISP fare of webspace and dialup IP access. Information is
available from http://www.c2.org/ or from sending email to
info@c2.org.

Java and HotJava are trademarks of Sun Microsystems, Inc. Netscape and
Netscape Navigator are trademarks of Netscape Communications
Corporation. The Hack Java promotion is not affiliated with nor
sponsored by Sun Microsystems.





Thread