1995-10-18 - 50 attacks on Netscape - please send the check

Header Data

From: m5@dev.tivoli.com (Mike McNally)
To: fc@all.net (Dr. Frederick B. Cohen)
Message Hash: c3accae6029e11e59881ddb34d21ac4ef4e3b36e7641bf17007aa91f0f027eba
Message ID: <9510182246.AA02614@alpha>
Reply To: <9510182213.AA05709@all.net>
UTC Datetime: 1995-10-18 22:46:57 UTC
Raw Date: Wed, 18 Oct 95 15:46:57 PDT

Raw message

From: m5@dev.tivoli.com (Mike McNally)
Date: Wed, 18 Oct 95 15:46:57 PDT
To: fc@all.net (Dr. Frederick B. Cohen)
Subject: 50 attacks on Netscape - please send the check
In-Reply-To: <9510182213.AA05709@all.net>
Message-ID: <9510182246.AA02614@alpha>
MIME-Version: 1.0
Content-Type: text/plain



Frederick B. Cohen writes:
 > 50 Attacks: a.k.a. Why Not to Run Hot Java in your netscape (or other) browser:

Terminology:  "Java" is a programming language, "Hot Java" is the name
of a web browser that supports running Java applets, "Netscape" is the
name of another browser (and the company that makes it) that also in
some versions supports Java applets.

 > Concept 1 - Hot Java code that, once started, takes and retains control
 > of the viewer. ...

How exactly is an applet going to "take control" if the local class
libraries don't allow (for example) the browser's "native" menus to be
overridden?

Isn't it somewhat important to distinguish between attacks along the
lines of what Perry Metzger has suggested (exploiting interpreter bugs
or devious paths through "safe" features) and attacks based on
relatively wild hypothetical speculation?  I mean, just about all of
the "attacks" in this note could just as well be applied to any
software at all that you might choose to run on your machine.  Indeed,
I'd say that Java applets are probably a lot *safer* than an arbitrary
application in a lot of these cases, because they've got less to work
with (the AWT or whatever class libraries the browser makes available,
which could be quite limited).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5@tivoli.com) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX    |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



