From: fc@all.net (Dr. Frederick B. Cohen)
To: cypherpunks@toad.com
Message Hash: e4ba8edabda19725a4e085a7565ed1714fb6a9cd470b89bd1b9dfb83b75a5b92
Message ID: <9510312359.AA21087@all.net>
Reply To: N/A
UTC Datetime: 1995-11-01 00:31:24 UTC
Raw Date: Wed, 1 Nov 1995 08:31:24 +0800
From: fc@all.net (Dr. Frederick B. Cohen)
Date: Wed, 1 Nov 1995 08:31:24 +0800
To: cypherpunks@toad.com
Subject: Please send cash
Message-ID: <9510312359.AA21087@all.net>
MIME-Version: 1.0
Content-Type: text
I just picked this up from the Risks forum:
> Date: Mon, 30 Oct 1995 16:14:59 -0500
> From: Drew Dean <ddean@CS.Princeton.EDU>
> Subject: HotJava 1.0 alpha 3 security issues
>
> We have found several security problems in the 1.0 alpha 3 release of
> HotJava from Sun Microsystems. The two most important problems are that
> HotJava does not enforce the stated limits on where an applet can connect to
> (an applet can talk to any place with which you have IP-level connectivity),
> and HotJava is vulnerable to a man-in-the-middle attack, where someone can
> watch your web-surfing, both seeing your requests, and the content that you
> receive.
Two of the Java attacks I outlined in this forum and got abuse for.
> While HotJava prevents applets from actively opening connections that
> violate the user-selected security policy, it allows an applet to accept
> connections from anywhere. At this point, an applet only has to use any one
> of a number of channels to communicate where it is, and have the remote end
> do the active open.
>
> HotJava also allows an applet to set the proxy servers that the browser
> uses. This opens up a huge hole for anyone concerned about the privacy of
> their web surfing.
Attacks 31-49 work here.
> Please note that these bugs are specific to the 1.0 alpha 3 release, and are
> _not_ bugs in the Java language itself, nor do they apply to Netscape 2.0
> beta 1J, which doesn't permit network connections. We have notified Sun of
> these problems, and are presently writing a paper on these and other issues.
> We will make more information available on our Web page after we hear back
> from Sun.
Drat - Sun doesn't offer awards.
>
> http://www.cs.princeton.edu/~ddean/java/
>
> Drew Dean Dan Wallach
> ddean@cs.princeton.edu dwallach@cs.princeton.edu
Inquiring minds want to know.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Return to November 1995
Return to “hallam@w3.org”