1996-03-27 - WSJ on Big Java Flaw

Header Data

From: John Young <jya@pipeline.com>
To: cypherpunks@toad.com
Message Hash: 214bf0c0207655a3289255b802c6e16dfa91fa9d1fdb2fbe0fb48308259a8415
Message ID: <199603261558.KAA25648@pipe1.nyc.pipeline.com>
Reply To: N/A
UTC Datetime: 1996-03-27 16:42:14 UTC
Raw Date: Thu, 28 Mar 1996 00:42:14 +0800

Raw message

From: John Young <jya@pipeline.com>
Date: Thu, 28 Mar 1996 00:42:14 +0800
To: cypherpunks@toad.com
Subject: WSJ on Big Java Flaw
Message-ID: <199603261558.KAA25648@pipe1.nyc.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain

   Wall Street Journal, March 26, 1996, p. B4.

   Researchers Find Big Security Flaw In Java Language

   By Don Clark

   A team of Princeton University researchers said they
   discovered the most serious security flaw yet in the widely
   used Java programming language from Sun Microsystems Inc.

   The flaw could make it possible for unscrupulous hackers to
   destroy files or cause other types of damage on any
   personal computer that uses Netscape Communications Corp.'s
   Navigator program, said Edward Felten, a Princeton
   assistant professor of computer science who helped discover
   the flaw.

   Netscape Navigator, which uses Java, is the most popular
   software for browsing the Internet's World Wide Web. Java
   enables the creation of tiny programs, called applets, that
   are transferred from a Web site on the Internet to a PC
   running Netscape Navigator.

   Mr. Felten said that unscrupulous people who discovered the
   flaw could boobytrap a Web page on the Internet,
   essentially seizing control of the browser software of any
   PC that tapped into that page. At that point, the hackers
   could read or delete an entire hard disk of data files.
   "The consequences of this flaw are as bad as they can be,"
   he said.

   Sun, a computer maker based in Mountain View, Calif.,
   acknowledged the problem. "This one is a serious bug," said
   Marianne Mueller, a senior Sun engineer specializing in
   security issues.

   The company, alerted by Princeton on Friday, is already
   testing a software fix it has developed for the program and
   hopes to distribute it to Netscape and other users in about
   two days. Those companies are then expected to distribute
   updated versions of their Web browsers or other products to

   "We plan to fix it and get it out to our customers as fast
   as we can," said Jeff Treuhaft, a Netscape product manager.

   Java was originally touted by Sun as a secure language. But
   at least two other flaws have already been discovered in
   the technology, including a less-serious problem uncovered
   by the Princeton team last month. Sun's Ms. Mueller said
   the problems have been correctable details in the way the
   Java code is written, not problems with its basic design.