1996-03-25 - RISKS: Princeton discovers another Netscape security flaw

Header Data

From: stevenw@best.com (Steven Weller)
To: cypherpunks@toad.com
Message Hash: fc5cd431514ee3445ab0657e05207bb189c59d98db8b26063d4d9d3fb17d0ee5
Message ID: <v01540b01ad7bc72800a7@[206.86.1.35]>
Reply To: N/A
UTC Datetime: 1996-03-25 04:06:40 UTC
Raw Date: Mon, 25 Mar 1996 12:06:40 +0800

Raw message

From: stevenw@best.com (Steven Weller)
Date: Mon, 25 Mar 1996 12:06:40 +0800
To: cypherpunks@toad.com
Subject: RISKS: Princeton discovers another Netscape security flaw
Message-ID: <v01540b01ad7bc72800a7@[206.86.1.35]>
MIME-Version: 1.0
Content-Type: text/plain



Posted on RISKS:

----------------------------------------------------------------------

Date: Fri, 22 Mar 1996 17:27:56 -0500
From: Ed Felten <felten@CS.Princeton.EDU>
Subject: Java/Netscape security flaw

We have discovered another serious security flaw in the Java programming
language, which allows a malicious Java applet running under Netscape
Navigator (version 2.0 or 2.01) to execute arbitrary machine code.  We have
implemented an applet that exploits the flaw to remove a file.  Until a fix
is issued, Netscape users can protect themselves by disabling Java in the
Security Preferences dialog.

At present we are not releasing technical details about the flaw.  We will
announce the full details later; some of the details will also appear in our
upcoming paper in the proceedings of the IEEE Symposium on Security and
Privacy, to be published in May.  Our paper also contains an overall
analysis of Java's security.  For an advance copy of the paper, send mail to
felten@cs.princeton.edu.  The paper will be available in about a week.

[Note that the "security enhancements" announced by Netscape in version 2.01
of Netscape Navigator do not fix this flaw.  They fix two separate flaws found
last month, one found by us (RISKS-17.77) and independently by Steve Gibbons,
and the other found by David Hopwood (RISKS-17.83).]

For more information, see http://www.cs.princeton.edu/~ddean/java, or contact
Ed Felten at (609) 258-5906 or felten@cs.princeton.edu.

Drew Dean, Ed Felten, Dan Wallach, Dept of Computer Science, Princeton Univ.

   [See the CIAC item at the end of this issue for some background
   on the earlier problems.  PGN]

------------------------------

-------------------------------------------------------------------------
Steven Weller                      |  Weller's three steps to Greatness:
                                   |     1. See what others cannot
                                   |     2. Think what others cannot
stevenw@best.com                   |     3. Express what others cannot






