1996-08-07 - **Developer Recants Hostile Java Applet Story 08/06/96

Header Data

From: reagle@rpcp.mit.edu (Joseph M. Reagle Jr.)
To: cypherpunks@toad.com
Message Hash: e9b086230c7d84bcf4fb52669da75e06a61b27170b7b61dcbedef3f796532d4f
Message ID: <9608071339.AA16478@rpcp.mit.edu>
Reply To: N/A
UTC Datetime: 1996-08-07 18:10:42 UTC
Raw Date: Thu, 8 Aug 1996 02:10:42 +0800

Raw message

From: reagle@rpcp.mit.edu (Joseph M. Reagle Jr.)
Date: Thu, 8 Aug 1996 02:10:42 +0800
To: cypherpunks@toad.com
Subject: ****Developer Recants Hostile Java Applet Story 08/06/96
Message-ID: <9608071339.AA16478@rpcp.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain



  	  				 
SAN FRANCISCO, CALIFORNIA, U.S.A., 1996 AUG 6 (NB) --  
By Patrick McKenna. Finjan Software of Israel, which earlier said its 
Java security software detected what the company called a publicly 
available hostile Java applet at a game site on the World Wide Web, 
has issued a statement changing its earlier claims. 

In the first story on the Java applet labeled "hostile" by Finjan,  
Newsbytes reported early Tuesday that the Java applet in question is 
part of a game available on the Web and connected to America Online. 
Shmulik Suhami, spokesperson for Finjan, told Newsbytes at the time, 
"We were contacted by one of our users who detected a hostile Java 
applet and we have confirmed the user's experience." 

Newsbytes reported Sun Microsystems' JavaSoft division's reply as saying,  
"This issue is totally and completely bogus. Security features built 
into Java do not allow an applet to read or write to another computer 
without issuing a warning message and this applet in question is not a 
hostile Java applet. An individual at AT&T, acting independently of the 
company, developed the applet. We suspect a file for the applet was 
placed on a second system and that is probably why Finjan's software 
incorrectly read it as a hostile application. Actually, this is a flaw 
in Finjan's software. There is no bug or hostile application at all." 

In its early story, Newsbytes also quoted a JavaSoft spokesperson  
as saying, "What is going on is that the person's applet called an 
audio file from a second machine and Java's security features are so 
strong and restrictive that an exception is raised whenever a second 
machine is called. Finjan's software appears to have read the call to 
the second machine as a hostile bug." 

In recanting its initial claims, Finjan released the following  
statement: "We want to issue a clarification on the media alert we sent 
out yesterday describing a potentially suspicious Java applet. We were 
perhaps mistaken to describe the applet discovered as a 'hostile 
applet,' since we did not know if it did anything damaging to a 
person's system. The activity of the applet described was harmless. We 
misunderstood the extent of the security exception based on information 
we received. Though in principle the way the app was created could 
constitute a risk, in practice this was a relatively harmless breach 
of security, which the Java Security Manager dealt with appropriately." 

(19960805/Press Contact: Mary Jo Wagner, Successful Marketing  
Strategists,  tel 510-644-3837; E-mail Address: maryjo@successful.com; 
or Paul Karr, KVO, 415-961-1550) 
  	   	




