[Response below.]

PC Magazine -- January 20, 1998
Filter Out Misbehavin' Java
Robert P. Lipschutz
Internet Security

Barricading your network against naughty Java applets is a growing necessity. Though Java applets are lauded for efficient code and multiplatform capabilities, some have become network outlaws, making your hard disk data vulnerable to hackers. To deflect these miscreants, many firewalls let you block all Java, but many don't. Fortress Technologies' He@tSeeker Pro and Finjan's SurfinGate 2.0, which you can use as firewall add-ons, provide more ammunition. Though both keep nasty Java applets out of your network, their approaches are quite different.

He@tSeeker Pro is a client/server solution that blocks all Java applets and ActiveX. But users can disable this feature by simply uninstalling the client portion. SurfinGate blocks only Java applets, but the level of control far surpasses He@tSeeker Pro's. It lets you choose which applets to allow and which to block. And it functions as a proxy server, so users can't get around it if you've properly configured your firewall.

From: qu'evin
Date: Wed, 18 Mar 1998 20:21:14 -0500
Subject: hostile java applets

i was shocked to read that you posted such an article. java is but one language interpreted by popular browsers that could be used for an attack. however, it is probably one of the safest languages for browsers. it does not allow for any hd i/o, network i/o (other than to the host it originated from), etc etc... the only attack would be a DoS (by doing some crazy math computation, opening new windows, etc). this type of attack could be accomplished by any language though, even javascript or vbscript for IE, and of course activeX, and any other language which allows for browser control. in addition, plain html could be used; a prime example is to link the frame src to itself, thus creating infinite frames... and in fact, there exist many more security holes in activeX that do allow for HD access (i believe you are subscribed to bugtraq so you've no doubt heard of a few)...

the reason i am writing to you is in the hope of educating you about java, and that of all the languages, it is probably the safest to use. by your distributing such information to the list (ISN), many users will have the misinterpretation that java is an insecure, buggy, risky language to allow to be run. as you can probably guess, i am a fan of java, but my respect for it is well founded.

all the best,
qu'evin