New Java security flaw in Netscape 2.01



Forwarded FYI from RISKS Digest 17.93:

| Java/Netscape security flaw
| 
| Ed Felten <felten@CS.Princeton.EDU> 
| Fri, 22 Mar 1996 17:27:56 -0500 
| 
| We have discovered another serious security flaw in the Java
| programming language, which allows a malicious Java applet running
| under Netscape Navigator (version 2.0 or 2.01) to execute arbitrary
| machine code. We have implemented an applet that exploits the flaw to
| remove a file.  Until a fix is issued, Netscape users can protect
| themselves by disabling Java in the Security Preferences dialog.
| 
| At present we are not releasing technical details about the flaw. We
| will announce the full details later; some of the details will also
| appear in our upcoming paper in the proceedings of the IEEE Symposium
| on Security and Privacy, to be published in May. Our paper also
| contains an overall analysis of Java's security. For an advance copy of
| the paper, send mail to felten@cs.princeton.edu. The paper will be
| available in about a week.
| 
| [Note that the "security enhancements" announced by Netscape in version
| 2.01 of Netscape Navigator do not fix this flaw. They fix two separate
| flaws found last month, one found by us (RISKS-17.77) and independently
| by Steve Gibbons, and the other found by David Hopwood (RISKS-17.83).]
| 
| For more information, see http://www.cs.princeton.edu/~ddean/java, or
| contact Ed Felten at (609) 258-5906 or felten@cs.princeton.edu.
| 
| Drew Dean, Ed Felten, Dan Wallach, Dept of Computer Science, Princeton
| Univ.

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle