Java security not so hot?

[23 February 1996] Two security flaws in recently released Java support were circulated on 18 February by Drew Dean, Ed Felten, and Dan Wallach of Princeton University. A flaw in Netscape Navigator 2.0 and the 1.0 release of the Java Development Kit from Sun permits a malicious applet to open a connection to arbitrary Internet hosts; potentially permitting exploitation of bugs in any TCP/IP-based network service (e.g. sendmail). If the applet is executed on a machine behind a firewall, machines on the same side of firewall may be attacked in this way. The second flaw occurs in the bytecode dissassembler, javap. A long method name can overflow a stack allocated buffer, potentially permitting arbitrary native code to be executed. Both flaws can be avoided by disabling Java until patches are made available. Dean and Felten will present a paper on security flaws in versions of Java and the HotJava browser at this year's Oakland Conference. Details of a third serious flaw, reported by the same group on March 23, are being withheld pending development and distribution of appropriate patches. More information on these flaws is available at