Java security not so hot?
[23 February 1996]
Two security flaws in recently released Java support were circulated
on 18 February by Drew Dean, Ed Felten, and Dan Wallach of Princeton University.
A flaw in Netscape Navigator 2.0 and the 1.0 release of the Java Development
Kit from Sun permits a malicious applet to open a connection to arbitrary
Internet hosts; potentially permitting exploitation of bugs in any
TCP/IP-based network service (e.g. sendmail). If the applet is executed
on a machine behind a firewall, machines on the same side of firewall
may be attacked in this way. The second flaw occurs in the bytecode
dissassembler, javap. A long method name can overflow a stack allocated
buffer, potentially permitting arbitrary native code to be executed.
Both flaws can be avoided by disabling Java until patches are made available.
Dean and Felten will present a paper on security flaws in versions of Java
and the HotJava browser at this year's
Oakland Conference. Details of a third serious flaw, reported
by the same group on March 23, are being withheld pending development
and distribution of appropriate patches.
More information on these flaws is available at