[52735] in Cypherpunks
Re: WSJ on Big Java Flaw
daemon@ATHENA.MIT.EDU (Mutant Rob)
Wed Mar 27 06:20:44 1996
Date: Wed, 27 Mar 1996 05:48:37 -0500
From: Mutant Rob <wlkngowl@unix.asb.com>
To: John Young <jya@pipeline.com>
Cc: cypherpunks@toad.com
John Young wrote:
> Wall Street Journal, March 26, 1996, p. B4.
> Researchers Find Big Security Flaw In Java Language
> By Don Clark
>
> A team of Princeton University researchers said they
> discovered the most serious security flaw yet in the widely
> used Java programming language from Sun Microsystems Inc.
>
> The flaw could make it possible for unscrupulous hackers to
> destroy files or cause other types of damage on any
> personal computer that uses Netscape Communications Corp.'s
> Navigator program, said Edward Felten, a Princeton
> assistant professor of computer science who helped discover
> the flaw.[..]
> Mr. Felten said that unscrupulous people who discovered the
> flaw could boobytrap a Web page on the Internet,
> essentially seizing control of the browser software of any
> PC that tapped into that page. At that point, the hackers
> could read or delete an entire hard disk of data files.
> "The consequences of this flaw are as bad as they can be,"
> he said.[..]
The generalized halting problem comes to mind...
Since it can be proved that there's no complete set of heuristics
to tell if a given program has a characteristic (such as "secureness")
then sooner or later someone will discover another security flaw.
A question is whether a simple patch is made or if the set of heuristics
is widened (ie, learn from mistakes) so that similar flaws can be found
based on knowledge of that one flaw.
