[33560] in Hotline Meeting
RE:berkeley
daemon@ATHENA.MIT.EDU (John J Morey)
Fri May 17 12:34:40 1996
To: hotline@MIT.EDU
Date: Fri, 17 May 1996 12:34:34 EDT
From: John J Morey <jjmorey@MIT.EDU>
------- Forwarded Message
Received: from PACIFIC-CARRIER-ANNEX.MIT.EDU by po8.MIT.EDU (5.61/4.7) id AA17598; Fri, 17 May 96 12:05:57 EDT
Received: from KUMERA.MIT.EDU by MIT.EDU with SMTP
id AA19793; Fri, 17 May 96 12:05:55 EDT
Received: by kumera.mit.edu (AIX 4.1/UCB 5.64/4.03)
id AA17342; Fri, 17 May 1996 12:09:18 -0400
From: phnelson@kumera.mit.edu
Message-Id: <9605171609.AA17342@kumera.mit.edu>
To: jjmorey@MIT.EDU
Cc: phnelson@kumera.mit.edu, lynch@bc.edu
Subject: JavaScript Problem on berkeley?
Date: Fri, 17 May 96 12:09:18 -0400
Dear JJ,
thanks for your email:
>Hi Peter -
>
>I log'd onto one of our test systems and it does take along time
>for netscape to startup, however I don't understand the 2nd part
>of your mssg:
The time it took to load seemed longer than usual.
The single pixel window was a small window border around a
single pixel. This reminded me of the following email I got
a while ago: the bit in particular is:-
>> Open 1 pixel window and log all URL accesses
which seemed to me to be exactly what happened, but I was
only accessing my own home page which has no javascript
at all!?! I just checked and it doesn't look like anybody
hacked my page - my best guess is that netscape on berkeley
has been modified in some way - but I could be wrong.
the info on the file is:
2545 Mar 12 09:06 pwhots.html
which indicates that it has not been modified since I put
it there! Also I have not had this problem on any other
machine so I don't think it's a problem with kumera but
I'll get Jaqui to check it out for me.
Please let me know what you find out/do about this problem.
- - Thanks
Regards,
Peter Nelson
- ------- Forwarded Message
Received: by kumera.mit.edu (AIX 4.1/UCB 5.64/4.03)
id AA16762; Wed, 13 Mar 1996 10:48:00 -0500
From: phnelson
Message-Id: <9603131548.AA16762@kumera.mit.edu>
To: rutledge@mit.edu, ehwong@mit.edu
Cc: phnelson@kumera.mit.edu
Subject: more on the trouble with java
Date: Wed, 13 Mar 96 10:48:00 -0500
- - ------- Forwarded Message
Received: from cleo.bc.edu by kumera.mit.edu (AIX 4.1/UCB 5.64/4.03)
id AA16044; Wed, 13 Mar 1996 09:00:49 -0500
Received: from cc30.bc.edu (cc30.bc.edu [136.167.2.151]) by cleo.bc.edu (8.6.13/8.6.12) with SMTP id IAA58587; Wed, 13 Mar 1996 08:57:49 -0500
From: Jaqui Lynch <lynch@bc.edu>
To: sec-sig@admin1.bc.edu
Subject: (COPY) Re: Security Vulnerability in <fwd>
Message-Id: <SIMEON.9603130953.A@cc30.bc.edu.>
Date: Wed, 13 Mar 1996 09:04:53 -0500 (EST)
Priority: NORMAL
X-Mailer: Simeon for Windows
X-Authentication: IMSP
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
On Wed, 13 Mar 96 08:31:00 EST MAUREEN D TOUHEY
<TOUHEY@BCVMCMS.BC.EDU> wrote:
>
>
>Copy From: TOUHEY,MAUREEN D <TOUHEY@BCVMCMS.BC.EDU>
>Orig Sent: TUE, 12 MAR 96 18:24 EDT
>Orig From: OWNER-INFSEC-L@ETSUADMN.ETSU.EDU
>Subject: Re: Security Vulnerability in
>
>Received:from VMS.DC.LSOFT.COM by BCVMCMS.BC.EDU (IBM MVS
SMTPV3R1)withTCP;
> Tue, 12 Mar 96 18:20:59 EST
>Received:from PEACH.EASE.LSOFT.COM (205.186.43.4)by
VMS.DC.LSOFT.COM (LSMTP
> for OpenVMS v1.0a) with SMTP id 3EDA8C80 ; Tue, 12 Mar 1996
18:21:50 -0500
>Date: Tue, 12 Mar 1996 19:14:03 -0500
>Reply-To: Information Security List
<INFSEC-L@ETSUADMN.BITNET>
>Sender: Information Security List <INFSEC-L@ETSUADMN.BITNET>
>From: Vin McLellan <vin@SHORE.NET>
>Subject: Re: Security Vulnerability in Netscape 2.0 (fwd)
>X-To: Information Security List
> <INFSEC-L%ETSUADMN.BITNET@UICVM.CC.UIC.EDU>
>To: Multiple recipients of list INFSEC-L
<INFSEC-L@ETSUADMN.BITNET>
>
>>The most recent version of the Netscape web browser,Netscape
Navigator 2.0
>>has several new features and improvements over the previous
versions.
>>Unfortunately, it has been discovered that one of those new features,
>>JavaScript, has introduced a serious security problem.
>>
>>The following problems have been identified.
>>
>> Forge e-mail/steal e-mail address
>> Recursively list local disks
>> Open 1 pixel window and log all URL accesses
>>
>
>Attached is a similar alert -- reportedly forwarded from a Lotus internal
>net -- which was yesterday distributed in the mailing list of the Digital
>Commerce Society of Boston.
> _vbm
>
>--------------------------
>
>Please be aware that potential security exposure has been identified
in
>JavaScript and you should take appropriate precautions.
>
>Subject: Security Advisory
>
>We have identified a serious security exposure in Web Browsers that
support
>JavaScript. The current implementation of JavaScript allow intruders
>unprecedented access to contents of client computers.
>
>In brief, JavaScript is a language used to build small "applets" that are
>interpreted and executed by Web browsers on client computers. An
increasing
>number of Internet websites are building web
pageswithJavaScript.JavaScript
>applets can be programmed to access anything on the client computer
or the
>network file system it is attached to.Access can include forwarding
offiles
>to external sites, and potentially may include erasing files from client
>computer and network file servers. These actions are typically
performed
>without the client computer user's awareness.
>
>The exposure affects all client platforms that have JavaScript enabled
>browsers. Platforms include UNIX, AIX, Windows, and OS/2 running
Windows
>versions of browsers. Web browsers supporting JavaScript include all
2.x
>versions and Beta versions of Netscape Navigator. Remote users
connecting
>through dial-in gateways,LAN connected users,and users
accessingtheInternet
>through security firewalls are all at risk.
>
>Java and JavaScript are distinctly different programming languages.
Java
>language is considered to be relatively secure.JavaScript
isthelanguagewith
>the security risk. Some browsers include an option to disable
Java.However,
>using the option to disable Java does not disable JavaScript.
>
>There are no known ways to disable JavaScript in browsers that
support it.
>
>We will keep you informed of any resolution or
workaroundstothisexposure.At
>this point,we see no alternative other than to ask you
todirectallemployees
>in your units NOT to use any Web browser that supports JavaScript.
>
>
> Vin McLellan +The Privacy Guild+ <vin@shore.net>
> 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
> <*><*><*><*><*><*><*><*><*>
>ALSO: LYNCH,JAQUELINE A <LYNCH@CLEO.BC.EDU> (COPIED BY
TOUHEY)
Jaqui A. Lynch
Manager Systems Services
Information Technology
Boston College
lynch@bc.edu
- - ------- End of Forwarded Message
- ------- End of Forwarded Message
------- End of Forwarded Message
