[1947] in WWW Security List Archive
Re: Java/Netscape security holes: hole du jour and summary
daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Wed May 1 13:07:05 1996
From: Prentiss Riddle <riddle@is.rice.edu>
To: jsw@netscape.com, www-security@ns2.rutgers.edu
Date: Wed, 1 May 1996 09:33:01 -0500 (CDT)
Cc: david.hopwood@lady-margaret-hall.oxford.ac.uk
In-Reply-To: <31871F77.305F@netscape.com> from "Jeff Weinstein" at May 1, 96 01:23:19 am
Errors-To: owner-www-security@ns2.rutgers.edu
> From jsw@netscape.com Wed May 1 03:26:18 1996
> Date: Wed, 01 May 1996 01:23:19 -0700
> From: Jeff Weinstein <jsw@netscape.com>
> Organization: Netscape Communications Corp.
> To: Prentiss Riddle <riddle@is.rice.edu>
> Subject: Re: Java/Netscape security holes: hole du jour and summary
>
> > Note that Netscape Navigator 3.0b is out now, with no indication that
> > Java holes found in 2.01 have been closed in 3.0b. See:
> >
> > http://www.mcom.com/comprod/products/navigator/version_3.0/index.html
> > http://home.netscape.com/eng/mozilla/3.0/relnotes/unix-3.0b3.html
>
> If you look at Hopwood's web site now, you will see that the bug in
> question is actually fixed in PR2.

That's good news!

However, I think it's a shame that users of and administrators of sites
using Netscape Navigator have to rely on third parties like Hopwood to
keep track of Java and Javascript security holes. I'd feel much better
if the release notes for each version of the Navigator included a
forthright discussion of known or suspected security problems and if
necessary included the advice to turn off Java and Javascript when
viewing non-trusted pages. As of 5/1/96, I still don't see any such
warning on the Navigator 2.01 Release Notes page, where several known
Java holes are presumably still in effect.

I also note that Hopwood has not sounded the all-clear on Atlas PR2 (aka
Netscape Navigator 3.0b) yet:

    http://ferret.lmh.ox.ac.uk/~david/java/

    Atlas PR2 has a workaround which prevents both implementations of
    the native code attack described here. However, IMO it does not fix
    the specific underlying problems (of which there are several) which
    allowed those attacks to succeed. That is why I recommend that Java
    should be disabled in PR2.

If Netscape feels that Hopwood's advice is unwarranted, the proper
response would be to debate the facts of the matter in an open forum
(such as the www-security list).
-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Opinions expressed are not necessarily those of my employer.