[3700] in WWW Security List Archive
Re: FW: virus on the internet
daemon@ATHENA.MIT.EDU (Hugh McNeill)
Wed Dec 4 18:02:31 1996
Date: Thu, 5 Dec 1996 09:29:25 +1300
From: hmcneill@tssc.co.nz (Hugh McNeill)
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
> Is anyone familiar with this WARNING???
Looks like a panic reaction. Combination of the classic "GOOD TIMES" myth
and someone getting hot under the collar about well known security
problems with java.
> Is it authentic?
Partially. The email scaryness and hype are all trash. The only way you can
be attacked is if you view mailed or posted HTML or URL's from java enabled browsers
on systems that the hacker can guess some things about. Note that it eventually
states that it is a java problem and that is the essence of the whole thing.
By exploiting a hole in java security, it is possible to trace the HTTP
activity of a browser. The applet is killed when the browser terminates (if not
before) and will not restart until the browser visits another infected page.
By exploiting another hole, it may be possible to send this information
to a site different from the infected page.
By exploiting another hole, on some systems, it may be possible to modify
local web pages that the user has write access to, and insert something like
<applet://hacker.nasty.com/nastyapp>
> What are the remedies?
1) Get the most recent official release of your favorite browser. These are
known bugs, fixed in later releases.
2) Turn OFF java AND javascript. There are some interesting interactions
available even between certified java apps and other things. There is little
of real value in java yet anyway, mostly just flashy eyecatchers.
More info for starters at
http://www.cs.princeton.edu/sip/News.html
Note that the above info is my understanding of what I read on the
internet and does not represent anything by anyone official, even if
it sounds the same as what they say.
HM
