[4837] in WWW Security List Archive
RE: Latest Java hole is Netscape/Sun only
daemon@ATHENA.MIT.EDU (Paolo Da Ros)
Mon Mar 17 18:29:50 1997
Date: Mon, 17 Mar 1997 18:32:46 +0100
To: www-security@ns2.rutgers.edu
From: Paolo Da Ros <daros@cryptonet.it>
Cc: netsales-it@cryptonet.it, nt-security@cryptonet.it,
unix-security@idea.sec.dsi.unimi.it
Errors-To: owner-www-security@ns2.rutgers.edu
I have two small points on this long thread:
1. week after week (or, better, day after day) a new security hole is
discovered on Java or ActiveX or both;
2. I have not yet seen an application written in Java or ActiveX which is
worth the delta risks it brings in, compared to the delta features it
has vs those HTML (+ CGI) brings.
Maybe I'm too naif?
>Return-Path: <owner-www-security@ns2.rutgers.edu>
>From: Thomas Reardon <thomasre@microsoft.com>
>To: "'bve@quadrix.com'" <bve@quadrix.com>
>Cc: "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
>Subject: RE: Latest Java hole is Netscape/Sun only
>Date: Sun, 9 Mar 1997 18:46:09 -0800
>Encoding: 52 TEXT
>Sender: owner-www-security@ns2.rutgers.edu
>Errors-To: owner-www-security@ns2.rutgers.edu
>
>Believe me, this last week has taught us some painful lessons. We'll
>try to articulate an overall policy, both in terms of technical reviews
>but also public education and announcements, this coming week. I use the
>phrase 'overcommunicate' around here, and I think folks are starting to
>grasp it.
>
>-Thomas
>
>>-----Original Message-----
>>From: bve@quadrix.com [SMTP:bve@quadrix.com]
>>Sent: Sunday, March 09, 1997 6:21 PM
>>To: Thomas Reardon
>>Cc: www-security@ns2.rutgers.edu
>>Subject: Re: Latest Java hole is Netscape/Sun only
>>
>>
>> From: Thomas Reardon <thomasre@microsoft.com>
>>
>> just a quick note that the VM bug affects only Netscape and Sun
>> implementations. that means IE for Windows is ok, but IE for Mac (Sun's
>> VM) is vulnerable. we're off the hook for once this week ;)
>>
>> -Thomas Reardon
>> Microsoft
>>
>>You know, the most interesting things about this latest Java bug are:
>>
>> 1) Sun discovered it themselves -- not some outside party -- during a
>> "regular security review".
>> 2) In part due to #1, the patches have already been released.
>> 3) Sun ANNOUNCED THE PROBLEM to all major venues. This is probably the
>> most important distinction. I give a company credit when they
>> announce their problems, along with the fixes. MS is notorious for
>> hiding their problems, until someone makes them speak up.
>>
>>Please understand that I am *not* trying to slam MS for this!!!
>>I am instead attempting to point this out as an example to be followed.
>>Mr. Reardon, if you can make *anyone* at MS listen to you, tell them to be
>>forthcoming with problems, so that we may all protect ourselves ASAP. Stop
>>trying to play "holier than thou" with security. As you've found out this
>>week (and as I think you've said in the past) no software is bug-free. I'm not
>>going to shoot MS for having a bug. I'm going to shoot them for all the
>>games they play with their holes, and others....
>>
>>
>> -- Bill Van Emburg
>>Phone: 908-235-2335 Quadrix Solutions, Inc.
>>Fax: 908-235-2336 (bve@quadrix.com)
>>Check out http://yourtown.com! (http://quadrix.com)
>> "You do what you want, and if you didn't, you don't"
>
>