[4844] in WWW Security List Archive
Re: Latest Java hole is Netscape/Sun only
daemon@ATHENA.MIT.EDU (Jay Heiser)
Tue Mar 18 11:49:07 1997
Date: Tue, 18 Mar 1997 09:49:23 -0500
From: Jay Heiser <Jay@homecom.com>
Reply-To: jay@homecom.com
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
I'm unaware of any actual exploitation of any of these security bugs.
I think that the glass is not half empty, but is half full instead. The
security experts are finding the holes before they are being used in
attacks.
Certainly this whole idea of executable content represents new areas of
risk, but any new technology does. I submit that it's far more
dangerous to spend two hours driving a car than it is to spend two hours
surfing the web. Do you use motor vehicles? If so, you've either
decided to ignore the risks completely, or you've done a personal risk
analysis and made the decision to live with the risk because of the
overwhelming benefits.
I can't do a risk analysis for an individual or a firm without having
some raw data, but my working assumption is that a truly successful
business must take some risks.
All the attention being given to these issues makes the risk appear
overwhelming, but this is a normal reaction to new technology. So far,
computer viruses, missed backups, and corporate staff are still far more
likely to cause damage than a hostile Java applet.
For what it's worth, I believe the net needs something like the Java
applet sandbox model that allows anonymous executables to run safely on
any computer. The advantages are significant. Current implementations
have bugs, but perfect security will never be possible. We've never
had perfect security and we deal with it.
Paolo Da Ros wrote:
>
> I have two small points on this long thread:
>
> 1. week after week (or, better, day after day) a new security hole is
> discovered on Java or ActiveX or both;
> 2. I have not yet seen an application written in Java or ActiveX which is
> worth the delta risks it brings in, compared to the delta features it
> has vs those HTML (+ CGI) brings.
>
> Maybe I'm too naif?
--
Jay Heiser, 703-610-6846, jay@homecom.com
Homecom Internet Security Services
http://www.homecom.com/services/hiss