[860] in WWW Security List Archive
Re: Java and trojans: any last words before Netscape 2.0 is out?
daemon@ATHENA.MIT.EDU (Larry Masinter)
Wed Sep 20 02:26:15 1995
To: www-security@ns2.rutgers.edu
From: Larry Masinter <masinter@parc.xerox.com>
Date: Tue, 19 Sep 1995 20:25:06 PDT
Errors-To: owner-www-security@ns2.rutgers.edu

> Is there anything to add to this assessment? Are we walking knowingly
> into a significant decrease in the security of the average Internet
> site? Should security-minded sysadmins ban Java and Netscape 2.0 from
> their systems?

I sent this to Prentiss, but perhaps it deserves a wider distribution.

I think that Java has fewer opportunities for trojan horse attacks
than application/msword, and thus the answer to "are we walking
knowingly into a significant decrease in the security of the average
Internet site" is "no" because of the recent introduction of greater
threats.

================================================================
Date: Mon, 18 Sep 1995 02:19:50 -0700
From: Matthew J Brown <mjb@sophos.com>
To: firewalls@greatcircle.com, mjb@sophos.com, ian@virusbtn.com,
jh@sophos.com, benl@mojo.europe.dg.com
Subject: Horrible thought wrt. the Word virus
Sender: firewalls-owner@greatcircle.com
Content-Length: 1522

Driving home last night, I had a sudden thought of the potential
dangers inherent in Microsoft Word, which go far beyond the simple
virus the entire world got so worked up about.

Word Basic is not the simple macro language many of us (including
myself until very recently) have believed. In fact, I am informed by
people I know who have developed in it, a Word Basic program can
access ANY function in ANY Windows DLL. This includes just about any
Windows system function, and, worryingly, WINSOCK.DLL.

Therefore, all you need to break just about anyone's firewall and
internet security is to con somebody into reading a Word document of
yours.

The possibilities are pretty limitless, but one possibility would be
to get Word to drop a Windows executable which acts as a
remote-control for that Windows system, connecting out through the
firewall to a remote site where Mr Bad Guy sits.

Or something that looks for local UNIX systems, breaks in through the
syslog hole using sendmail, and drops a worm program in them?

Use your imagination.

Word documents should henceforth be treated *EXACTLY* the same as
executables; they're nearly as powerful, and their operating
environment is damn common.

It's also worrying to think about how many other applications have
data files which are practically executables, and capable of calling
system functions when loaded. A friend mentioned PowerBuilder, for
example; I'm sure there are a *flood* of others.

-Matt, hoping he's being over paranoid, but I don't think so.

----- End Included Message -----
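
The policy argued in the included message, sketched as a mail-gateway check; this is an added example, not code from either author. It assumes Word files are recognised by the OLE2 compound-file signature (which other OLE2-based formats share) and executables by the MZ header, and the addresses, filenames and payloads are constructed samples.

```python
import email
from email import policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file (Word and others)
MZ_MAGIC = b"MZ"                                 # DOS/Windows executable header

# Policy from the message above: documents get the same verdict as executables.
QUARANTINE = {"ole2-document", "executable"}

def classify(payload: bytes) -> str:
    """Classify by leading bytes, ignoring the declared type and filename."""
    if payload.startswith(OLE2_MAGIC):
        return "ole2-document"
    if payload.startswith(MZ_MAGIC):
        return "executable"
    return "other"

def scan_message(raw: bytes):
    """Return (filename, declared_type, sniffed_kind, verdict) for each leaf part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        kind = classify(data)
        verdict = "quarantine" if kind in QUARANTINE else "deliver"
        results.append((part.get_filename(), part.get_content_type(), kind, verdict))
    return results

def build_sample() -> bytes:
    """Constructed message: text body, a declared Word file, a mislabelled one, an EXE."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.org"
    m["Subject"] = "quarterly notes"
    m.set_content("See attached.")
    doc = OLE2_MAGIC + b"\x00" * 64   # placeholder bytes, not a real document
    exe = MZ_MAGIC + b"\x00" * 64     # placeholder bytes, not a real program
    m.add_attachment(doc, maintype="application", subtype="msword", filename="report.doc")
    m.add_attachment(doc, maintype="text", subtype="plain", filename="notes.txt")
    m.add_attachment(exe, maintype="application", subtype="octet-stream", filename="tool.exe")
    return m.as_bytes()

if __name__ == "__main__":
    for row in scan_message(build_sample()):
        print(row)
```

The second attachment shows why the check reads the content rather than the label: it is declared text/plain but carries the same signature as report.doc, so it receives the same verdict.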