[4111] in bugtraq
Re: "New" Java hole
daemon@ATHENA.MIT.EDU (Alan Cox)
Fri Feb 28 22:42:16 1997
Date: Fri, 28 Feb 1997 00:55:43 +0000
Reply-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
X-To: gem@RSTCORP.COM
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199702272135.QAA05445@rstcorp.com> from "Gary McGraw" at Feb 27,
97 04:35:39 pm
> that helps educate Web users about the risks of executable content,
> that's good. If it stirs up unnecessary panic, that's bad.
The java based attacks are the minor ones on the whole. The javascript ones
are bad because they include stuff that is worrying beyond simple mail
address grabbing you can mailbomb people. Worse you can embed javascript
in news articles and get netscape users executing it, or in junk mail.
I expect very soon to see content-type: text/html spams that open a window
on their web site. However the same thing allows you to make tons of people
all access random ports on a victims host and have a big chunk of usenet
readers bombing a victim for no apparent reason.
Finally even simple HTML can cause problems. This one is great with NT
web client users
<IMG src="locahost:153" alt="" height=1 width=1 align=left>
Alan
