[7309] in bugtraq
Re: New Java Security Flaw Found
daemon@ATHENA.MIT.EDU (Greg Alexander)
Mon Jul 20 19:10:24 1998
Date: Sat, 18 Jul 1998 16:49:25 -0500
Reply-To: Greg Alexander <galexand@SIETCH.BLOOMINGTON.IN.US>
From: Greg Alexander <galexand@SIETCH.BLOOMINGTON.IN.US>
X-To: Gary McGraw <gem@RSTCORP.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199807172108.RAA09205@violation.rstcorp.com>

Is it appropriate to call a Java implementation-related security hole a Java
hole? That'd be like calling a bug in pine a bug in Internet e-mail.

On Fri, 17 Jul 1998, Gary McGraw wrote:
> Hello all,
>
> Princeton's Safe Internet Programming Team recently announced the
> discovery of a serious Java security hole that can be leveraged into
> an attack applet. Their description follows:
> ------------------------------------------------------------------------
> We have found another Java security flaw that allows a malicious applet
> to disable all security controls in Netscape Navigator 4.0x. After
> disabling the security controls, the applet can do whatever it likes on
> the victim's machine, including arbitrarily reading, modifying, or
> deleting files. We have implemented a demonstration applet that deletes
> a file.
<clip>
Greg Alexander - also <galexand@indiana.edu> - http://sietch.home.ml.org/
----
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
Any sufficiently advanced feature is indistinguishable from a bug.
-- Greg's corollary