Java Security Hole Makes Netscape Into Web Server 236
Baldrson and other folks as well write: "Dan Brumleve is at it again with Brown Orifice. In this episode, our fearless grey hat opens a security hole in the Web's foundation that makes Napster look positively tame by comparison. Be careful with this, kids. It turns your Netscape Web browser into a Web server that can serve up your entire file system to any other Web browser."
AOL purchased NS for ONLY one reason: (Score:2)
He saw KPCB's investment in Netscape going down the shitter and orchestrated the purchased through the leverage his firm had with AOL, another KPCB-sponsored firm.
This happens all the time - how the hell do you think a retarded merger like Excite/AtHome ever got off the ground???
Netscape hasn't been any good for the last 5 years (Score:4)
Now this. Netscape's browser was merely a platform to sell Netscape's server software. They only complained about IE when M$ started giving away IIS with NT - and then got really loud when IE surpassed Communicator in features and support (that's right... M$ might have had a few security leaks to fix, but they usually responded swiftly). Netscape often gets a lot less scrutiny compared to M$' browser, too, I might add.
Netscape sucks. A one hit wonder that now ranks below M$ and others in browser and server software.
Re:So who would run Netscape as root? (Score:1)
Please - explain this procedure.
Re:Except (Score:1)
That doesn't work for me. It says "connection refused" on my Linux box. I believe the script is only listening on my ethernet interface. If I put the IP address of my ethernet interface there, it answers, but then redirects me to the address of my firewall. So, I have to actually change the address that the script thinks it's listening on before it works.
--Joe--
Wow (Score:1)
Re:My preemptive Java-doesn't-suck post (Score:2)
The web server exploit does not rely on Netscape-specific classes. There are two exploits.
Re: Stability ? (Score:2)
Re:This is Netscape's Problem, NOT Java's. (Score:2)
This is exactly what Mozilla is doing - you should try M17 which is about to come out in a couple of days.
the REAL question is... (Score:3)
Seriously, I think the biggest issue will be a non-interactive thing that can be emailed to anyone, instead of this consent-to-opening-form thing. Because netscape is only open for a short time, a real proper exploit would have to make an outbound connection to a preset IP to "check-in" that it's available.
--
Re:Why is exploit being promulgated immediately? (Score:3)
In point of fact, something of this nature has occured as previously documented by Dan. It may not be Christian for Dan to fail to endlessly forgive transgressions and abuses of his trust, but then I thought business was about reciprocal altruism, not simply continuing to do favors for those who demonstrate a track record of abusing your trust.
If the force of law is to apply here, would it not make sense to prosecute the responsible parties at CERT, or wherever, if they abuse the professional courtesy extended them by people from around the world (not just in the United States) since, having been granted a unique position of public trust and authority, the abuse of said public trust and authority (for example, failing to respond as their name "emergency response" would suggest) subjects the global public to far greater dangers than a "premature" disclosure by one grey hat?
The grey hats of the world do not exist for the convenience of flabby and possibly corrupt bureaucrats -- nor should the web users of the world have to wait for the flabby and possibly corrupt bureaucrats to possibly notify their corrupt cronies of exploits so that maximum criminal profits may be extracted, whether through plagerism or direct criminal activity.
Oh, but there I go being paranoid about the government again. ;-)
Re:Strangeness... (Score:1)
Re: (Score:1)
Re: Stability ? (Score:1)
On average, I have Netscape crash about once a day (Win98). I rarely use IE, but that too, crashes about as regularly. I haven't upgraded yet, but a good SysAdmin friend of mine advised me that IE V5.5 is even more unstable, and had huge problems with it when he upgraded his work systems. Can't verify that, haven't used it yet. The only problem I have with Netscape is that often when it crashes, I cannot close the "Netscape has performed an illegal operation...etc... close/details" box, it just reappears every time. Ctrl/alt/del no longer functions after that, nor does the computer shut down properly. Anyone else have this problem? IE occationaly does that to me after crashes, but usually the box closes properly.
The new AOL 6 will still use IE, not Netscape (Score:1)
Re:Read Risks Forum, CERT (Score:1)
(*) Want a good laugh now and then... comp.risk can be a very funny at times....
False Security: The firewall might not help (Score:1)
The demo that everyone's looking at won't work through a firewall because it's deliberately non-malicious. The scary part (for me) is that the Java applet has access to the file system, and I cannot see how a firewall can help if someone decides on a more malicious attack.
Instead of setting up an HTTP server, the applet could simply open an HTTP connection to the original server and start posting files from your hard drive. Applets are allowed to open connections back to the original host.
This is why client-software vulnerabilities are so scary -- the client software usually has the same privileges as you do.
Re:My preemptive Java-doesn't-suck post (Score:1)
The real implementation problem is that Netscape have let their Java implementation wither on the
vine.
Works also with blackdown Java plugin (Score:5)
Every day I raise up thanks for ipchains(8):
ipchains -A input -l -y -j REJECT
Re:That is the stupidest thing I've ever heard. (Score:2)
plunge (cosym@yahoo.com) wrote:
> That's them creating the most important incentive for the
> future of all: the incentive to try to actually produce
> something superior to everything else. Sorry, but that's
> what counts in the end, and that's where things will end
> up when all is said and done.
gargle wrote:
> You're damn right. I'm voting with every click - voting in
> support of a superior product.
Denial of Service wrote:
> I hope you enjoy playing politician while the vast majority
> make choices based upon quality of product.
(1) A lot of techies don't like to believe this, but you are
essentially stuck living in a political world. You're
deluding yourself if you think you can live your life making
"technical" decisions without any political aspect.
(2) Luckily for my side this particular voting process has
proportional representation built-in, so I don't need "the
vast majority". No sane business throws away even 10% of
it's potential market if it can avoid it, so a 90-10 split
between Microsoft and everyone else still leaves room for
standards to win out. At some point -- somewhere above 95%
market share is my guess -- there will be no practical
argument left to shoot down a designer that's itchy to play
with some new toy MS put in the latest IE, and there will be
no pressure left towards standards compliance.
(3) Netscape has far from a perfect record about standards
compliance, but it doesn't matter for this argument, since
I'm not telling you to use Netscape. Lynx, opera, mozilla,
xemacs, whatever. The point is to discourage reliance on
any one single company's proprietary technology (e.g. a
site based on macromedia flash isn't any better than an
IE-only site).
(4) It would be nice to believe that everything boils down
to simple free-market economics, but I've (reluctantly)
become convinced that in the real world, there is no single
simple set of principles that applies universally.
In this particular case, I'm arguing that your conception of
"a quality product" is shallow and short-sighted. When you
buy into a technology, you're getting more than a product,
you're also looking for "services", which means you have to
look to the future and think about everyone's long-term
incentives (as well as look to the past, and think about the
history of the groups involved). In this case, I'm arguing
that the future upgrades you're going to recieve, and the
kind of web you're going to have to deal with will be
compromised by what you're buying into in the present.
Beware of Microsoft bearing gifts. What's hard to
understand about this?
Welps... (Score:2)
I'm guessing it effects Communicator completely in General... and does this mean it's resident in Mozilla too?
Anybody try things the other way yet? (Score:1)
I suppose this works on outgoing connections to; youd could connect to servers other than the one that served up the class file. Anybody try it yet?
This [Client-Client Sharing] could be the Netscape killer app. A killer app to revive the original killer app!
who said this is a bad thing? (well, entirely bad) (Score:4)
Why I dislike IE. (Score:2)
- Each bookmark is stored as a separate file. This means that I cannot have a bookmark with a colon in it, and I cannot manage them easily -- no sorting, no nice tree dialog like in Netscape. Opera is somewhat better in this area, but I still like Netscape's approach the most.
- Virtually no control over cookies. Accept, deny, confirm. That's about it. At least Netscape lets me deny cookies from another server.
- The history interface sucks. Again, every item is stored as a separate file. There is virtually no provision for sorting. Netscape rules this area.
- Crappy Find dialog. No "Find Next" command without first opening the Find dialog and keeping it open. F3 illogically opens the search-for-files dialog. So much for browser and file manager integration...
Hmm... I've been meaning to put this into some kind of comparison table for a while. Maybe this will get me started.--
Re:Customer service (Score:1)
There's little relationship between security notfications for IE at microsoft.com, and netscape.com
netscape.com is another goddam portal.
What are you doing even bothering with it?
Try finding a new home page. It's really quite simple. I would suggest /.
t_t_b
--
I think not; therefore I ain't®
Time to upgrade to Communicator 4.75! (Score:2)
Somewhere people are betting over which finishes first: Mozilla 1.0 release, or wine progressing well enough to run IE reliably.
Shit! This is not the sort of gamble any serious Freenix or UNIX user would want to take....
Re:Mozilla! (off topic, sorry) (Score:1)
Re:That is the stupidest thing I've ever heard. (Score:1)
Re:Except (Score:1)
Whether the sploit works or not, they did leave their IP's up for everyone to see.
My preemptive Java-doesn't-suck post (Score:1)
So attention to all the trolling AC's... If you're going to use this to say "Java Sucks!", please include an alternate method of running untrusted software on your local computer!
Re:Not really a problem (Score:1)
Funny - I was going to say the same about my C++...
Re:What about Communicator? (Score:1)
No, HTML mail will not do this, the exploit uses a specially written java applet to take advantage of a hole in netscape's java implemtation.
You should be running a firewall, anyways. Basicly, unless you're running servers that you want to be accessable over the internet, you should have your firewall set up to block inbound connections (that is, connections from the internet to your network) with the exception of connections that you need to be open for something to work.
If you're concerned about this exploit, you may want to turn off java in netscape untill they release a fix. Netscape's java implementation is quite buggy, anyways, if you want or need java in netscape, look at the java plugin aviabile at The Blackdown Project [blackdown.org].
As a precaution, you may also want to turn off javascript in mail and news, but keep in mind that javascript is not the same thing as java, the two are entirly diffrent.
netscape is obsolete (Score:2)
I still prefer Netscape to IE: with IE, the lack of security is designed in from the ground up (ActiveX etc.). Netscape at least is based on technologies that can be made secure.
For the time being, you just have to turn off Java and JavaScript.
It might also be worth looking at other ways of removing privileges from a running Netscape. Linux chroot, capabilities, various group hacks, LD_PRELOAD, and ptrace, could all be used to detect and prevent undesirable behavior.
Re:NFS (Score:1)
Hehehe. Unless of course, you consider using a firewall and ssh port forwarding. :)
ipfw allow tcp from 12.34.56.78 to $oif 23 setup
ipfw deny tcp from any to $oif 8080 setup
And of course, private ip's on the inside of either firewall can get easy access to your files. :)
---
Re: (Score:1)
JavaScript != Java (Score:1)
--- Never hold a dustbuster and a cat at the same time ---
Ad server plugin? (Score:1)
netscape server obsolete? (Score:3)
and you people mocked netscape. shows you all.
and i guess with mozilla, they'll be able to completely take over my computer, seeing how it will be an entire platform for doing everything...
Don't make money using crap (Score:2)
Re:Netscape hasn't been any good for the last 5 ye (Score:2)
Sorry, but that is incredibly short-sighted. I'm an anti-Microsoft fundamentalist. I don't have any Microsoft products on my machine. But I have to admit that at this moment IE is a better, more stable, more standards-compliant, easier to use browser than anything we've currently got on Linux (except possibly Konqueror [konqueror.org], which I hope to try soon). Mozilla M16 [mozilla.org] is almost as good, but not nearly stable enough.
It's a bad mistake when you're so blinded by your dislike of the opposition that you can't recognise where they actually are doing better stuff than we are.
Re:Great! And what about the BOURLConnection probe (Score:2)
Re:Works also with blackdown Java plugin (Score:3)
That said, thanks for the -y info. I was wondering if I could do that and hadn't gotten around to browsing the man page yet.
Re:Not really a problem (Score:2)
Typical java apps tend to have memory leaks or otherwise cause eventual reboots of the os when used with IE.
Re:That is the stupidest thing I've ever heard. (Score:2)
Case in point: The Mozilla project. If it were not for Microsoft, Netscape would have continued sitting on its ass, churning the 4.x line, and releasing noteworthy enhancements like the "shopping button".
By choosing to use IE, I am placing pressure on the Mozilla team to product a better product on time. Browser statistics send a very clear message - they know that they cannot rely on any sense of charity from the marketplace. Compete, deliver, or die.
MS is a monopoly, and IE is a tool used illegally to further its monopoly. True, but this can be dealt with by anti-trust law. Requiring consumers to choose an inferior product to spite MS is like cutting off the nose to spite the face.
Re:That is the stupidest thing I've ever heard. (Score:2)
> MS makes great software.
Microsoft repeatedly turns out mediocre, buggy products that
get kind-of useable by the third version.
> If you want a share of the
> marketplace, then compete by producing better
> software.
Where have you been? If better software was all it took,
Borland would be the giant of the software industry.
> Stop whining.
No, you can't make me!
> In the end, consumers benefit from competition.
(Which end?)
> Expecting consumers to choose your
> inferior product over a superior product to make some
> kind of political statement is lame and repulsive.
(a) They're not my products.
(b) There are many instances where refusing to respect a
boycott is what's really lame and repulsive. ("I always
buy from the Gap, they make great clothes for a great price!
Oh... they're manufactured by asian women conned into
indetured servitude in Saipan by being told they're getting
jobs in the US? Don't bother me with that politcal crap!")
> Case in point: The Mozilla project. If it were not for
> Microsoft, Netscape would have continued sitting on its
> ass, churning the 4.x line, and releasing noteworthy
> enhancements like the "shopping button".
Right, multiple competing companies are better than just one
defacto-monopoly. A Netscape-dominated web could easily
have become a mess of BLINK tags.
> Compete, deliver, or die.
Extend, embrace, extinguish.
> MS is a monopoly, and IE is a tool used illegally to
> further its monopoly. True, but this can be dealt with by
> anti-trust law.
Have you been paying any attention at all? This isn't
being dealt with by anti-trust law... the government is
busy trying to fight Standard Oil all over again.
In any case, my contention is that consumer boycotts are
more effective in many cases than waiting for government
action. Boycotts work faster and are more reliable,
because of the "proportional representation" effect I
mentioned earlier.
> Requiring consumers to choose an inferior
> product to spite MS is like cutting off the nose to spite
> the face.
I think this is incredibly melodramatic. The "inferior"
products just aren't that inferior (and some of them may not
be inferior at all... if Opera were out for Linux I might
give it a try, and Mozilla is certainly getting there).
Anyway, I have no problems with rewarding the best.
Aren't you arguing for rewarding the worst?
Re:Here's why it works (Score:4)
the enlightening method, from ServerSocket is:
t HostAddress(),
protected final void implAccept(Socket s)
throws IOException {
try {
s.impl.address = new InetAddress();
s.impl.fd = new FileDescriptor();
impl.accept(s.impl);
SecurityManager security =
System.getSecurityManager();
if (security != null) {
security.checkAccept(s.impl.getInetAddress().ge
s.impl.getPort());
}
} catch (IOException e) {
s.impl.close();
throw e;
} catch (SecurityException e) {
s.impl.close();
throw e;
}
}
Basically, you can't easily not do the open, because you need to get the port and host address from the impl attribute of the socket - after telling it to open. I think that a more sound approach would be to make impl flexible enough to do it's dns setup without actually opening.
Anyway though, the upshot is that the current approach requires that we trust the close method on impl. Looking back through the initializers which create impl, I think this is safe, but hard to prove safe. My guess is that the earlier JVM classes did this incorrectly - they trusted s.close instead of s.impl.close. Which is bad; we don't know where s has been.
Junkbuster blocks this? (Score:2)
Re:Netscape hasn't been any good for the last 5 ye (Score:2)
I don't use Windows enough to know if "IE" is better. I have used windows enough to know that Linux is better, and while Netscape is far from perfect, it works well enough on both platforms that I don't understand why anyone would take the trouble to complain (like, yeah, it will crash after a few days of uptime, and yeah, that's mildly annoying, but so what? Generally, any tasks I do with the browser are completed in less than an hour -- and if I want to read a long essay or something, lynx is fine.)
Anyway, there's a really good reason why you shouldn't use "Internet Explorer", no matter how absolutively wounderful it is: you're voting with every mouseclick, leaving trails in the logs of every website you visit, getting us all a little closer to a Microsoft dominated world. When IE on Windows shows up at 95% plus, every dweeb of a web designer is going to insist that there's no point in sticking to any "standards" but Microsoft's.
So, you don't like Netscape, that's fine, go out and find a copy of Opera or something. If you use Internet Explorer, you're being incredibly short-sighted, and you deserve the world you're going to get.
Re:Junkbuster blocks this? (Score:2)
Read Risks Forum, CERT (Score:3)
You need to read Risks if you:
- Use and depend on computers in any but the most trivial way
- Program computers
- Make policy decisions regarding computers
- Operate computers in a way that affects safety (pilot a modern airplane, work in a hospital)
- Use computers in a way that may impact your own safety (flown on a modern airplane lately?)
I think that probably covers most Slashdot readers, which is why I keep posting it here.You might also want to check out the book "Computer Related Risks" by forum moderator Peter G. Neumann ISBN 020155805X. It draws on material from the forum but discusses it in greater depth. You'll find it at all the online bookstores and many local bookstores as well.
Here's a few of my own posts to Risks:
I also recommend that everyone refer regularly to the CERT Coordination Center [cert.org] to read the latest in security advisories and report security problems to them when you find them.Re:Glad I run Netscape from behind a firewall. (Score:3)
warez.slashdot.org [slashdot.org]
enjoy!
You don't have to run Netscape as root to be hurt (Score:2)
Re: Stability ? (Score:2)
It seems more stable on Windows, but, as we all know, IE loads a lot faster and, IMHO, IE just renders the HTML into a nicer-looking document.
Re:not the only problem (Score:2)
Yep, you could. You can not only read/write anywhere, you can also reformat...
While the whole At Ease concept is outdated there are alot of institutions keeping it because they have old hardware and cannot go to OS 9 or they have incapable sysadmins. Especially in K-12 schools.
Linux: Less bugs and stops bugs in other OSs/apps! (Score:2)
Users will always install and run insecure apps. As sysadmin, it's my job to keep the company LAN safe regardless. Well, despite this article, it looks like I'll be sleeping soundly tonight.
Firewalls should be for everyone. Anyone who connects their PC (regardless of what OS it runs) directly to the internet is just a damned fool that deserves what they get. Just remember, "if it connects to the net, it runs firewall SW and nothing else." Put the browsers and napsters and toys behind the firewall.
Re:Not really a problem (Score:2)
Unless you use JNI, or some other kind of native code, a correctly written VM should never crash (though of course, it might *stop*).
holes (Score:2)
Re:Netscape hasn't been any good for the last 5 ye (Score:2)
Then shut your pie hole. Because if you DID use IE for more than 15 mins you'd see the point.
I too was a 'Netscape only' person from version 1 to version 4.72. Netscape simply has becoming worse and worse while IE has become better and better (well, maybe not 5.5 but 5.01 is solid).
There comes a time when getting your work done is more important than supporting some ideal that obviously isn't shared by the actual developers.
That time for me was June 2000. Goodbye Netscape and good riddance.
Use Zone Alarm (Score:2)
Not affected if behind NAT (Score:2)
Re:Not only worse for dynamic html (Score:2)
This is a Java applet, not a Javascript exploit. The fact is that just about any client side scripting has to be implemented perfectly to avoid security problems. This being an imperfect world, I browse with Java and Javascript OFF.
Re:That is the stupidest thing I've ever heard. (Score:2)
Have you been paying any attention at all? This isn't being dealt with by anti-trust law...
Decreased revenues due to open source competition can't be the only thing driving down Microsoft's stock price. It's about 50% off its high before the antitrust rulings.
Re:My preemptive Java-doesn't-suck post (Score:2)
please include an alternate method of running untrusted software on your local computer!
http://vrml3d.com/open/#name5 [vrml3d.com]
This is only a very small beginning. We need much more work in this area. We need small, fast, secure VMs that can run *any* language on *any* machine. EiC comes close to meeting the any machine part, but not the any language part.
Re:Time to upgrade to Communicator 4.75! (Score:2)
talking about *heh* Netscrape's *heh* server...
Once Microsoft have 95% or so of the browser market, and non-MS browsers are obscure enough to ignore, what makes you think they won't "embrace and extend" HTTP? They're doing the same to HTML already, with proprietary tags.
Eventually we may be using some DCOM-based proprietary protocol to download web pages as Microsoft
Slashdot is a good beta test site for a crack (Score:3)
I think you can do anything you want with (Score:2)
I know it's offtopic - only to try to clarify a point thats been posted.
Reading your IP as you download the server? (Score:2)
Further, all I saw was "Permission denied" on any place I tried to read.
So - my first question - how did the browser know what my REAL IP was behind the NAT box? Did they configure it into the browser before I down-loaded it? Further, are they recording said IP's for later exploits????
I'd guess if you are behind a firewall or NAT box that won't do them much good....which is a "good thing."
Anyway - maybe one should think twice before downloading and trying this "exploit."
My
doesn't work for me (Score:2)
in fact, none of the links work.
Am I doing something wrong?
Is this Java Security Model or Implementation? (Score:3)
Obviously non-sandboxed scripting languages like Javascript and ActiveX are a different kind of risk, and simply can't be trusted.
not the only problem (Score:2)
The MS Word crack I stumbled upon I found was even worse; search for a file, and you can get read access to files in the same directory [which is supposedly secure] with an open menu dialogue. You can even open the passwd file from a remote At Ease server volume!! Though its a bin file, parts of it are readable.
However I think they cleared this up in the current version of At Ease.
Re:Netscape hasn't been any good for the last 5 ye (Score:2)
If Microsoft attained their standing and wide-spread domination via anti-competative means, fine, but you can't blame consumers for using what they like best. That's them creating the most important incentive for the future of all: the incentive to try to actually produce something superior to everything else. Sorry, but that's what counts in the end, and that's where things will end up when all is said and done.
The Headline you don't want to see... (Score:2)
Customer service (Score:2)
Say what you will about M$/IE, but if a bug like this gets reported for Internet Exploder, you can bet your ass they'll post at least a notification (if not a workaround or patch) on their site faster than you can say "class action lawsuit."
Netscape? Netscape.com is too busy telling me about the new cute chick flick "Coyote Ugly" and checking my stocks. I'm one click away from the "Security" section of Microsoft.com. On Netscape.com, I am one click away from sports scores.
I used to be a really big fan of Netscape, but they just keep screwing up. I swear, I want to like them...
======================================
Re:Strangeness... (Score:3)
Be careful! (Score:2)
I ran the applet, and my portsentry has caught 9 people in less than 20 minutes trying to connect to my 'puter. Just a heads up to those other curious people out there.
Portsentry Log
965533382 - 08/05/2000 23:43:02 Host: ppp-121.tnt-1.ind.smartworld.net/64.71.16.121 Port: 8080 TCP Blocked
965533409 - 08/05/2000 23:43:29 Host: c1102499-a.mntp1.il.home.com/24.22.238.125 Port: 8080 TCP Blocked
965533665 - 08/05/2000 23:47:45 Host: cx1009234-b.lbbck1.tx.home.com/24.15.153.5 Port: 8080 TCP Blocked
965533766 - 08/05/2000 23:49:26 Host: bluewhale-ext.nus.edu.sg/137.132.2.110 Port: 8080 TCP Blocked
965533960 - 08/05/2000 23:52:40 Host: adsl-151-203-192-148.bellatlantic.net/151.203.192
965534057 - 08/05/2000 23:54:17 Host: dialupB214.dlth.uswest.net/207.109.199.214 Port: 8080 TCP Blocked
965534280 - 08/05/2000 23:58:00 Host: dsl-209-162-218-233.easystreet.com/209.162.218.23
965534282 - 08/05/2000 23:58:02 Host: Station06.DSFM.MB.Ca/204.112.25.16 Port: 8080 TCP Blocked
965534422 - 08/06/2000 00:00:22 Host: koyk-u5.cisco.com/171.69.66.107 Port: 8080 TCP Blocked
Re:Unbelievable,... or not? (Score:3)
So are you a troll, or just ignorant?
Last time I checked Bugtraq there were a whole bunch of people searching through all sorts of open source software for holes, and reporting them.
Last time I looked at www.openbsd.org, it had done a thourough review of any potential security holes in their open source operating system.
And last time I checked, neither the Netscape 4.x browser nor its Java component were Open Source.
Steven E. Ehrbar
Re:Wow (Score:3)
Re:Except (Score:2)
They seem to work incorrectly if you're behind a firewall, since the script picks up the IP of the firewall rather than of your machine, and so the server redirects you incorrectly if you do manage to get it to answer.
I haven't had time yet to determine how it behaves if I manually "configure" it, and I don't care to run it at all on my firewall. (I'm curious, not st00pid.)
--Joe--
Overloading and security (Score:2)
public void somemethod(){
if (evil_attacker) throw new SecurityException();
do_sth_useful();
}
won't get you too far, if the attacker has access to source code, and overloads the method with a version without security checks. Since Java applets can extend java.* classes and the code for them comes with the latest JDK, it was just a matter of time until someone figured this out, and created an exploit.
The easy solution is not to allow unknown code (applets) to replace (overload) system library code. Let applets only extend java.lang.Object or other classes from an Applet, and you're done.
Re:Not really a problem (Score:2)
Great! And what about the BOURLConnection probelm? (Score:2)
But Brumleve describes another problem with BOURLConnection and BOURLInputStream that allows the applet to read local files. Can someone help us with that one also?
Cheers,
--Neal
Which Netscape and/or IE versions are affected? (Score:2)
Ha (Score:2)
Re:Works also with blackdown Java plugin (Score:5)
Also, the exploit uses classes from netscapes java40.jar (netscape.net.URLConnection and netscape.net.URLInputStream), these classes are *not* available in the plug-in.
Juergen
--
Juergen Kreileder, Blackdown Java-Linux Team
http://www.blackdown.org/java-linux.html
JVM'01: http://www.usenix.org/events/jvm01/
Re:Not really a problem (Score:5)
Re:Glad I run Netscape from behind a firewall. (Score:2)
Wow! I found shitloads of pr0n and warez on that first one! Hey thanks!
Re:Netscape is having its troubles... (Score:2)
--
Chaosnetwork [chaosn.com]
Re:Netscape hasn't been any good for the last 5 ye (Score:2)
You're damn right. I'm voting with every click - voting in support of a superior product.
Not really a problem (Score:4)
A Java based exploit can turn netscape browser into a server.
That oughta last about 3 seconds until Java locks up the netscape process.
Most Windows people have no idea how pathetically unstable Java for linux is.
Re:netscape server obsolete? (Score:2)
I put a Mozilla entry in my lilo.conf once... no one has gotten the joke yet.
That is the stupidest thing I've ever heard. (Score:5)
What a colossal load of absolute crap. First off, I am as pro-open source as anyone else, but this type of fanaticism makes me sick. You're telling me I should use a product that has been essentially forgotten by its creators to further political goals? No frigging way. I loathe Microsoft for everything they stand for, and I don't trust their product as far as I can throw it, but there is no damn way I will use a substandard product just to spite them. I run a weblog and ditched Netscape after losing my seventh article due to an unexpected and completely random bail, so if by switching to a clearly superior product that actually matters to its developers I am nurturing the tool of Satan, then I'm happy to do so.
It's ridiculous statements like yours that give OSS proponants a bad name, because by your own admission, quality of product has absolutely no meaning as long as you're screwing Bill in the process. Since when do OSS pundits argue for the purchase of commercial software like Opera? Sounds like pure politics to me. And guess what, I do develop for IE more than anything else simply because the viable alternatives either expect me to shell out hard earned cash I don't have, or have neglected the product to the point of borderline uselessness. Opera makes a great browser that nobody will ever know about because it's commercial software with free alternatives.
Netscape's outright loss in the web browser war has less to do with Microsoft's monopoly than it does AOL's complete neglect of a once desirable product, and if NS6 PR1 is any indication, nothing has changed. Standards compliance means precisely jack if the damn thing is slow, crashy or just plain unusable for any combination of reasons.
I hope you enjoy playing politician while the vast majority make choices based upon quality of product.
The Napster replacement...and just in time! (Score:2)
Potential Linux-User Mail Virus (Score:2)
(of course, us Mutt or Elm users are still safe *grin*)
--
FRED MOODY SAYS... (Score:2)
Re:Works also with blackdown Java plugin (Score:2)
Having said that, I wish there was a way to make the Blackdown Java Plugin replace the JVM that Netscape ships.
Here's why it works (Score:5)
The first problem is that Netscape's SecurityManager does not throw a SecurityExecption when the BOServerSocket constructor creates a java.net.ServerSocket. Here's the exception thrown in IE:
*******************************
com.ms.security.SecurityExceptionEx[BOServerSoc
at com/ms/security/permissions/NetIOPermission.check
at com/ms/security/PolicyEngine.deepCheck
at com/ms/security/PolicyEngine.checkPermission
at com/ms/security/StandardSecurityManager.chk
at com/ms/security/StandardSecurityManager.checkList
at java/net/ServerSocket.
at java/net/ServerSocket.
at BOServerSocket.
at BOHTTPD.init
at com/ms/applet/AppletPanel.securedCall0
at com/ms/applet/AppletPanel.securedCall
at com/ms/applet/AppletPanel.processSentEvent
at com/ms/applet/AppletPanel.processSentEvent
at com/ms/applet/AppletPanel.run
at java/lang/Thread.run
***********************************
After the ServerSocket is created, a SecurityException _is_ thrown whenever the BOServerSocket calls implAccept, but this Exception is easily caught. Also, by the time the Exception is thrown, the damage is already done. Here's the Exception:
************************************
netscape.security.AppletSecurityException: security.Couldn't connect to '127.0.0.1' with origin from '216.61.198.249'.
at java.lang.Throwable.(Compiled Code)
at java.lang.Exception.(Compiled Code)
at java.lang.RuntimeException.(Compiled Code)
at java.lang.SecurityException.(Compiled Code)
at netscape.security.AppletSecurityException.(Compil
at netscape.security.AppletSecurityException.(Compil
at netscape.security.AppletSecurity.checkConnect(Com
at netscape.security.AppletSecurity.checkConnect(Com
at netscape.security.AppletSecurity.checkConnect(Com
at netscape.security.AppletSecurity.checkAccept(Comp
at java.lang.SecurityManager.checkAccept(Compiled Code)
* at java.net.ServerSocket.implAccept(Compiled Code)
at BOServerSocket.accept_any(Compiled Code)
at BOHTTPD.run(Compiled Code) at java.lang.Thread.run(Compiled Code)
************************************
So, to recap: 1) Netscape does not throw a SecurityException when a ServerSocket is created in BOServerSocket., and 2) the connection is made by the time the exception is thrown in ServerSocket.implAccept().
#1 is Netscape's fault. They haven't implemented their security policies correctly, specifically that a ServerSocket can't listen on a port in an unsecure applet. #2 is definately Sun's fault because the SecurityException can easily be circumvented by overloading Socket.close().
Bravo to the grey hat for finding this!
Re:So who would run Netscape as root? (Score:3)
enough to do that, right? Well... maybe Red Hat users.
Actually, netscape is used as the UI to a number of sysadmin utils including up2date. (And, yes, it does run netscape as root.)
NFS (Score:3)
Re:Netscape hasn't been any good for the last 5 ye (Score:2)
oh damn! (Score:2)
Re:My preemptive Java-doesn't-suck post (Score:2)
Huh? What is "untrusted software"???
Do you "trust" code you find on rpmfind.net?
Do you "trust" code you download from sourceforge?
There is no such thing as "trusted" and "untrusted" code, so get over it. The closest you are going to come is open source, where the chances of a whistleblower making a call on bad software is substantially higher.
As for alternate methods for running so called "untrusted" code, there are many approahces outside of sandbox models, including ML's proof-carrying approach (yes, I actually read one of the essays Tom7 keeps linking to).