[ISN] response: hostile java applets

From: <jericho_at_dimensional.com>
Date: Wed 18 Mar 1998 - 20:19:34 CST
From: qu'evin <kevin.v@odyssey.on.ca>
Date: Wed, 18 Mar 1998 20:21:14 -0500
Subject: hostile java applets

> PC Magazine -- January 20, 1998
> Filter Out Misbehavin' Java
> Robert P. Lipschutz
>   <snip>

i was shocked to read that you posted such an article.  java is but one
language interpreted by popular browsers that could be used for an attack.
however, it is probably one of the safest languages for browsers.  it does
not allow for any hd i/o, network i/o (other than to the host it originated
from), etc etc... the only attack would be a DoS (by doing some crazy math
computation, opening new windows, etc).  this type of attack could be
accomplished by any language though, even javascript or vbscript for IE,
and of course activeX, and any other language which allows for browser
control.  in addition, plain html could be used; a prime example is to link
the frame src to itself, thus creating infinite frames ... and in fact,
there exist many more security holes in activeX that do allow for HD
access (i believe you are subscribed to bugtraq so you've no doubt heard of
a few)...

the reason i am writing to you is in hope to educate you about java, and
that of all the languages, it is probably the safest to use. by your
distributing such information to the list (ISN), many users will have the
misinterpretation that java is an insecure, buggy, risky language to allow
to be run.  as you can probably guess, i am a fan of java, but my respect
for it is well founded.

all the best,
qu'evin

-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated
Received on Wed Mar 18 19:26:52 1998