[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Please send cash
Yo Fred, nobody said you wer not right on the money, just that these issues
clearly have fixes and are part and parcel to a pre-adolesencent product,
not a mature one.
Yes, you get two points for posting the bug report, but lose one for
soap-boxing about the woes of the product in general... Keep up the good
work, just drop the proslitizing and we all wouldn't mind hearing your rap.
BTW - If your or your friends are up for a game of speed-chess... I'm
willing, I used to be *rated* until I dropped off the circuit a few years
ago... Winged Benoni, Classical Ruy, or maybe an Accellerated Dragon (for
those who play the black)... I won't even charge you the nominal 5$ fee...
>I just picked this up from the Risks forum:
>> Date: Mon, 30 Oct 1995 16:14:59 -0500
>> From: Drew Dean <[email protected]>
>> Subject: HotJava 1.0 alpha 3 security issues
>> We have found several security problems in the 1.0 alpha 3 release of
>> HotJava from Sun Microsystems. The two most important problems are that
>> HotJava does not enforce the stated limits on where an applet can connect to
>> (an applet can talk to any place with which you have IP-level connectivity),
>> and HotJava is vulnerable to a man-in-the-middle attack, where someone can
>> watch your web-surfing, both seeing your requests, and the content that you
>Two of the Java attacks I outlined in this forum and got abuse for.
>> While HotJava prevents applets from actively opening connections that
>> violate the user-selected security policy, it allows an applet to accept
>> connections from anywhere. At this point, an applet only has to use any one
>> of a number of channels to communicate where it is, and have the remote end
>> do the active open.
>> HotJava also allows an applet to set the proxy servers that the browser
>> uses. This opens up a huge hole for anyone concerned about the privacy of
>> their web surfing.
>Attacks 31-49 work here.
>> Please note that these bugs are specific to the 1.0 alpha 3 release, and are
>> _not_ bugs in the Java language itself, nor do they apply to Netscape 2.0
>> beta 1J, which doesn't permit network connections. We have notified Sun of
>> these problems, and are presently writing a paper on these and other issues.
>> We will make more information available on our Web page after we hear back
>> from Sun.
>Drat - Sun doesn't offer awards.
>> Drew Dean Dan Wallach
>> [email protected] [email protected]
>Inquiring minds want to know.
>-> See: Info-Sec Heaven at URL http://all.net
>Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
T. S. Glassey
Looking Glass Technologies
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----