Black Widow Java Virus in Netscape 2+

Author: Romuald Zylla, Lodz Tech.Univ. Poland (zylla_at_lodz1.p.lodz.pl)
Date: Wed 15 May 1996 - 20:10:25 MET DST


This information may be useful to people using Netscape 2 and later.
Everyone else can discard it after reading the header.

I am sending it because I have not seen this warning on the Polish lists.
My apologies to those using a modem from home - the material is long.

Romek
============================================
From: Piotr Walczak <piwa_at_loxinfo.co.th>
Organization: Best Computer Clinic
X-Mailer: Mozilla 2.0 (Win95; I)
Mime-Version: 1.0
To: cefe1_at_loxinfo.co.th, "Ian Glynn Halstead, Cairn Energy Far East"

>From festival_at_cybergate.net Fri May 10 18:48:11 1996
Received: from nemesis.cybergate.net by nadc.nadc.navy.mil via ESMTP
(950215.SGI.8.6.10/940806.NAWC-AD)
        for <dashiell_at_nadc.nadc.navy.mil> id SAA01373; Fri, 10 May 1996
18:47:56 -0400
Received: (from bin_at_localhost) by nemesis.cybergate.net (8.6.12/8.6.12) id
SAA13271 for dashiell_at_nadc.nadc.navy.mil; Fri, 10 May 1996 18:46:26 GMT
Date: Fri, 10 May 1996 18:46:26 GMT
Message-Id: <199605101846.SAA13271_at_nemesis.cybergate.net>
From: mshea47_at_aol.com
To: festival_at_cybergate.net
Subject: Fwd: Netscape JAVA problem AND VIRUSES
Status: R

>URGENT! URGENT! URGENT! URGENT! URGENT! URGENT!

>WHAT IS THE PROBLEM -- A hostile Java applet is stalking the World Wide
>Web. It is a Black Widow Java called JAVA. Princeton University
>Researchers have found hostile java applets on the World Wide Web. They
>reside on web sites set up with a malicious intent, and are downloaded and
>executed automatically when an innocent user visits that site.

>WHAT IT COULD DO -- These Java applets are programs that can destroy
>data on your hard drive and interfere with our network. They may even
>upload sensitive material to a third party.

>WHO DOES THIS APPLY TO -- This applies to all users using Netscape
>Navigator 2.0 or Netscape Navigator 2.01.

>HOW TO PROTECT YOURSELVES -- The Computer Emergency Response Team (CERT)
>staff recommends disabling Java in Netscape Navigator 2.0 or Netscape
>Navigator 2.01 until patches are available.

>WHEN SHOULD THIS BE DONE -- AS SOON AS POSSIBLE!!!!

>INSTRUCTIONS ON DISABLING JAVA IN NETSCAPE
>1. Open Netscape Navigator.
>2. Pull down the Help menu.
>3. Click on About Netscape.
>4. Check to see if you have version 2.0 or 2.01. If so, continue with
> the next step. If not, then you cannot be affected by the Hostile Java.
>5. Pull down the Options menu.
>6. Click on Security Preferences.
>7. Under General, place an "X" in the Disable Java and the
> Disable Java Script box in the Java window.

>This is a short term solution. The Helpdesk is in the process of testing
>Netscape Navigator 2.02, which is supposed to contain the fix, as a permanent
>solution.

---------------------
Forwarded message:
From: cochrane_at_tis.com (Pam Cochrane)
To: mshea47_at_aol.com
Date: 96-05-10 11:51:20 EDT

We have discovered a serious security problem with Netscape Navigator's 2.0
Java implementation. (The problem is also present in the 1.0 release of the
Java Development Kit from Sun.) An applet is normally allowed to connect
only to the host from which it was loaded. However, this restriction is not
properly enforced. A malicious applet can open a connection to an arbitrary
host on the Internet. At this point, bugs in any TCP/IP-based network
service can be exploited. We have implemented (as a proof of concept) an
exploitation of an old sendmail bug.

If the user viewing the applet is behind a firewall, this attack can
be used against any other machine behind the same firewall. The
firewall will fail to defend against attacks on internal networks,
because the attack originates behind the firewall.

The immediate fix for this problem is to disable Java from Netscape's
"Security Preferences" dialog. An HTTP proxy server could also
disable Java applets by refusing to fetch Java ".class" files. We've
sent a more detailed description of this bug to CERT, Sun, and
Netscape.

A second, also serious, bug exists in javap, the bytecode
disassembler. An overly long method name can overflow a stack
allocated buffer, potentially causing arbitrary native code to be
executed. The problem is an unchecked sprintf() call, just like the
syslog(3) problem last year. Many such bugs were in the alpha 3
release's runtime, but were carefully fixed in the beta release. The
disassembler bug apparently slipped through. This attack only works
on users who disassemble applets. The fix is to not run javap until
Sun releases a patch.

Note that we've only had success in exploiting the first flaw on an SGI.
Windows 95 and DEC Alpha versions of Netscape have other bugs in their
socket implementations that make it harder (although not necessarily
impossible) to exploit the problem. This is the second time that unrelated
implementation bugs have prevented us from demonstrating security problems
in Java.

http://www.cs.princeton.edu/~ddean/java will contain more information
soon, including a revised version of our paper, to appear in the 1996
IEEE Symposium on Security and Privacy.

Drew Dean <ddean_at_cs.princeton.edu>
Ed Felten <felten_at_cs.princeton.edu>
Dan Wallach <dwallach_at_cs.princeton.edu>
  Department of Computer Science, Princeton University

For more information, please contact Ed Felten, 609-258-5906, FAX
609-258-1771.

- ------- End of Forwarded Message
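
Added example, not part of the forwarded message and not javap's source: the unchecked sprintf() pattern the message names, beside a bounded version that rejects an overlong method name. The function names, the "Method %s()" format and the 64-byte buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { LINE_BUF = 64 };            /* hypothetical fixed buffer size */

/* BEFORE: the bug class the message names. sprintf() writes as many bytes
 * as the name needs, whatever the size of `out`. Kept for contrast only. */
void format_method_unchecked(char out[LINE_BUF], const char *name)
{
    sprintf(out, "Method %s()", name);
}

/* AFTER: bounded write plus an explicit check of the length snprintf()
 * reports. Returns 0 on success, -1 if the name does not fit. */
int format_method_checked(char *out, size_t out_len, const char *name)
{
    if (out == NULL || out_len == 0 || name == NULL)
        return -1;
    int n = snprintf(out, out_len, "Method %s()", name);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';             /* reject, do not print a truncated name */
        return -1;
    }
    return 0;
}

/* Constructed input: a 299-byte method name aimed at a 64-byte buffer that
 * is followed by guard bytes. Returns 1 if the name is rejected and the
 * guard bytes are untouched. */
int overlong_name_is_rejected(void)
{
    struct { char line[LINE_BUF]; unsigned char guard[8]; } s;
    char name[300];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    memset(s.guard, 0x5A, sizeof s.guard);
    int rc = format_method_checked(s.line, sizeof s.line, name);
    for (size_t i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0x5A)
            return 0;
    return rc == -1 && s.line[0] == '\0';
}

int main(void)
{
    char line[LINE_BUF];
    if (format_method_checked(line, sizeof line, "paint") == 0)
        puts(line);
    printf("overlong name rejected: %d\n", overlong_name_is_rejected());
    return 0;
}
```

The return value of snprintf() is the length the full output would have had, so comparing it with the buffer size detects truncation without a separate strlen() on untrusted input.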

>From coxe Thu Mar 28 16:03:06 1996

        It has come to our attention that viewing JAVA enhanced WEB pages may
        have some severe security risks. Because of this we are asking that
        all users disable JAVA support on their WEB browsers.

        Netscape 2.0 users can find this option under:
                        Options -
                        Security Preferences -
                        Disable JAVA.

        Netscape 1.22 users do not need to do anything as this version does
        not support JAVA.

        If you have any questions or concerns please E-Mail SysAdmin.
        Enclosed is a copy of a CNN post regarding the potential problem.

                                                Russ Coxe
                                                coxe_at_tis.com
<><><><><><><><><>

                     SUN MICROSYSTEMS ADMITS FLAW IN JAVA

   March 25, 1996
   Web posted at: 9:30 a.m. EST

   NEW YORK (CNNfn) - Princeton University researchers have discovered a
   major flaw in Sun Microsystems' popular Java software, allowing
   hackers to destroy files or damage any personal computer that uses
   Netscape Communication Corp.'s Navigator Web browser.

   The Wall Street Journal reported Tuesday that Sun admitted to
   the "serious bug," which the company said it plans to soon fix.

   Mountain View, Calif.-based Sun originally touted Java as a secure
   language, but the latest discovery follows at least two other similar
   findings.

   According to Princeton researchers, the latest problem would allow
   inventive hackers to boobytrap a Web page on the Internet.

   When a user searched the page, the hacker could seize control of the
   consumer's PC and read or delete hard drive files. "The consequences
   of this flaw are as bad as they can be," said Edward Felten, a
   Princeton assistant professor.

   Researchers say Netscape Navigator, the world's most popular
   Web-browsing software, is vulnerable because it uses Java. Java allows
   a Web browser to create tiny programs that transfer data from the Web
   to a PC.

   The issue of Web security plays a paramount role in opening the
   Internet to new users who might feel uncomfortable transferring
   personal information and credit card numbers without security
   guarantees.

   The Journal said researchers notified Sun of the latest problem on
   Friday. A company spokeswoman said Sun is testing a remedy to the flaw
   and will distribute it to Netscape and other Java users in about two
   days.

   A Netscape spokesman said the company will in turn distribute updated
   versions of the company's Web browser to customers. "We plan to fix it
   and get it out to our customers as fast as we can," Jeff Treuhaft, a
   Netscape product manager, told the newspaper.

   Separately, the Journal reported that Sun will introduce products
   Tuesday designed to service so-called "intranets." Intranets are
   Internet-like entities that let companies create inter-office Web
   pages and use electronic mail. An intranet site is not accessible from
   outside the company without special authorization.

   The newspaper said Sun, a fast-growing maker of workstations and
   servers that build Web sites, will offer companies a range of products
   from a kit used to write the company's Java programming language to a
   Web-page publishing kit.

   Steve Milunovich, an analyst at Morgan Stanley, told the Journal that
   Sun is probably entering the intranet market to boost sales of its
   mainline workstations and computer network servers.

// EOJ
jude <dashiell_at_nadc.nadc.navy.mil>
Q: What's the difference between a used car salesman and a used computer
salesman?
A: The used car salesman knows when he's lying to you.



This archive was generated by hypermail 2.1.7 : Tue 18 May 2004 - 12:43:59 MET DST