Article 1691 of comp.lang.java.security:

In message <32B7F2E8.D23@lmera.ericsson.se> Exjobb Z/TC Anders Larsson Z/TG writes:

> This is a fact:
> It is possible for Java applets to cause availability and
> annoyance attacks, using the latest released (i.e. non-beta)
> versions of Java and Netscape, JDK1.0.2 and NS3.01.
> It also seems like Jim Buzbee has managed to detect files on
> the user's computer, merely by putting an appropriate applet
> on the web page. (http://www.nyx.net/~jbuzbee/filehole.html)
> This is a disclosure attack. Are there more non-attended
> problems concerning integrity and/or disclosure in NS3.01,
> JDK1.0.2?

JDK 1.0.2 has had publicly known security bugs for some time (all the
bugs found in NS 2.0x also apply to JDK 1.0.2, for example). In the case
of NS 3.01, I've signed the standard NDA for Netscape employees, so I
can't give any information about that.

> I consider it a major problem when so many heavy-weight
> companies disable Java completely, not letting Java
> connections through their firewalls. Or, are things starting
> to clear? Are there no more integrity/disclosure related bugs left
> in NS3.01... except for Buzbee's and what is to come when 1.1 gets
> implemented in Netscape? What are your experiences?

> Suggested common vocabulary, introduced by Joseph A. Bank, MIT (1995):

> Integrity Attacks
>   Deletion/Modification of files.
>   Modification of memory currently in use.
>   Killing processes/threads.

I'd categorize killing threads as an availability attack (unless it is
part of a larger attack that affects integrity).

All the other integrity attacks so far have boiled down to one of two
sets of consequences:

  A. the applet can do anything on the client machine with the same
     permissions as the browser.
  B. the applet can connect to arbitrary machines behind a firewall.

A normally includes B, i.e. it is a stronger attack. If you have any
machines running sendmail or using Microsoft networking behind your
firewall, though, B is "enough".

> Disclosure Attacks
>   Mailing information about your machine (i.e. /etc/passwd).
>   Sending personal or company files to an adversary or competitor
>   over the network.

Another point needs to be added to this: in some cases the attacker and
recipient can remain completely anonymous, whereas in others it is
possible to trace where the applet came from.

> Availability Attacks
>   Allocating large amounts of memory.
>   Creating thousands of windows.
>   Creating high priority processes/threads.

These can all be done in HTML (except that threads aren't applicable
there), so there isn't much point in worrying about them being possible
in Java, IMHO. An interesting denial of service attack is a kind of fork
bomb using frames (a page contains two FRAME SRC tags, each of which
points to the original page). After a few seconds this causes Netscape
and IE to take almost 100% CPU usage.

> Annoyance Attacks
>   Displaying obscene pictures on your screen.
>   Playing unwanted sounds over your computer.

Again, these can be done using plain images, RealAudio, Quicktime, AVI
files, etc.

David Hopwood
david.hopwood@lmh.ox.ac.uk, hopwood@zetnet.co.uk
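The recursive-frame denial of service described in the post above, as an added example that is not code from the original article or from Netscape: a constructed two-frame page that points back at itself, a toy model of a browser's frame loader, and the ancestor-URL check that current browsers apply to refuse such recursion. The URL, the page source, the depth cap and the loader itself are assumptions made for illustration; the loader counts frames instead of rendering anything, so it runs offline under Node.

```javascript
// Added example, not from the original post or any browser's code.
// Constructed attacker page: a frameset whose two frames both load the
// page itself (the fork bomb the article describes).  The URL is invented.
const BOMB_URL = 'http://example.test/bomb.html';
const FORK_BOMB_HTML = `
<html><frameset cols="50%,50%">
  <frame src="http://example.test/bomb.html">
  <frame src="http://example.test/bomb.html#copy">
</frameset></html>`;

// Toy "web": the only page that exists is the bomb page.
const PAGES = { [BOMB_URL]: FORK_BOMB_HTML };

// Pull the SRC of every FRAME tag out of a page (case-insensitive, quotes
// optional, as HTML 3.2 permitted).
function frameSources(html) {
  const out = [];
  const re = /<frame\s[^>]*?src\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// A fragment identifier names a position inside the same document, so it
// is stripped before a URL is compared with its ancestors.  Without this
// the second frame above would slip past a naive string comparison.
function normalize(url) {
  return url.split('#')[0];
}

// Model of frame loading.  `ancestors` holds the normalized URLs of the
// frames enclosing this one.  policy.maxDepth caps nesting (frames deeper
// than that are simply not loaded); policy.refuseAncestor, when true,
// refuses a frame whose URL already appears in its own ancestor chain.
// Returns the number of frames that were loaded.
function loadTree(url, policy, ancestors = [], depth = 0) {
  if (depth > policy.maxDepth) return 0;
  const key = normalize(url);
  if (policy.refuseAncestor && ancestors.includes(key)) return 0;
  const html = PAGES[key];
  if (html === undefined) return 0;
  let loaded = 1;
  for (const src of frameSources(html)) {
    loaded += loadTree(src, policy, [...ancestors, key], depth + 1);
  }
  return loaded;
}

// With only a depth cap the tree doubles at every level, so a cap of d
// still loads 2^(d+1) - 1 copies of the page before the browser gives up.
function framesWithDepthCapOnly(maxDepth) {
  return loadTree(BOMB_URL, { maxDepth, refuseAncestor: false });
}

// With the ancestor check, the root loads and both children are refused.
function framesWithAncestorCheck(maxDepth) {
  return loadTree(BOMB_URL, { maxDepth, refuseAncestor: true });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('frames found in bomb page:', frameSources(FORK_BOMB_HTML).length);
  console.log('depth cap 10, no ancestor check:', framesWithDepthCapOnly(10));
  console.log('depth cap 10, ancestor check:  ', framesWithAncestorCheck(10));
}
```

The point of the model is the second frame: it differs from the first only by a fragment, which is enough to defeat an exact-match comparison, so the check has to normalize before comparing. A depth cap alone still does exponential work before it stops, which is why the cap is a backstop rather than the primary defence.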