From: lady0065@sable.ox.ac.uk (David Hopwood)
Newsgroups: comp.lang.java
Subject: Java security bug, and the Netscape cache
Date: 8 Mar 1996 05:51:33 GMT
Organization: Oxford University, England
Message-ID: <4hoht5$m9b@news.ox.ac.uk>

[this is a copy of an article also sent to RISKS]

More information on the security bug described in RISKS 17.84 - 86, which can be used to allow Java applets to load native methods without any security restrictions:

The attack normally requires two files to be pre-installed in a directory readable by the client. However, in a previous article, I mentioned that it may be possible to automatically load these files into Netscape's cache. Having done a little more testing, it turns out that this is feasible under Windows 95 and NT (but not under Unix). This version of the attack also makes use of a known bug in JavaScript.

In other words, for Netscape on Win32, it is not necessary for any files to be pre-installed. Applets can run arbitrary code with the permissions of the user, simply by the user viewing an attacker's web page.

The only reliable way to avoid this bug at the moment is to disable Java - in Netscape this is done by selecting 'Disable Java' in Options -> Security Preferences.

David Hopwood
david.hopwood@lmh.ox.ac.uk