Java Security Risks

A number of computer security specialists have some advice for fans of Java and JavaScript -- the hot, heavily hyped tools that put the spit and pop on the World Wide Web.

Turn it off, before you hurt yourself.

It is an unpopular opinion. Asking several million users of Netscape Navigator to give up their Java-enhanced Web pages is a lot like asking people to go back to black and white television. Java is supposed to help make the Web truly interactive. Java-based software applications will allow TV programmers to send interactive Web content in real time simultaneously with video feeds over the Internet, for example, for those who care about such things. But most current applications are tiny. Little Java applications, known as applets, are everywhere. Before Java, a designer could put a picture of a bear on the Web. Now, a programmer can write an applet and put a singing, dancing bear on a Web page.

The problem is, that same singing, dancing bear can be programmed to crash your computer, steal your personal information and passwords and cover its tracks when it leaves.

Netscape and Sun Microsystems, the two companies with the most riding on Java, have reacted aggressively and responsibly in the past when security "bugs" have been diagnosed from the outside; fixes have been available, for free, within days.

But they have been relatively quiet lately as questions have been raised about Java "features" being exploited by hackers. Last week, Online Business Consultants Inc., which caters to high-paying business customers, issued an all-points bulletin on the Internet calling Java "a deadly Black Widow on the Web." "Don't trust Java online," was the OBC message. "That's the message from computer and Internet security watchdogs, in response to reports that 'hostile' Java applets are stalking the WWW. These malicious applets can destroy data, interfere with corporate communications networks, and gain access to sensitive data."

The report caused scarcely a ripple in the media, even with the doomsday warning that "countless millions of World Wide Web users have no idea they are at serious risk." OBC said neither Sun nor Netscape would comment on its report. One of the reasons OBC may have been ignored, according to Josh Quittner, an editor at Pathfinder, Time/Warner's mega-site on the Web, is that OBC's main source, the National Computer Security Association, has a reputation for being alarmist.

"I've yet to hear of any damage by a rogue Java applet and think this is wildly overblown," said Quittner in an e-mail message. "'Course, I've been wrong before."

On the other hand, the folks at HotWired, the electronic arm of the Wired magazine publishing empire, apparently take the problem seriously. An inquiry there brought back the response: "Yes, we do know of this, you can disable Java through your Security Preferences in Netscape (which I do.)"

So what's a poor home cybernaut to do?

"I knew there were problems with Java, but I had no idea they were this bad," said Dave Lefter, head of Advanced Publishing and Design, a Web publishing company in Connecticut. Lefter is polishing a new commercial Internet site with the domain name "ctevents.com." Scheduled to open late this month, the site will feature hundreds of discussion areas for Connecticut residents on the Web and up-to-date listings of community goings-on around the state.

Lefter has disabled Java on his own browser.

Web worrywarts can evaluate the danger for themselves, if they don't mind using their computers as the equivalents of crash-test dummies. Mark LaDue, a Ph.D. candidate at Georgia Tech's School of Mathematics with experience in computer security, has put up a "Hostile Applets" Home Page (http://www.math.gatech.edu/~mladue/HostileApplets.html) to demonstrate some of the milder havoc a misanthropic programmer can wreak.

"Far too many people are simply interested in pleasant little applets that do cute and friendly things," said LaDue. "A lot of serious security people have entirely written off applets as unsafe.

"We hear announcements that applets have done this, and Sun and Netscape have fixed everything once again, but we never get to see many real examples. I put up my collection of hostile applets to call attention to this situation. You can see them, play with them, tinker with the source code and see how easy it is to create your own. That might make the Web a little unsafer for a while, but in the longer term it should make it safer -- either browsers will be made more secure, or people will steer clear of applets."

LaDue's samples can:

* Annoy you with a very noisy bear who refuses to be quiet
* Bring a browser to a grinding halt
* Make a browser start "barking" and then exit
* Attack a workstation with big windows, wasteful calculations, and more noise, effectively keeping users from controlling their own computers
* Pop up an untrusted applet window minus the warning and ask for a login and password
* Forge electronic mail
* Obtain a user name and password

Another set of mischievous JavaScripts can be found at the tongue-planted-firmly-in-cheek site of Digicrime, Inc. (http://www.digicrime.com), home of the "Internet Shoplifting Network" and sundry other spoofs of electronic life in the '90s. Put together by computer security professionals, the pages warn users away from certain links and pull no punches with the overcurious -- yes, this page can crash a user's system almost instantly.

The Java skeptics are locking arms and standing in the path of a commercial tidal wave: the growth of the Internet demanded new programming tools, experts say, and Java was in the right place at the right time. Netscape has hitched its star to Java, forcing Microsoft to do the same. In fact, Java functionality will be embedded in the operating systems of most new computers by next year.

Is it safe? Sun and Netscape seem to be convinced that they can fix any problems on the fly. Lisa Poulson, spokesperson for the Sun division JavaSoft, said the company is preparing a response to the Hostile Applets home page. Most of the issues raised in the OBC report, she said, have been or are currently being addressed by Sun.

Last Thursday, Sun announced that a patch would soon be available for a Java bug found in March by three Princeton scientists. Sun said one of the reasons it published the source code for the Java language on the Web was to encourage computer users to look for flaws, which was what the Princeton team set out to do. But the Princeton team said the flaw they found was the latest of three separate Java security flaws they had uncovered. The trio plans to publish the results of their tests at the end of this month.

Scott McNealy, Sun's chief executive officer, said the company takes any security issue seriously.

"We'll make mistakes and application vendors will make mistakes. We'll have to correct them," he said to the media after a new Internet product introduction in New York.

Security issues with both Java and JavaScript can and will be resolved, Sun and Netscape officials say, by the best and the brightest engineers, who are flocking to work at the cutting edge of Internet technology, and the millions who are cruising the 'Net have nothing to worry about.

Unless they're Mark LaDue.

"There's not a quick fix here," he commented. "The problem is that my hostile applets play by the official rules. They don't depend upon flaws in the implementation and they don't exploit weaknesses in other programs. Consequently, any problems that they create are not going to disappear without fundamental changes in the language.

"Until that happens, people who view applets will have to assess the risks and act accordingly."

Or, as the folks at Digicrime say regarding Java and JavaScript: "Be Afraid. Be Very Afraid."
