ML> BC>A Java applet, that lands on your machine, does NOT have the ability
ML> >to read your disk drive, let alone write to your drive. A bug free
ML> >Java Virtual Machine, running on your machine, will not allow the
ML> >downloaded applet code to do any reading or writing to your drive(s).
Thanks for the reply Murray......
ML> If you believe that, you are a prime prospect to buy the Brooklyn
ML> Bridge :-).
Well, I am looking at some homestead land in Central Park,
but if the price is right, I can envision a nice bridge for
da family. 8-). I am still standing by my statements...
that is, until I read that book that you quoted. But if
that book is saying that a Java applet can "diddle" my
system due to missing features or bugs in the Virtual
Machine then my point is valid. That is, a Java applet
(not a Java application, but an applet) cannot INHERENTLY
(like a piece of C code can INHERENTLY) diddle my system.
ML>Among the other problems with the overly
ML> hyped Java Security system: the enforcement responsibility
ML> is divided between the group that wrote the javac
ML> compiler, the group that wrote the "virtual machine"
ML> software for your particular hardware, and the group that
ML> wrote the Java-enabled Browser. The primary onus for
ML> safety is on the browser writer!
You mean that my Netscape/2 browser, and not the VM, is
preventing a Java applet from writing to my drive?
OK, I guess this is where I get to buy that bridge...but before I do, I sure
would like to see some of that "malicious" applet code that
"anyone" can write.
ML> Only "hostile" Applets can diddle with your data,
ML> and the people who
ML> write Java-enabled browsers work overtime to plug the
ML> holes in the Java security system every time a new hole is
ML> discovered. But anyone can write "malicious" Applets
ML> (there is nothing in the rules to prevent them!) that will
ML> take over all the resources of your system.
I agree that you can put statements into a Java applet
that could overwrite my root directory with, say, GIFs of
Smurfs. But my question is, will my IBM-written Virtual
Machine allow it to happen without first asking my
permission?
The book "Client/Server Programming with Java and CORBA"
ISBN 0-471-16351-1 page 33 lists the 5 "Java Defense System"
checks for downloaded applets. If the virtual machine
follows these "rules" then I am at a loss as to how my machine
is vulnerable. I would like to further say... that the goof
who wrote and launched a "malicious" applet made it
"malicious" because he was able to exploit a particular
"hole" in a particular version of a particular JVM. I would
think this would entail some very detailed cracking of that
JVM, AND the applet had better land on that particular JVM in
order to wreak destruction. Does the book you quoted reaffirm
my statement, or am I completely missing something? To prove
that "anyone" can write a malicious applet can someone please
send me one or point me to somewhere on the Web where I can
download one (I'll take my chances on blowing out my system).
Source code would be nice. I have heard of downloads from
the Web for malicious ActiveX components. So if there are
rogue applets being made there should be web sites that
are demonstrating them.
ML> See the book JAVA SECURITY (ISBN 0-471-17842X)
ML> for a description of
ML> "hostile" and "malicious" Applets.
Thanks for the reference to the book, Murray......I am going
to get a copy. Can anyone direct me to any newsgroups that
are following these happenings?
ML>As that book points
ML> out, the only protection against dangerous Java Applets is
ML> to never link to an "insecure" web site with a
ML> Java-enabled browser. For all practical
ML> purposes, the definition of a "secure" web site is one
ML> for which you can personally vouch for the integrity of
ML> its owner.
From what you have written I would say that the gist of the
book is that the implementors of the VMs are not doing their
jobs in implementing the Java specs. If that is the only
security flaw then I will live with it. If not, please pass
the other flaw(s) on. Thanks
TTFN Bill
Internet address: wchriste@sk.sympatico.ca
___
X KWQ/2 1.2i X You can tell a real programmer by the keyboard dents in his
foreh
--- Maximus/2 2.02
---------------
* Origin: OS/2 Shareware BBS, telnet://bbs.os2bbs.com (1:109/347)
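The split of responsibility that Murray describes (the VM only consults a policy; the host program, i.e. the browser, decides whether downloaded code may touch files) can be seen in a small Java program. The following is an added example for this thread, not code from either poster or from the books cited. The class names AppletSandboxDemo and HostPolicy are invented for the demo. It assumes a JDK on which a SecurityManager can still be installed (JDK 17 or earlier, or JDK 18+ started with -Djava.security.manager=allow); the "5 Java Defense System" checks from the book are not reproduced here, only the host-installed file-access policy.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.FileWriter;
import java.io.IOException;
import java.security.Permission;

// Hypothetical demo: the host (the "browser" in the thread) decides what
// downloaded code may touch by installing a SecurityManager. The JVM only
// consults it; if the host installs none, nothing stops a file write.
public class AppletSandboxDemo {

    // Marks the current thread as running "applet" (untrusted) code.
    static final ThreadLocal<Boolean> UNTRUSTED =
            ThreadLocal.withInitial(() -> Boolean.FALSE);

    // Host policy: deny every file permission to untrusted code, allow the rest.
    static final class HostPolicy extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (UNTRUSTED.get() && perm instanceof FilePermission) {
                throw new SecurityException("applet code denied " + perm);
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // Attempts to write to target; returns true on success, false if the
    // host policy refused. FileWriter opens a FileOutputStream, which calls
    // SecurityManager.checkWrite, which in turn checks a FilePermission.
    static boolean tryWrite(File target, boolean asApplet) throws IOException {
        UNTRUSTED.set(asApplet);
        try (FileWriter w = new FileWriter(target)) {
            w.write("written by " + (asApplet ? "applet" : "application") + "\n");
            return true;
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
            return false;
        } finally {
            UNTRUSTED.set(Boolean.FALSE);
        }
    }

    public static void main(String[] args) throws IOException {
        File target = File.createTempFile("sandbox-demo", ".txt");
        target.deleteOnExit();

        // 1. No SecurityManager installed: the "applet" write succeeds.
        System.out.println("no manager, applet write ok: " + tryWrite(target, true));

        // 2. Host installs its policy (the step the thread attributes to the
        //    browser writer). Needs -Djava.security.manager=allow on JDK 18+.
        System.setSecurityManager(new HostPolicy());
        System.out.println("application write ok: " + tryWrite(target, false));
        System.out.println("applet write ok: " + tryWrite(target, true));
    }
}
```

Run with `javac AppletSandboxDemo.java && java AppletSandboxDemo`. The first write goes through because no policy is installed; after the host installs HostPolicy, the "application" write still succeeds while the "applet" write is refused with a SecurityException. The point for the thread: the refusal comes from the policy the host chose to install, not from the bytecode or the VM by itself, which is why a browser that installs a weak or buggy policy leaves the disk reachable even on a correct VM.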