MokaByte
Number 04 - January 1997
J.P. Thiel
Security Vulnerabilities Created by Java Applets

Java applets are Java programs that are loaded automatically onto your computer and run when you click an icon in a Java-based application. Web links that run applets look like any other browser selection, so you cannot tell whether you are running an applet or not. Java must be enabled in your Web browser for these applets to run at all. Java applets are a security vulnerability when used with Netscape Web browsers of version 2.01 and earlier; Netscape beta releases are secure only from beta 6 onward.

Using Netscape to access a Web site and selecting a hostile Java applet causes the applet to run on the user's machine. The user may be told the applet will do one thing, when its actual function is something entirely different.
Some documented attacks involve these concepts:

Browser side
- Denial of service. In one demonstrated attack the applet took control of the user's screen, painting large black windows so that the rest of the screen could not be reached, and then displayed a fake name/password box in an attempt to capture the user's ID and password.
- Freezing the browser by consuming all available resources.
- Introduction of a Trojan horse: a program which masquerades as one thing but additionally hides a program with another function.
- Introduction of viruses onto the user's machine.
- Collection of information about you, your computer, or any private data, and transmission of it to a destination where the attacker stores it.
- Redirection of your access requests through the attacker, so that all your requests for service or information pass through the attacker's machine.
- Consumption of your bandwidth with huge downloads of information.

Attacks are less likely to occur on the server side, but some have been reported in "50 Ways to Attack Your World Wide Web Site" by Dr. Frederick Cohen, in the December 1995 issue of Computer Security Alert.

Server side
- Crash Web services.
- Overrun input buffers, placing arbitrary characters into the executable code of the server.
- Corrupt server information.
- Open up an unlimited set of IP services operating within TCP port 80.
- Set up the attacked server as a springboard for future attacks, directed either at external hosts or inward at internal hosts.
- Obtain password files, destroy audit records, change access lists.
- Crash the server.
- Rewrite a home page to read as the attacker wants it.
- Intercept system use logs and private encryption keys.
What you can do to avoid these problems

- Avoid using Netscape versions 2.01 and earlier, and beta versions 5 and earlier.
- If you are designing a network with access to the Internet, investigate, purchase and install a firewall. A firewall can help mediate your communications with the Internet.
- Avoid, or be careful with, known hostile Web sites, which may or may not declare themselves. Two known sites hosting denial-of-service applets are:
  http://www.math.gatech.edu/~mladue/HostileApplets.html
  http://whenever.cs.berkeley.edu/graffiti
  A collection of hostile applets can also be found on the "Hostile Applets Home Page". Another source is DigiCrime. These pages carry many examples of browser attacks, too numerous to list here.
- Avoid known hacker sites. Many of these sites are unpredictable, and information may be collected about the users visiting them.
- If you can avoid using Java applets, do so: turn off the Java enabled switch in your browser.
Enhancements and Fixes

A comprehensive list of Java bugs and hostile applets, together with their associated fixes and patches, can be found on the Sun JavaSoft page at http://www.sun.com (search under "Frequently Asked Questions - Applet Security").

Another good source of information is http://www.cs.princeton.edu. Princeton has been at the forefront of discovering problems with Java applets, running tests in its labs, and coming up with fixes and patches, as part of a six-month-long Java evaluation project. Their first finding was a security loophole involving the Domain Name System and Java, which was fixed with the release of Java 1.0.1. Princeton researchers have also demonstrated attacks such as a loophole in the bytecode verifier that enables a hostile applet, downloaded over the Internet, to break out of Java's security restrictions and attack the user's local system files. They demonstrated it with an applet that, once downloaded, generated native machine code on a Silicon Graphics workstation and used it to issue a system call directly, bypassing the Java sandbox.
Digital Signatures and Encryption

Sun has been working on class libraries that let Java applet developers integrate support for digital signatures as a way of further securing the technology. They support digital signatures not only for certifying an applet's origin, but also as a way of managing applets. A great deal of work is being done in this area. The company Applix uses the Security APIs to verify user identities so that its spreadsheet grants users access to the appropriate level of company proprietary data; a mechanism based on a user ID and password is in place now, and the cryptography part of the Security APIs will allow Applix to move to digital keys and signatures, so that customers can feel more secure. The cryptography API includes digital signatures, encryption, and authentication. The Security API set was designed in layers so that cryptography experts can write security packages that build on it. Related APIs include the Commerce API, which, according to JavaSoft, allows customers to make secure purchases over the WWW; payment processing and a shopping-cart function are among its features.
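As an added example (not code from this article, from JavaSoft or from Applix), here is what "certifying an applet's origin" with a digital signature comes down to in the java.security Signature API: the publisher signs the applet's class bytes with a private key, and the browser side verifies them against the publisher's public key before trusting the code. The applet bytes below are a constructed placeholder string rather than real bytecode, both key pairs are generated on the spot, and SHA256withRSA is a modern algorithm choice standing in for the DSA-based signing of the original Security API; the class name AppletSignatureDemo and the helper names sign and verify are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;

public class AppletSignatureDemo {

    // Constructed stand-in for an applet's .class bytes (not real bytecode).
    static final byte[] APPLET_BYTES =
        "class HelloApplet { /* hypothetical applet code */ }".getBytes(StandardCharsets.UTF_8);

    // Publisher side: sign the exact bytes that will be shipped to the browser.
    static byte[] sign(PrivateKey key, byte[] code) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA"); // modern algorithm, assumed here
        s.initSign(key);
        s.update(code);
        return s.sign();
    }

    // Browser side: verify the received bytes against the publisher's public key.
    // Returns true only if the bytes are unchanged AND were signed by the matching private key.
    static boolean verify(PublicKey key, byte[] code, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(code);
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048, new SecureRandom());
        KeyPair publisher = gen.generateKeyPair(); // the applet author's key pair
        KeyPair attacker  = gen.generateKeyPair(); // some other party's key pair

        byte[] sig = sign(publisher.getPrivate(), APPLET_BYTES);

        // 1. Untouched applet, checked with the publisher's public key: accepted.
        System.out.println("untouched applet, publisher key: "
            + verify(publisher.getPublic(), APPLET_BYTES, sig));

        // 2. A Trojaned copy: even a one-bit change to the code invalidates the signature.
        byte[] tampered = APPLET_BYTES.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered applet, publisher key:  "
            + verify(publisher.getPublic(), tampered, sig));

        // 3. An impostor: the same signature does not verify under anyone else's public key.
        System.out.println("untouched applet, wrong key:     "
            + verify(attacker.getPublic(), APPLET_BYTES, sig));
    }
}
```

Compile with javac and run the class; only the first check succeeds, while the tampered copy and the check against the wrong public key both fail. Keep in mind what the signature does and does not establish: it binds the bytes to a key the publisher controls, so a Trojaned copy or an applet from an impostor cannot pass, but it says nothing about whether the signed code is itself safe to run. Deciding which publishers' keys to trust is a separate policy question that the browser or the user still has to answer.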
J.P. Thiel is a Computer Security Analyst with a large aerospace company. His background is in Communications, System Security Administration, and Computer Security. He enjoys backpacking in the Sierra Nevada mountains and is an avid NFL (National Football League) Dallas Cowboys fan.