JAVA THREAT

The use of Java and JavaScript in HTML pages is constantly on the rise as the number of computer-savvy web developers grows. While firewalls may help to keep a potential hacker at bay, they do not always block Java applets or JavaScript embedded in a web page. Because this active content passes through unchecked, Java and JavaScript can be potentially harmful to your systems.

While Java seems to run in just about any browser, not all browser versions support JavaScript. Both, however, have the ability to cause major harm to an unprepared site. Even worse, the site or host is vulnerable even if the browser is behind a firewall and the document is a "secure" HTTPS-based document. JavaScript programs are executed within the security context of the page from which they were downloaded, and have restricted access to other resources within the browser. Some browsers that run JavaScript may, in turn, have security flaws that allow a JavaScript program to monitor the user's browser more closely than is considered safe or secure. In addition, it may be difficult or impossible for the browser user to determine whether the program is transmitting information back to the web server. For instance, among other functions, JavaScript is able to monitor a user's browser activity by:

The best way to protect your system from the potential harm of JavaScript is to obtain a patch from your browser vendor or upgrade to a version of the browser that is not vulnerable to this problem. If this cannot be done for whatever reason, the next best solution is to disable JavaScript until a patch can be obtained.

To download a patch for Microsoft Internet Explorer 3.* and 4.*, follow this link:

http://www.microsoft.com/windows/ie/security/default.asp

For Netscape Navigator/Communicator versions 2.*, 3.*, and 4.*, go to the following:

http://home.netscape.com/products/security/index.html

With Java, the user may or may not be informed that an applet (an executable Java program embedded in a web page) is being downloaded into their browser. The real shock comes when a user inadvertently downloads a hostile applet (an applet that mounts an attack against the user's system). There are many different things hostile applets can do to wreak havoc on your system. Among the most noteworthy are the following:

Hostile applets have also been known to contact machines behind firewalls, send off a listing of a user's directories, track a user's actions across the web, generate machine code, make directories readable and writeable, and send e-mail without the user's intention.
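Since, as noted above, a firewall does not necessarily strip applets or scripts out of a page, a defender who wants to know which pages carry active content before they reach a browser needs to look inside the HTML. The following scanner is an added example written for this edit; it is not part of the original advisory and not a tool from any of the sites it lists. It uses Python's standard html.parser and reports, with line numbers, the tags that embed Java applets or scripts (script, applet, object, embed), inline event-handler attributes (onload, onclick, and so on), and javascript: URLs. The tag list, the function names and the sample page are all constructed for illustration.

```python
"""Report Java applets and JavaScript in an HTML document.

Added example, not part of the original advisory. The tag list,
function names and SAMPLE_PAGE below are constructed for illustration.
"""
from html.parser import HTMLParser

# Tags that embed applets, plug-in content or script code.
ACTIVE_TAGS = {"script", "applet", "object", "embed"}
# Attribute values with this prefix execute script when followed.
SCRIPT_URL_PREFIX = "javascript:"


class ActiveContentScanner(HTMLParser):
    """Collect every occurrence of active content as (line, kind, detail)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _col = self.getpos()          # 1-based line of the tag
        attr_map = dict(attrs)
        if tag in ACTIVE_TAGS:
            # "src" for <script>/<embed>, "code" for <applet>.
            source = attr_map.get("src") or attr_map.get("code") or ""
            self.findings.append((line, tag, source))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                # Inline event handlers run script without a <script> tag.
                self.findings.append((line, "event-handler", name))
            elif value.lower().startswith(SCRIPT_URL_PREFIX):
                # e.g. href="javascript:..." runs script when clicked.
                self.findings.append((line, "script-url", name))


def scan_html(text):
    """Return the list of (line, kind, detail) findings for an HTML string."""
    scanner = ActiveContentScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


def has_active_content(text):
    """True if the page contains any applet, script, handler or script URL."""
    return bool(scan_html(text))


# Constructed sample page mixing plain content with active content.
SAMPLE_PAGE = """<html><body>
<h1>Quarterly report</h1>
<applet code="Report.class" width="300" height="200"></applet>
<script src="http://example.invalid/track.js"></script>
<img src="logo.gif" onload="alert('loaded')">
<a href="JavaScript:void(0)">link</a>
<p>Plain text paragraph.</p>
</body></html>
"""

if __name__ == "__main__":
    for line, kind, detail in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {kind} {detail}")
```

Run on SAMPLE_PAGE the scanner reports the applet on line 3, the external script on line 4, the onload handler on line 5 and the javascript: link on line 6, while a page of plain paragraphs produces no findings. A proxy or mail gateway could use the same check to flag such pages for review, which is a reasonable compromise when disabling Java and JavaScript outright is not an option.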

The best way to protect yourself against these applets is to disable Java and JavaScript in your browser unless you are visiting a trusted site with known Java or JavaScript code running. For more information on Black Widows, hostile applets, Java, and JavaScript security, visit the following sites:

http://www.math.psu.edu/sibley/java.html

http://www.rstcorp.com/hostile-applets/index.html

http://java.sun.com/sfaq/

http://www.osf.org/~loverso/javascript/

This document was obtained from infosec; no author is mentioned.