Java Security Hole Makes Netscape Into Web Server
Baldrson and other folks as well write: "Dan Brumleve is at it again with Brown Orifice. In this episode, our fearless grey hat opens a security hole in the Web's foundation that makes Napster look positively tame by comparison. Be careful with this, kids. It turns your Netscape Web browser into a Web server that can serve up your entire file system to any other Web browser."
He saw KPCB's investment in Netscape going down the shitter and orchestrated the purchase through the leverage his firm had with AOL, another KPCB-sponsored firm.
This happens all the time - how the hell do you think a retarded merger like Excite/AtHome ever got off the ground???
Not a troll... just a statement of my observations... I resisted switching to IE for a few years, but I got fed up with all the countless bugs and resource/memory leaks (which were NEVER fixed, even after I properly reported reproducible bugs).
Now this. Netscape's browser was merely a platform to sell Netscape's server software. They only complained about IE when M$ started giving away IIS with NT - and then got really loud when IE surpassed Communicator in features and support (that's right... M$ might have had a few security leaks to fix, but they usually responded swiftly). Netscape often gets a lot less scrutiny compared to M$' browser, too, I might add.
Netscape sucks. A one hit wonder that now ranks below M$ and others in browser and server software.
The web server exploit does not rely on Netscape-specific classes. There are two exploits.
Seastead this.
The Mongrel Dogs Who Teach
2. Make said email client be able to access multiple accounts from the same instance of the client.
This is exactly what Mozilla is doing - you should try M17 which is about to come out in a couple of days.
How well do these stand up under load, and should /. replace Apache? :)
Seriously, I think the biggest issue will be a non-interactive thing that can be emailed to anyone, instead of this consent-to-opening-form thing. Because netscape is only open for a short time, a real proper exploit would have to make an outbound connection to a preset IP to "check-in" that it's available.
--
In point of fact, something of this nature has occurred as previously documented by Dan. It may not be Christian for Dan to fail to endlessly forgive transgressions and abuses of his trust, but then I thought business was about reciprocal altruism, not simply continuing to do favors for those who demonstrate a track record of abusing your trust.
If the force of law is to apply here, would it not make sense to prosecute the responsible parties at CERT, or wherever, if they abuse the professional courtesy extended them by people from around the world (not just in the United States) since, having been granted a unique position of public trust and authority, the abuse of said public trust and authority (for example, failing to respond as their name "emergency response" would suggest) subjects the global public to far greater dangers than a "premature" disclosure by one grey hat?
The grey hats of the world do not exist for the convenience of flabby and possibly corrupt bureaucrats -- nor should the web users of the world have to wait for the flabby and possibly corrupt bureaucrats to possibly notify their corrupt cronies of exploits so that maximum criminal profits may be extracted, whether through plagiarism or direct criminal activity.
Oh, but there I go being paranoid about the government again. ;-)
Seastead this.
Every day I raise up thanks for ipchains(8):
ipchains -A input -l -y -j REJECT
Quick responses to a bunch of people, in no particular order:
plunge (cosym@yahoo.com) wrote:
> That's them creating the most important incentive for the
> future of all: the incentive to try to actually produce
> something superior to everything else. Sorry, but that's
> what counts in the end, and that's where things will end
> up when all is said and done.
gargle wrote:
> You're damn right. I'm voting with every click - voting in
> support of a superior product.
Denial of Service wrote:
> I hope you enjoy playing politician while the vast majority
> make choices based upon quality of product.
(1) A lot of techies don't like to believe this, but you are
essentially stuck living in a political world. You're
deluding yourself if you think you can live your life making
"technical" decisions without any political aspect.
(2) Luckily for my side this particular voting process has
proportional representation built-in, so I don't need "the
vast majority". No sane business throws away even 10% of
its potential market if it can avoid it, so a 90-10 split
between Microsoft and everyone else still leaves room for
standards to win out. At some point -- somewhere above 95%
market share is my guess -- there will be no practical
argument left to shoot down a designer that's itchy to play
with some new toy MS put in the latest IE, and there will be
no pressure left towards standards compliance.
(3) Netscape has far from a perfect record about standards
compliance, but it doesn't matter for this argument, since
I'm not telling you to use Netscape. Lynx, opera, mozilla,
xemacs, whatever. The point is to discourage reliance on
any one single company's proprietary technology (e.g. a
site based on macromedia flash isn't any better than an
IE-only site).
(4) It would be nice to believe that everything boils down
to simple free-market economics, but I've (reluctantly)
become convinced that in the real world, there is no single
simple set of principles that applies universally.
In this particular case, I'm arguing that your conception of
"a quality product" is shallow and short-sighted. When you
buy into a technology, you're getting more than a product,
you're also looking for "services", which means you have to
look to the future and think about everyone's long-term
incentives (as well as look to the past, and think about the
history of the groups involved). In this case, I'm arguing
that the future upgrades you're going to receive, and the
kind of web you're going to have to deal with will be
compromised by what you're buying into in the present.
Beware of Microsoft bearing gifts. What's hard to
understand about this?
I'm guessing it affects Communicator completely in General... and does this mean it's resident in Mozilla too?
Who's the black private dick, who's a sex machine for all the chicks?
Granted, the brown office server source code could be modified to make all of the files on your computer publicly accessible but the "bug" can be potentially useful as well. Well, obviously, it can be a free webserver and ftp server while taking up little more space than netscape itself. I wonder how many other bloatware applications can be exploited to do productive things? Or, how many other uses are there for Netscape? How many different language interpreters does it have? Java, Javascript, HTML, soon XML... Add to that its ability to use plugins, its ability to generate user interfaces on the fly, its internet connectivity, and you have a very rich set of resources to hack into other applications. Still, this is a bug and it can be exploited...
?/o
- Each bookmark is stored as a separate file. This means that I cannot have a bookmark with a colon in it, and I cannot manage them easily -- no sorting, no nice tree dialog like in Netscape. Opera is somewhat better in this area, but I still like Netscape's approach the most.
- Virtually no control over cookies. Accept, deny, confirm. That's about it. At least Netscape lets me deny cookies from another server.
- The history interface sucks. Again, every item is stored as a separate file. There is virtually no provision for sorting. Netscape rules this area.
- Crappy Find dialog. No "Find Next" command without first opening the Find dialog and keeping it open. F3 illogically opens the search-for-files dialog. So much for browser and file manager integration...
Hmm... I've been meaning to put this into some kind of comparison table for a while. Maybe this will get me started.--
Jeesh, I just went through the trouble to install 4.74; pesky executable jpegs. Boy, this makes me want IE through wine, even though I know ceding the browser market to Microsoft will result in ceding the server market.
Somewhere people are betting over which finishes first: Mozilla 1.0 release, or wine progressing well enough to run IE reliably.
Shit! This is not the sort of gamble any serious Freenix or UNIX user would want to take....
I still prefer Netscape to IE: with IE, the lack of security is designed in from the ground up (ActiveX etc.). Netscape at least is based on technologies that can be made secure.
For the time being, you just have to turn off Java and JavaScript.
It might also be worth looking at other ways of removing privileges from a running Netscape. Linux chroot, capabilities, various group hacks, LD_PRELOAD, and ptrace, could all be used to detect and prevent undesirable behavior.
great! i'll email my boss to tell them we don't need that fancy shmansy netscape webserver anymore! it's bundled with communicator
and you people mocked netscape. shows you all.
and i guess with mozilla, they'll be able to completely take over my computer, seeing how it will be an entire platform for doing everything...
shaolin punk, activist post-industrial
Perhaps the reason AOL doesn't care about Netscape is because Netscape sucks. Hard. It's difficult to convince people to use your service when the browser you offer them sucks. Hard.
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
Sorry, but that is incredibly short-sighted. I'm an anti-Microsoft fundamentalist. I don't have any Microsoft products on my machine. But I have to admit that at this moment IE is a better, more stable, more standards-compliant, easier to use browser than anything we've currently got on Linux (except possibly Konqueror, which I hope to try soon). Mozilla M16 is almost as good, but not nearly stable enough.
It's a bad mistake when you're so blinded by your dislike of the opposition that you can't recognise where they actually are doing better stuff than we are.
I'm old enough to remember when discussions on Slashdot were well informed.
He described this as a behavior of the netscape provided classes. Again, this is likely a case of trusted classes being too helpful, not of a total jvm sandbox model breakdown. Is the netscape JVM source available?
If it's any consolation,
Typical java apps tend to have memory leaks or otherwise cause eventual reboots of the os when used with IE.
MS makes great software. If you want a share of the marketplace, then compete by producing better software. Stop whining. In the end, consumers benefit from competition. Expecting consumers to choose your inferior product over a superior product to make some kind of political statement is lame and repulsive.
Case in point: The Mozilla project. If it were not for Microsoft, Netscape would have continued sitting on its ass, churning the 4.x line, and releasing noteworthy enhancements like the "shopping button".
By choosing to use IE, I am placing pressure on the Mozilla team to produce a better product on time. Browser statistics send a very clear message - they know that they cannot rely on any sense of charity from the marketplace. Compete, deliver, or die.
MS is a monopoly, and IE is a tool used illegally to further its monopoly. True, but this can be dealt with by anti-trust law. Requiring consumers to choose an inferior product to spite MS is like cutting off the nose to spite the face.
gargle wrote:
> MS makes great software.
Microsoft repeatedly turns out mediocre, buggy products that
get kind-of useable by the third version.
> If you want a share of the
> marketplace, then compete by producing better
> software.
Where have you been? If better software was all it took,
Borland would be the giant of the software industry.
> Stop whining.
No, you can't make me!
> In the end, consumers benefit from competition.
(Which end?)
> Expecting consumers to choose your
> inferior product over a superior product to make some
> kind of political statement is lame and repulsive.
(a) They're not my products.
(b) There are many instances where refusing to respect a
boycott is what's really lame and repulsive. ("I always
buy from the Gap, they make great clothes for a great price!
Oh... they're manufactured by Asian women conned into
indentured servitude in Saipan by being told they're getting
jobs in the US? Don't bother me with that political crap!")
> Case in point: The Mozilla project. If it were not for
> Microsoft, Netscape would have continued sitting on its
> ass, churning the 4.x line, and releasing noteworthy
> enhancements like the "shopping button".
Right, multiple competing companies are better than just one
de facto monopoly. A Netscape-dominated web could easily
have become a mess of BLINK tags.
> Compete, deliver, or die.
Extend, embrace, extinguish.
> MS is a monopoly, and IE is a tool used illegally to
> further its monopoly. True, but this can be dealt with by
> anti-trust law.
Have you been paying any attention at all? This isn't
being dealt with by anti-trust law... the government is
busy trying to fight Standard Oil all over again.
In any case, my contention is that consumer boycotts are
more effective in many cases than waiting for government
action. Boycotts work faster and are more reliable,
because of the "proportional representation" effect I
mentioned earlier.
> Requiring consumers to choose an inferior
> product to spite MS is like cutting off the nose to spite
> the face.
I think this is incredibly melodramatic. The "inferior"
products just aren't that inferior (and some of them may not
be inferior at all... if Opera were out for Linux I might
give it a try, and Mozilla is certainly getting there).
Anyway, I have no problems with rewarding the best.
Aren't you arguing for rewarding the worst?
the enlightening method, from ServerSocket is:
    protected final void implAccept(Socket s)
            throws IOException {
        try {
            s.impl.address = new InetAddress();
            s.impl.fd = new FileDescriptor();
            impl.accept(s.impl);
            SecurityManager security =
                System.getSecurityManager();
            if (security != null) {
                security.checkAccept(s.impl.getInetAddress().getHostAddress(),
                                     s.impl.getPort());
            }
        } catch (IOException e) {
            s.impl.close();
            throw e;
        } catch (SecurityException e) {
            s.impl.close();
            throw e;
        }
    }
Basically, you can't easily not do the open, because you need to get the port and host address from the impl attribute of the socket - after telling it to open. I think that a more sound approach would be to make impl flexible enough to do its dns setup without actually opening.
Anyway though, the upshot is that the current approach requires that we trust the close method on impl. Looking back through the initializers which create impl, I think this is safe, but hard to prove safe. My guess is that the earlier JVM classes did this incorrectly - they trusted s.close instead of s.impl.close. Which is bad; we don't know where s has been.
Well, I enabled java and javascript to try it out (I usually think running programs in a browser just to look at articles is silly) and it was blocked. Anyone else running junkbuster find this relief?
I don't use Windows enough to know if "IE" is better. I have used windows enough to know that Linux is better, and while Netscape is far from perfect, it works well enough on both platforms that I don't understand why anyone would take the trouble to complain (like, yeah, it will crash after a few days of uptime, and yeah, that's mildly annoying, but so what? Generally, any tasks I do with the browser are completed in less than an hour -- and if I want to read a long essay or something, lynx is fine.)
Anyway, there's a really good reason why you shouldn't use "Internet Explorer", no matter how absolutively wounderful it is: you're voting with every mouseclick, leaving trails in the logs of every website you visit, getting us all a little closer to a Microsoft dominated world. When IE on Windows shows up at 95% plus, every dweeb of a web designer is going to insist that there's no point in sticking to any "standards" but Microsoft's.
So, you don't like Netscape, that's fine, go out and find a copy of Opera or something. If you use Internet Explorer, you're being incredibly short-sighted, and you deserve the world you're going to get.
You need to read Risks if you:
- Use and depend on computers in any but the most trivial way
- Program computers
- Make policy decisions regarding computers
- Operate computers in a way that affects safety (pilot a modern airplane, work in a hospital)
- Use computers in a way that may impact your own safety (flown on a modern airplane lately?)
I think that probably covers most Slashdot readers, which is why I keep posting it here. You might also want to check out the book "Computer Related Risks" by forum moderator Peter G. Neumann ISBN 020155805X. It draws on material from the forum but discusses it in greater depth. You'll find it at all the online bookstores and many local bookstores as well.
Here's a few of my own posts to Risks:
I also recommend that everyone refer regularly to the CERT Coordination Center to read the latest in security advisories and report security problems to them when you find them.-- Could you use my software consulting serv
Here's another warez and pr0n site:
warez.slashdot.org
enjoy!
I'm absolutely sick to death of people saying something doesn't affect them as long as they're not running `insert vulnerable app here' as root. So it might not be able to take out your machine...but what do you have in your home directory? If you're a Linux desktop user, and use it for word processing, it may well just be a copy of your theses, to which you'd naturally have read and write permission. This is a pretty [almost ubiquitously] common situation for home users. Lulling people into a false sense of security is unethical.
It seems more stable on Windows, but, as we all know, IE loads a lot faster and, IMHO, IE just renders the HTML into a nicer-looking document.
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
Yep, you could. You can not only read/write anywhere, you can also reformat...
While the whole At Ease concept is outdated there are a lot of institutions keeping it because they have old hardware and cannot go to OS 9 or they have incapable sysadmins. Especially in K-12 schools.
Users will always install and run insecure apps. As sysadmin, it's my job to keep the company LAN safe regardless. Well, despite this article, it looks like I'll be sleeping soundly tonight.
Firewalls should be for everyone. Anyone who connects their PC (regardless of what OS it runs) directly to the internet is just a damned fool that deserves what they get. Just remember, "if it connects to the net, it runs firewall SW and nothing else." Put the browsers and napsters and toys behind the firewall.
If that sort of stuff crashes the JVM, then it's well stuffed. Get a different one. Array out of bounds errors should throw an exception, and Java initialises *all* data to defaults (though for objects, this is nil, which will cause exceptions to be thrown).
Unless you use JNI, or some other kind of native code, a correctly written VM should never crash (though of course, it might *stop*).
It's a hole alright, but a *Netscape* hole, not a Java hole. It's a faulty and buggy implementation, that's all. No need to blame Java for it.
Oh great, another "IE is better than Netscape" dude. This is "Insightful"? I don't use Windows enough to know if "IE" is better
Then shut your pie hole. Because if you DID use IE for more than 15 mins you'd see the point.
I too was a 'Netscape only' person from version 1 to version 4.72. Netscape simply has become worse and worse while IE has become better and better (well, maybe not 5.5 but 5.01 is solid).
There comes a time when getting your work done is more important than supporting some ideal that obviously isn't shared by the actual developers.
That time for me was June 2000. Goodbye Netscape and good riddance.
On a vaguely on-topic note, I run Zone Alarm on my Windows laptop, and I just tested this. Zone Alarm halts it immediately, and it's free for individual use. When I tried to contact my "Netscape Server" after I exploited my box, a window popped up asking if I wanted to allow Netscape to run as a server. I said no, and the connection failed.
If you're behind a NAT firewall like Linux's IP Masquerade, this doesn't pose a problem. The server-side CGI which sends parameters to the Java applet sets the address of your NAT gateway- which, of course, is not the address of the system running Netscape Navigator.
I do a lot of client-side javascript programming for both IE and Netscape. I've always found IE to be MUCH easier and powerful with respect to its implementation of the DOM and what I can do with it. Now I find it is actually more secure too. Why am I using Netscape again? Maybe I don't have any good reasons left.
This is a Java applet, not a Javascript exploit. The fact is that just about any client side scripting has to be implemented perfectly to avoid security problems. This being an imperfect world, I browse with Java and Javascript OFF.
Have you been paying any attention at all? This isn't being dealt with by anti-trust law...
Decreased revenues due to open source competition can't be the only thing driving down Microsoft's stock price. It's about 50% off its high before the antitrust rulings.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
please include an alternate method of running untrusted software on your local computer!
http://vrml3d.com/open/#name5
This is only a very small beginning. We need much more work in this area. We need small, fast, secure VMs that can run *any* language on *any* machine. EiC comes close to meeting the any machine part, but not the any language part.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
-- Could you use my software consulting serv
government software, as it is the taxpayer that owns it. So I believe you could resell it if you wanted to in your own package. I think it is a lot like those "army survival manuals" that you see reprinted when you walk into Barnes and Noble. Also, patents granted to government agencies/employees are public domain (they are quite a few) and you can make/use them for profit. Government funded IP belongs to the people (This does not go for grants given to a company to develop technology however - it's whoever controls the patent/copyright)
I know it's offtopic - only to try to clarify a point that's been posted.
I'm running behind a NAT based system. I downloaded the browser. It kept insisting on going to my external IP address instead of the IP I actually pointed it at.
Further, all I saw was "Permission denied" on any place I tried to read.
So - my first question - how did the browser know what my REAL IP was behind the NAT box? Did they configure it into the browser before I down-loaded it? Further, are they recording said IP's for later exploits????
I'd guess if you are behind a firewall or NAT box that won't do them much good....which is a "good thing."
Anyway - maybe one should think twice before downloading and trying this "exploit."
My
Have you compiled your kernel today??
Doesn't work for me - nmap doesn't see it, I can't get any response from telnet or via another browser session on the same subnet or over the internet.
in fact, none of the links work.
Am I doing something wrong?
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
Obviously non-sandboxed scripting languages like Javascript and ActiveX are a different kind of risk, and simply can't be trusted.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The MS Word crack I stumbled upon I found was even worse; search for a file, and you can get read access to files in the same directory [which is supposedly secure] with an open menu dialogue. You can even open the passwd file from a remote At Ease server volume!! Though it's a bin file, parts of it are readable.
However I think they cleared this up in the current version of At Ease.
I kind of like the sort of world where the incentive is to make the best product, thanks.
If Microsoft attained their standing and wide-spread domination via anti-competitive means, fine, but you can't blame consumers for using what they like best. That's them creating the most important incentive for the future of all: the incentive to try to actually produce something superior to everything else. Sorry, but that's what counts in the end, and that's where things will end up when all is said and done.
Mindcraft unleashes its latest web server benchmarks pitting IIS against Netscape Navigator...
Say what you will about M$/IE, but if a bug like this gets reported for Internet Exploder, you can bet your ass they'll post at least a notification (if not a workaround or patch) on their site faster than you can say "class action lawsuit."
Netscape? Netscape.com is too busy telling me about the new cute chick flick "Coyote Ugly" and checking my stocks. I'm one click away from the "Security" section of Microsoft.com. On Netscape.com, I am one click away from sports scores.
I used to be a really big fan of Netscape, but they just keep screwing up. I swear, I want to like them...
======================================
======================================
Writers get in shape by pumping irony.
No, /etc/services does not disable any traffic over a particular port. The most it will do is prevent the getservbyname(3) family of function calls from working. /etc/services is just a file that translates between names and numbers. Nothing else is magic about it at all. Are you just trolling for newbies or what?
I ran the applet, and my portsentry has caught 9 people in less than 20 minutes trying to connect to my 'puter. Just a heads up to those other curious people out there.
Portsentry Log
965533382 - 08/05/2000 23:43:02 Host: ppp-121.tnt-1.ind.smartworld.net/64.71.16.121 Port: 8080 TCP Blocked
965533409 - 08/05/2000 23:43:29 Host: c1102499-a.mntp1.il.home.com/24.22.238.125 Port: 8080 TCP Blocked
965533665 - 08/05/2000 23:47:45 Host: cx1009234-b.lbbck1.tx.home.com/24.15.153.5 Port: 8080 TCP Blocked
965533766 - 08/05/2000 23:49:26 Host: bluewhale-ext.nus.edu.sg/137.132.2.110 Port: 8080 TCP Blocked
965533960 - 08/05/2000 23:52:40 Host: adsl-151-203-192-148.bellatlantic.net/151.203.192
965534057 - 08/05/2000 23:54:17 Host: dialupB214.dlth.uswest.net/207.109.199.214 Port: 8080 TCP Blocked
965534280 - 08/05/2000 23:58:00 Host: dsl-209-162-218-233.easystreet.com/209.162.218.23
965534282 - 08/05/2000 23:58:02 Host: Station06.DSFM.MB.Ca/204.112.25.16 Port: 8080 TCP Blocked
965534422 - 08/06/2000 00:00:22 Host: koyk-u5.cisco.com/171.69.66.107 Port: 8080 TCP Blocked
It is only a matter of time before the MS marketing people will find a way to leverage the constant finding/fixing issues in MS products versus the lack of any searching for holes in Open Source products.
So are you a troll, or just ignorant?
Last time I checked Bugtraq there were a whole bunch of people searching through all sorts of open source software for holes, and reporting them.
Last time I looked at www.openbsd.org, it had done a thorough review of any potential security holes in their open source operating system.
And last time I checked, neither the Netscape 4.x browser nor its Java component were Open Source.
Steven E. Ehrbar
I think I'll just stick to Lynx.
"On the Internet, everyone is an equal until they prove themselves to be a moron." - Emmanuel Goldstein
They seem to work incorrectly if you're behind a firewall, since the script picks up the IP of the firewall rather than of your machine, and so the server redirects you incorrectly if you do manage to get it to answer.
I haven't had time yet to determine how it behaves if I manually "configure" it, and I don't care to run it at all on my firewall. (I'm curious, not st00pid.)
--Joe--
Program Intellivision!
Having security built in at method level, with code like this:
    public void somemethod(){
        if (evil_attacker) throw new SecurityException();
        do_sth_useful();
    }
won't get you too far, if the attacker has access to source code, and overloads the method with a version without security checks. Since Java applets can extend java.* classes and the code for them comes with the latest JDK, it was just a matter of time until someone figured this out, and created an exploit.
The easy solution is not to allow unknown code (applets) to replace (overload) system library code. Let applets only extend java.lang.Object or other classes from an Applet, and you're done.
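The failure mode raised in this comment and in the earlier implAccept comment (trusted code calling an overridable method on a caller-supplied object during security cleanup), as an added example that is not part of the thread and is not JDK or Netscape source. All names (Impl, Conn, StickyConn, acceptViaWrapperClose, acceptViaImplClose) are hypothetical stand-ins, the peer address is a constructed documentation value, and no real sockets are used.

```java
import java.util.function.Consumer;

// Toy model only: hypothetical classes, not the JDK or Netscape implementation.
public class CloseTrustDemo {

    /** Stand-in for SocketImpl: owns the real connection. Final, so it cannot be subclassed. */
    static final class Impl {
        private boolean open;
        void accept() { open = true; }
        void close() { open = false; }
        boolean isOpen() { return open; }
    }

    /** Stand-in for java.net.Socket: not final, so a caller may pass in a subclass. */
    static class Conn {
        final Impl impl = new Impl();
        public void close() { impl.close(); }   // overridable
    }

    /** Subclass supplied by untrusted code: close() silently does nothing. */
    static class StickyConn extends Conn {
        @Override
        public void close() { }
    }

    /** Stand-in for SecurityManager.checkAccept with a policy that denies every peer. */
    static void checkAccept(String host, int port) {
        throw new SecurityException("accept denied for " + host + ":" + port);
    }

    /** Pattern the comment guesses at: cleanup trusts the wrapper object's close(). */
    static void acceptViaWrapperClose(Conn s) {
        s.impl.accept();                       // must open first to learn the peer address
        try {
            checkAccept("203.0.113.7", 8080);  // constructed sample peer
        } catch (SecurityException e) {
            s.close();                         // virtual call: runs the subclass's version
            throw e;
        }
    }

    /** Pattern in the implAccept listing: cleanup closes the impl directly. */
    static void acceptViaImplClose(Conn s) {
        s.impl.accept();
        try {
            checkAccept("203.0.113.7", 8080);
        } catch (SecurityException e) {
            s.impl.close();                    // Impl is final: no untrusted override here
            throw e;
        }
    }

    /** Runs one accept path and reports whether the connection survived the denial. */
    static boolean leaksAfterDenial(Consumer<Conn> acceptPath, Conn s) {
        try {
            acceptPath.accept(s);
        } catch (SecurityException denied) {
            // The policy denies every peer, so this is the expected path.
        }
        return s.impl.isOpen();
    }

    public static void main(String[] args) {
        System.out.println("wrapper close, plain Conn : leak="
                + leaksAfterDenial(CloseTrustDemo::acceptViaWrapperClose, new Conn()));
        System.out.println("wrapper close, StickyConn : leak="
                + leaksAfterDenial(CloseTrustDemo::acceptViaWrapperClose, new StickyConn()));
        System.out.println("impl close,    StickyConn : leak="
                + leaksAfterDenial(CloseTrustDemo::acceptViaImplClose, new StickyConn()));
    }
}
```

Only the wrapper-close path combined with the overriding subclass leaves the connection open after the denial; closing through the final Impl, or declaring close() final, takes untrusted code out of the cleanup path.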
ditto. Java is designed so that even if your program is poorly written, unless it's pathological, it won't crash or have any effect. Things that will have an effect are something like creating tons of objects just to try to run out of memory, or deadlocking due to poor threading code.
It's 10 PM. Do you know if you're un-American?
But Brumleve describes another problem with BOURLConnection and BOURLInputStream that allows the applet to read local files. Can someone help us with that one also?
Cheers,
--Neal
Go IETF!
Has anybody checked which Netscape versions are susceptible? (or for that matter IE versions?)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I am an IE fan, by all means, and this looks way worse than what small security holes IE has. Now you wonder, what were the programmers thinking? Was it a true mistake??? OR was it purposeful? It makes you wonder :)
I have to disagree. Java itself is not the problem. This summer I have been doing a lot of Java development on Linux, and not once has Java crashed on me unless I wrote some bad code. The problem is netscape. The reason java crashes in your web browser has a lot more to do with the browser than the JVM.
bash-2.04$
bash-2.04$yes "Don't you hate dialup connections?"| write USERNAME
Wow! I found shitloads of pr0n and warez on that first one! Hey thanks!
And when AOL bought Netscape, they were essentially buying Netscape.com 's traffic. They could give a crap about Navigator and the server software...
--
Chaosnetwork
OliverWillis.Com
An Operative with an Agenda
Anyway, there's a really good reason why you shouldn't use "Internet Explorer", no matter how absolutively wounderful it is: you're voting with every mouseclick, leaving trails in the logs of every website you visit, getting us all a little closer to a Microsoft dominated world.
You're damn right. I'm voting with every click - voting in support of a superior product.
This is a no brainer.
A Java based exploit can turn netscape browser into a server.
That oughta last about 3 seconds until Java locks up the netscape process.
Most Windows people have no idea how pathetically unstable Java for linux is.
What a colossal load of absolute crap. First off, I am as pro-open source as anyone else, but this type of fanaticism makes me sick. You're telling me I should use a product that has been essentially forgotten by its creators to further political goals? No frigging way. I loathe Microsoft for everything they stand for, and I don't trust their product as far as I can throw it, but there is no damn way I will use a substandard product just to spite them. I run a weblog and ditched Netscape after losing my seventh article due to an unexpected and completely random bail, so if by switching to a clearly superior product that actually matters to its developers I am nurturing the tool of Satan, then I'm happy to do so.
It's ridiculous statements like yours that give OSS proponents a bad name, because by your own admission, quality of product has absolutely no meaning as long as you're screwing Bill in the process. Since when do OSS pundits argue for the purchase of commercial software like Opera? Sounds like pure politics to me. And guess what, I do develop for IE more than anything else simply because the viable alternatives either expect me to shell out hard earned cash I don't have, or have neglected the product to the point of borderline uselessness. Opera makes a great browser that nobody will ever know about because it's commercial software with free alternatives.
Netscape's outright loss in the web browser war has less to do with Microsoft's monopoly than it does AOL's complete neglect of a once desirable product, and if NS6 PR1 is any indication, nothing has changed. Standards compliance means precisely jack if the damn thing is slow, crashy or just plain unusable for any combination of reasons.
I hope you enjoy playing politician while the vast majority make choices based upon quality of product.
---
Slashdot: News For Zealots. Stuff That's Hypocritical.
With Napster on the verge of being shut down this exploit comes at just the right moment in time! Why bother with Gnutella or Freenet when the peer-to-peer sharing application IS ALREADY ON YOUR COMPUTER!
See, after all the berating of activex/vbscript bugs in outlook that allowed the new "worm" breed of viruses to plague Windoze users, now we have something nasty to send the *nix users who read email with Netscape and have html/java turned on ;)
(of course, us Mutt or Elm users are still safe *grin*)
--
Sinepaw.org: Grape Winos
That Netscape is the worst browser ever. Quote from his article: "Today a bug was reported in Netscape, versus none reported today for IE. That proves that Netscape is the worst browser ever!"
-------------
The truth is out th- oh, wait, here it is...
This exploit is possible because of two factors.
The first problem is that Netscape's SecurityManager does not throw a SecurityException when the BOServerSocket constructor creates a java.net.ServerSocket. Here's the exception thrown in IE:
*******************************
com.ms.security.SecurityExceptionEx[BOServerSoc
at com/ms/security/permissions/NetIOPermission.check
at com/ms/security/PolicyEngine.deepCheck
at com/ms/security/PolicyEngine.checkPermission
at com/ms/security/StandardSecurityManager.chk
at com/ms/security/StandardSecurityManager.checkList
at java/net/ServerSocket.
at java/net/ServerSocket.
at BOServerSocket.
at BOHTTPD.init
at com/ms/applet/AppletPanel.securedCall0
at com/ms/applet/AppletPanel.securedCall
at com/ms/applet/AppletPanel.processSentEvent
at com/ms/applet/AppletPanel.processSentEvent
at com/ms/applet/AppletPanel.run
at java/lang/Thread.run
***********************************
After the ServerSocket is created, a SecurityException _is_ thrown whenever the BOServerSocket calls implAccept, but this Exception is easily caught. Also, by the time the Exception is thrown, the damage is already done. Here's the Exception:
************************************
netscape.security.AppletSecurityException: security.Couldn't connect to '127.0.0.1' with origin from '216.61.198.249'.
at java.lang.Throwable.(Compiled Code)
at java.lang.Exception.(Compiled Code)
at java.lang.RuntimeException.(Compiled Code)
at java.lang.SecurityException.(Compiled Code)
at netscape.security.AppletSecurityException.(Compil
at netscape.security.AppletSecurityException.(Compil
at netscape.security.AppletSecurity.checkConnect(Com
at netscape.security.AppletSecurity.checkConnect(Com
at netscape.security.AppletSecurity.checkConnect(Com
at netscape.security.AppletSecurity.checkAccept(Comp
at java.lang.SecurityManager.checkAccept(Compiled Code)
* at java.net.ServerSocket.implAccept(Compiled Code)
at BOServerSocket.accept_any(Compiled Code)
at BOHTTPD.run(Compiled Code)
at java.lang.Thread.run(Compiled Code)
************************************
So, to recap: 1) Netscape does not throw a SecurityException when a ServerSocket is created in BOServerSocket., and 2) the connection is made by the time the exception is thrown in ServerSocket.implAccept().
#1 is Netscape's fault. They haven't implemented their security policies correctly, specifically that a ServerSocket can't listen on a port in an unsecure applet. #2 is definitely Sun's fault because the SecurityException can easily be circumvented by overloading Socket.close().
Bravo to the grey hat for finding this!
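The two check points named in the comment above, as an added example that is not part of the original post or of Brown Orifice: a `java.lang.SecurityManager` that guards only `checkAccept` still lets the listening socket come into existence, while one that also denies `checkListen` stops it inside the `ServerSocket` constructor. The class names are hypothetical, and the code assumes a JDK that still permits `System.setSecurityManager` (Java 17 or earlier; 18 to 23 with `-Djava.security.manager=allow`).

```java
import java.net.InetAddress;
import java.net.ServerSocket;
import java.security.Permission;

public class ListenCheckDemo {

    // Hypothetical policy modelling the gap described above:
    // accept is checked, but creating the listener is not.
    static class AcceptOnlyManager extends SecurityManager {
        @Override public void checkPermission(Permission p) {
            // Allow everything else so the demo itself can run.
        }
        @Override public void checkListen(int port) {
            // Missing check: binding a listening socket is allowed.
        }
        @Override public void checkAccept(String host, int port) {
            throw new SecurityException("accept denied from " + host + ":" + port);
        }
    }

    // Hardened policy: refuse the listening socket itself, so the
    // later accept check is never the only line of defence.
    static class NoListenManager extends AcceptOnlyManager {
        @Override public void checkListen(int port) {
            throw new SecurityException("listen denied on port " + port);
        }
    }

    // Installs the given manager, then tries to open a loopback listener.
    // Port 0 asks the OS for any free port; no connection is ever accepted.
    static String tryListen(SecurityManager sm) throws Exception {
        System.setSecurityManager(sm);
        try (ServerSocket s = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            return "listening on loopback port " + s.getLocalPort();
        } catch (SecurityException e) {
            return "blocked in constructor: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accept-only policy: " + tryListen(new AcceptOnlyManager()));
        System.out.println("no-listen policy:   " + tryListen(new NoListenManager()));
    }
}
```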
Under *nix, yer still pretty safe. Only running Netscape as root would truly expose you. And no one is stupid enough to do that, right? Well... maybe Red Hat users.
Actually, netscape is used as the UI to a number of sysadmin utils including up2date. (And, yes, it does run netscape as root.)
Is it me or does this seem easier to set up than editing /etc/vfs/vfstab to export /export/blah - now if only we could get NIS to adopt this for automounts we'd be set for NIS on a WAN !!! (except for the minor issue that anyone can read a file - but life has its trade-offs....)
Wheeeee
I paid $20,000 for a Chevy, so I am clearly that stupid.
---
Slashdot: News For Zealots. Stuff That's Hypocritical.
"WHOA! I just saw a Windows 2000 system that was still running BOHTTPD even after Netscape had been apparently terminated. Even the "Task Manager" showed no trace." That's very interesting.
Liberty.
Huh? What is "untrusted software"???
Do you "trust" code you find on rpmfind.net?
Do you "trust" code you download from sourceforge?
There is no such thing as "trusted" and "untrusted" code, so get over it. The closest you are going to come is open source, where the chances of a whistleblower making a call on bad software is substantially higher.
As for alternate methods for running so called "untrusted" code, there are many approaches outside of sandbox models, including ML's proof-carrying approach (yes, I actually read one of the essays Tom7 keeps linking to).