Java/Script Alert: Cross-Platform Browser Vulnerability

Ant writes "Synopsis: Opera, Mozilla & Netscape with javascript enabled are vulnerable to remote command execution. This has been tested on Microsoft, and many many Unices. Macintosh may also be vuln. Ironically enough, IE is unaffected." Update: 06/08 23:56 GMT by H : The problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability. Update: 06/09 00:56 GMT by T : According to this followup message from Mozilla security group member Daniel Veditz, the problem is actually one that's already been fixed in Mozilla 1.3, and not a remote command execution vulnerability at all. (Thanks to reader Jared Klett and others.)

WTF, over?

[alecto]

WHAT, exactly does the Java security model have to do with JavaScript--an unfortunately named, but totally different, animal?!

so which is it?

[jeffy124]

Headline says Java, writeup says JavaScript, Hemos update references both. Turning off JavaScript does not affect the Java plugins. Turning off the Java plugin does not turn off JavaScript.

So which is it?

Re:Obligatory rant

[Kircle]

The article is incorrect. It states:

"New bugs were discovered in Netscape's implementation of Java has been found which allows a remote site to read any file on the client machine and to set up a Java server which anyone can connect to. Brown Orifice HTTPD starts a Java server which allows others to read files on your machine." Fix: Disable Java immediately

Netscape does not have an implemention of Java. It does, however, have an implementation of JavaScript.

Re:Then

[Ken@WearableTech]

I have an infected toenail. It is real sick with lots of stinking puss and black fur.
Should I...

A: Take AB Meds
B: Cut it off

B?

Re:"Macintosh may also be vuln."

[antdude]

RTFA. I copied and pasted it.

Forgot about IIS & Apache Web Server?

[SilentMajority]

Nice try but your "logic" (lol) fails the obvious test.

IIS has smaller marketshare than Apache Web Server, yet MANY more IIS vulnerabilities have been discovered and MS took a LOT longer to fix/patch IIS than Apache.

trainwreck

[anotherone]

Between the awful writing in the article, the broken examples, the Java/Javascript confusion, and the contrarian IE-is-safe-but-mozilla-isn't thing; this may very well be the worst slashdot story ever.

You must be joking

[bgarrett]

One of the linked pages provides a list of several vulnerabilities, one of which was announced recently.

If slashdot is going to post stories for subscribers well in advance, can it put some of its filthy lucre toward hustling some subscriptions from computer professionals of long experience, people literate in the English language, and other hard-to-find folks to fact-check BEFORE yet another elementary blunder makes the front page?

Fixed in Mozilla 1.3?

Hmmm... I just clean installed Mozilla 1.3.1 on WinXP Pro, and the bug still works.

Turing-Complete is Evil

[Tablizer]

The problem is having a Turing-complete language that is sent to and runs on the client. We need acceptance of protocols that work well without needing TC downloadable scripting or applets.

Being TC opens up hacking risks considerably over non-TC protocols.

I have not seen much research on non-TC protocols. I have a pet GUI form protocol called SCGUI that is meant to work effectively non-TC, but there is not much for HTML-based action right now.