Slashdot Mirror


Java/Script Alert: Cross-Platform Browser Vulnerability

Ant writes "Synopsis: Opera, Mozilla & Netscape with javascript enabled are vulnerable to remote command execution. This has been tested on Microsoft, and many many Unices. Macintosh may also be vuln. Ironically enough, IE is unaffected."

Update: 06/08 23:56 GMT by H : The problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability.

Update: 06/09 00:56 GMT by T : According to this followup message from Mozilla security group member Daniel Veditz, the problem is actually one that's already been fixed in Mozilla 1.3, and not a remote command execution vulnerability at all. (Thanks to reader Jared Klett and others.)

6 of 314 comments

  1. Java is not a word for javascript. by Breakfast+Pants · · Score: 0, Redundant

    They are very different and a vulnerability in a browser's implementation of javascript does not imply a problem "in the Java security model itself."

    --

    WHO ATE MY BREAKFAST PANTS?
  2. Re:All the more reason to avoid ALL java by 5.11Climber · · Score: 0, Redundant

    The vulnerability is related to javascript and not java. The article is a little misleading!

    --
    Arf!
  3. Java or Javascript? by Charles+Dodgeson · · Score: 1, Redundant
    The article seems to be confused (or at least confusing) on this point. It mumbles about Java, but gives JavaScript examples. I suppose that some Javascript may be being used to do something nasty with Java, but I simply don't get it.

    Can anyone who knows about this sort of stuff point to a more credible analysis?

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  4. Then by big_groo · · Score: 0, Redundant
    - turn it off.

    I do.

  5. WTF?! by tundog · · Score: 1, Redundant

    the problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability.

    "Holy security through obfuscation batman!". JavaScript has NOTHING to do with the Java(tm) programming language, let alone the 'security model'. I'd have expected better from slashdot editors...

    --
    All your base are belong to us!
  6. MOD parent up! by Kynde · · Score: 0, Redundant

    That's a slam dunk. Don't get me wrong, I'm a mozzy user myself, but this guy nails the "ironic discussion" with a post that is, like another poster said, both funny, insightful and informative.

    --
    1 Earth is warming, 2 It's us, 3 it's royally bad, 4 we need to take action NOW