Java/Script Alert: Cross-Platform Browser Vulnerability

Ant writes "Synopsis: Opera, Mozilla & Netscape with javascript enabled are vulnerable to remote command execution. This has been tested on Microsoft, and many many Unices. Macintosh may also be vuln. Ironically enough, IE is unaffected." Update: 06/08 23:56 GMT by H : The problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability. Update: 06/09 00:56 GMT by T : According to this followup message from Mozilla security group member Daniel Veditz, the problem is actually one that's already been fixed in Mozilla 1.3, and not a remote command execution vulnerability at all. (Thanks to reader Jared Klett and others.)

Java or Javascript?

[Charles+Dodgeson]

The article seems to be confused (or at least confusing) on this point. It mumbles about Java, but gives JavaScript examples. I suppose that some Javascript may be being used to do something nasty with Java, but I simply don't get it.

Can anyone who knows about this sort of stuff point to a more credible analysis?

WTF?!

[tundog]

the problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability.

"Holy security through obfuscation batman!". JavaScript has NOTHING to do with the Java(tm) programming language, let alone the 'security model'. I'd have expected better from slashdot editors...