Technology Stocks : All About Sun Microsystems


To: John Carragher who wrote (15015) 3/29/1999 8:00:00 AM
From: John Carragher
 
March 26, 1999

Security Experts Announce Flaw
In Software Developed by Sun

By LISA BRANSTEN
THE WALL STREET JOURNAL INTERACTIVE EDITION

SAN FRANCISCO -- Software-security experts say a graduate student
in Germany has discovered a flaw in software from Sun Microsystems Inc.
that could give an outside attacker access to a user's personal computer.

The flaw is in a piece of software developed by Sun called the Java virtual
machine, which allows the browser to run Web applications written in the
Java programming language. The software is used in Netscape
Communications Corp.'s popular Navigator browser. Because Microsoft
Corp. uses a slightly different version of the Java virtual machine, the
Internet Explorer browser isn't affected.

Edward Felten, director of the Secure Internet Programming Laboratory at
Princeton University, said Karsten Sohr, a graduate student at Germany's
University of Marburg, contacted him about the flaw several weeks ago.
Dr. Felten said he helped Mr. Sohr report the problem to Sun and
Netscape, now part of America Online Inc.

The Java software has security components designed to limit the
operations of code from unknown sources, including Web pages. The flaw
involves the part of the code known as the "verifier," which determines
whether the code is from a known or unknown source, said Gary
McGraw, a software-security expert and vice president of business
development at Reliable Software Technologies Corp. in Sterling, Va. Drs.
Felten and McGraw are the co-authors of books on Java security,
including the recent "Securing Java."

Because of the flaw, the gatekeeper could give attacking code some
privileges that it shouldn't have; using those privileges, a clever Web
programmer could design a site that could harm a user's PC.

Li Gong, chief architect of Java security and networking at Sun, said the
company was already sending out software to fix the flaw in the first
version of the Java "tool kit" that includes the virtual machine. Sun is testing
a fix for the second version of the tool kit, which began shipping in
December, and should have that fix out very soon, he said.

He said that there was no need for Web surfers to panic about the flaw,
since there was no indication that anyone had used it maliciously. And, he
added, "it's not like someone who reads the news report will be able to
figure out how to do the attack."

Dr. McGraw said as far as he knew, no one in cyberspace had actually
attacked any computers in this way, but added that in their labs, he and
Mr. Sohr had staged a "demo exploit" -- managing to gain access to a
computer via a Web page taking advantage of the vulnerability.

A Netscape spokesman said it was working with Sun to determine how to
correct the flaw, adding that the company hoped to have a fix available on
its Web site soon.

For reasons of safety, it is common practice in software-security circles for
vulnerabilities to be widely announced some time after their discovery,
once a security fix is available or very nearly ready. Dr. Felten said the
flaw was only described generally in order to minimize the possibility of
attacks before fixes are available.



To: John Carragher who wrote (15015) 3/29/1999 10:17:00 AM
From: Sonki
 
Up 5! Another day in the sun shine state. 140 by July?