Bob Brickey has published this very valuable warning regarding
IE 3.0.
Anyone who wants to check further on this and other security
subjects should have a look at
http://www.digicrime.com/
Have fun and suspense. (not for the faint hearted)
Gerrit Jacobsen
> First, It's important to distinguish between Java
> applications and applets. Both written in Java,
> applets are compiled bytecode files residing on the
> host machine which are d/l'd and executed within the
> Browsers environment. This is done by the ClassLoader
> putting the bytecode into memory and then being verified
> so as not to violate security restrictions. Some of those
> restrictions are the inability to read/write to the local
> filesystem. Java applications, OTOH, have the potential
> to do more harm because there is some level of trust
> assumed between the remote host and the local host. RMI,
> remote method invocation, does what it suggests.
> Look, I'm not trying to start an out-of-context
> thread in this list, and I'm sure that there are devious
> little madhackers chipping away at potential loopholes in
> the Java Spec. But the fact is that it's going to take more
> than a malicious webmaster to mung up your machine.
> Java applets running in a browser that don't prompt
> you for any input or send anything back to the remote host
> are harmless. Period. If you're not comfortable with that, you can
> disable it. Just my .02 lantern@xxxxxxxxx
>
>
>
> On Tue, 24 Feb 1998, Jim Lovejoy wrote:
>
> > Thanks for the warning! I personally use IE4.0 without Active
> > Desktop and have not had one problem with it yet on Win95 OSR2.
> >
> > Question...
> >
> > It was my understanding that Javascript (being a scripting
> > language) is not dangerous. Mainly because it is embedded in html
> > and not a downloading executable. Is this true?
> >
> > On the other hand Java applets (small executable programs) have
> > the potential to damage but no one has figured out a way yet. This
> > is because Java was not designed to machine level like C or CGI.
> > Is this true?
> >
> > Just want to make sure my facts are right.
> >
> > Jim Lovejoy
> > fastgroup@xxxxxxxxxx
> > Pain is inevitable... Misery is optional.
> > -Unknown
> >
> > -----Original Message-----
> > From: Scientific Approaches <sci@xxxxxxxxxx>
> > To: Omega Mailing List <omega-list@xxxxxxxxxxxxxxx>
> > Date: Tuesday, February 24, 1998 2:37 PM
> > Subject: Internet Explorer 3.0 Warning
> >
> >
> > >This doesn't have anything to do directly with trading, but
> > >almost everyone on this list uses web browsers, so you may find it
> > >interesting.
> > >
> > >Hoaxes about how email viruses can damage your computer and other
> > >such things are prevalent on the Internet. Almost all such
> > >stories are total nonsense.
> > >
> > >However, there is a significant risk you should be aware of.
> > >Microsoft Internet Explorer Version 3.0 has a major security hole
> > >that allows any webmaster to take control of your Windows desktop
> > >- including accessing any confidential files on your computer.
> > >Webmasters can do almost anything you can do sitting at your
> > >computer. They can upload files, download files, search and
> > >replace text in files, delete files, and run programs. They can
> > >leave software that will give them repeated access each time you
> > >log back on the Internet in the future.
> > >
> > >The problem was a major embarrassment to Microsoft. Microsoft
> > >released Version 3.01 to fix the problem, but within hours a
> > >teenager in California circumvented their fix and published a
> > >work-around on the web. Microsoft then released Version 3.02 to
> > >block his work-around.
> > >
> > >If you are using MSIE 3.0, seriously consider updating either to
> > >3.02 (a small update) or to 4.x (a major upgrade, and one I don't
> > >recommend if you are using Win95 or WinNT). Another option is to
> > >switch to a Netscape browser (my personal preference). You can
> > >obtain free Microsoft browsers from:
> > >
> > > http://www.microsoft.com/
> > >
> > >and free Netscape browsers from:
> > >
> > > http://www.netscape.com/
> > >
> > >However, you should know that all HTML 4.0 compliant browsers,
> > >including recent versions of both Microsoft and Netscape
> > >browsers, expose your computer to malicious damage, because they
> > >support the automatic downloading
> > >and execution of small computer programs, called applets, that
> > >add pizzazz to many web sites. Simple applet programs do such
> > >things as change the color of a button when the mouse cursor
> > >moves over it or display a message in the status bar to give web
> > >site visitors more information about a link. They can make web
> > >pages bounce, shimmy, sing and gyrate. They also are commonly
> > >used to do such things as validate forms before visitors submit
> > >them and to produce sophisticated graphics animation. They
> > >provide the means to do lots of "neat" things, but they also
> > >provide the means to automatically download and execute programs
> > >you won't even know about that can damage your computer.
> > >
> > >Restrictions have been imposed on what automatically downloaded
> > >applets can do, but they can be circumvented by knowledgeable
> > >programmers. You can protect yourself from that risk by
> > >switching off applet support in your browser setup options. The
> > >terminology is different in different browsers. Look for
> > >JavaScript, Jscript, Java Applet, VB, or ActiveX support. You
> > >may not want to do that if you like the gimmicks on leading-edge
> > >web sites, but it eliminates the risk of potentially nasty
> > >consequences.
> > >
> > > -Bob Brickey
> > > Scientific Approaches
> > > sci@xxxxxxxxxx
> > >
> >
>
>