VIRUS ALERT: Java virus that affects Netscape 2.0 & 2.01.

WHO IS AFFECTED BY THIS ALERT?
------------------------------

Users of Netscape Navigator 2.0 or 2.01. To determine what version of Netscape you are running, do the following:

1. Open Netscape Navigator.
2. Pull down the Help menu.
3. Click on About Netscape.
4. Check to see if you have version 2.0 or 2.01. If so, read on. If not, then you cannot be affected by this alert.

WHAT IS THE PROBLEM?
--------------------

There have been reports lately of a hostile Java applet (a Black Widow Java applet called JAVA) that is downloaded and executed automatically when certain sites are visited with Netscape versions 2.0 or 2.01. Java applets are small applications that are automatically started when you access certain web pages. This particular Java applet is a malicious program that can destroy data, interfere with your network, and possibly even upload sensitive material to a third party.

WHAT SHOULD YOU DO?
-------------------

Upgrade to Netscape Navigator 2.02.

WHAT SHOULD YOU DO IF YOU CAN'T DOWNLOAD VERSION 2.02 RIGHT NOW?
----------------------------------------------------------------

You can temporarily protect your PC or Macintosh by disabling the Java functionality. However, this should only be a short-term fix, as many legitimate web sites make use of Java applets. To disable the use of Java applets, do the following:

1. Open Netscape Navigator.
2. Pull down the Options menu.
3. Click on Security Preferences.
4. Under General, place an "X" in the Disable Java and the Disable JavaScript boxes in the Java window. Click on OK.

After upgrading to the latest version of Netscape Navigator (version 2.02), re-enable the Java applets by doing the following:

1. Open Netscape Navigator.
2. Pull down the Options menu.
3. Click on Security Preferences.
4. Under General, remove the "X" in the Disable Java and the Disable JavaScript boxes in the Java window. Click on OK.
We've reached urban legend time for Java...?

There is no Java virus known as "Black Widow". There was a melodramatic web article about Java security that used the title "Black Widow", a pun on the web. The article focused mostly on the danger of denial-of-service applets that consume resources on the client. While rude, annoying, and potentially the cause of losing unsaved edits in a word processor (if you were flummoxed and panicked and, instead of killing your browser, you rebooted your computer and lost any pending edits), denial-of-service applets are *not* viruses. And they are not stalking the web. Really.

I work on Java security at JavaSoft, which is part of Sun, and try to keep our web page up to date. See http://java.sun.com/sfaq/ for info.

In the "for what it's worth dept", the security breaches that have gotten so much press are fixed in JDK 1.0.2, our current release, and in NN3.0b4. This includes the bug mentioned in the May 18 NY Times story.

Marianne
Marianne Mueller writes:
In the "for what it's worth dept", the security breaches that have gotten so much press are fixed in JDK 1.0.2, our current release, and in NN3.0b4. This includes the bug mentioned in the May 18 NY Times story.
The problem, Marianne, is that Java security has become a total industry joke. When Java came out, we were assured it was secure. Then we were assured it was Beta software but real Java as released would be secure. Then we were told that it was mostly secure, and anyway bugs are fixed quickly, and anyway they aren't serious in general, maybe. In short, you are starting to look very defensive and very unreliable.

The bugs show up on a weekly basis. This is because the underlying security model is flawed. No amount of denial on your part is going to fix that.

Sadly, Java hype has become a giant industry, and the hype machine assures that honesty about Java is going to continue to decline. Java has become a major stock booster for Sun and other companies. Congenital Java security holes aren't going to get serious attention because, whether one likes it or not, Sun's stock is impacted by the whole thing.

Perry
Hype about Java and a move to a policy-based security mechanism are not incompatible. Perry's security model will probably be NO Java, NO Livescript. Mine might be: only Java signed by McAfee can get more than 3 seconds of CPU time, or access remote network ports on the server it came from; no other code can run.

Adam

Perry E. Metzger wrote:
| Sadly, Java hype has become a giant industry, and the hype machine
| assures that honesty about Java is going to continue to decline. Java
| has become a major stock booster for Sun and other
| companies. Congenital Java security holes aren't going to get serious
| attention because whether one likes it or not Sun's stock is impacted
| by the whole thing.

--
"It is seldom that liberty of any kind is lost all at once." -Hume
Actually, a more canonical Perry policy would probably be to only allow code signed by Perry (or the security audit team) to be executed: [trust only yourself] vs. [trust nobody, not even yourself].

Simon
An entity claiming to be Marianne Mueller wrote:
:
: We've reached urban legend time for Java...?
:
: There is no Java virus known as "Black Widow". There was a melodramatic
: web article about Java security that used the title "Black Widow", a pun
: on the web. The article focused mostly on the danger of denial-of-service

"Black Widow" was the calling card of a little script called 'latro' that exploited the stupidity of certain webmasters who put perl.exe in the cgi-bin directory on PC-based webservers. The default code to execute on the remote machine was:

    print "If I were nasty, you'd be spiderfood by now.\n";
    print "\n\n\t--the black widow\n";

--
Mark Rogaski         | Why read when you can just sit and  | Member
GTI System Admin     | stare at things?                    | Programmers Local
wendigo@gti.net      | Any expressed opinions are my own   | # 0xfffe
wendigo@pobox.com    | unless they can get me in trouble.  | APL-CPIO
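Why an interpreter in cgi-bin is remote code execution, and the server-side check that closes it, as an added illustration that is not part of the thread and not the 'latro' script itself. The mechanism is the CGI/1.1 "indexed query" rule (RFC 3875, section 4.4): when QUERY_STRING contains no unencoded '=', the server may split it on '+', URL-decode each word and hand the words to the script as command-line arguments. That is harmless for a search script and fatal for perl.exe, whose -e switch runs its next argument as code. The interpreter list, the dispatch() function and the request strings below are constructed for this example.

```python
"""Simulated CGI dispatch: the argv rule that made perl.exe in cgi-bin
exploitable, plus a guard that refuses interpreters and option arguments.
Added example; none of this is code from the original thread."""
from urllib.parse import unquote

# Interpreter and shell binaries that must never be reachable as CGI
# "scripts". Hypothetical list assembled for this example.
INTERPRETERS = {
    "perl", "perl.exe", "sh", "bash", "ksh", "cmd.exe", "command.com",
    "python", "python.exe", "php", "php.exe", "tclsh", "wish",
}


def cgi_argv(query_string):
    """Command-line arguments a CGI/1.1 server derives from QUERY_STRING.

    RFC 3875 s.4.4: only when the query carries no unencoded '=' (i.e. it
    is not form data) is it split on '+' and URL-decoded into argv words.
    A '%20' inside a word survives as a space within that single word.
    """
    if "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


def dispatch(script_name, query_string):
    """Decide what a hardened server would exec for this request.

    Returns {"allowed": True, "argv": [...]} or {"allowed": False,
    "reason": "..."}. Two independent checks:
      1. the target must not be an interpreter (perl.exe, cmd.exe, ...);
      2. the client must not be able to pass option-style arguments,
         because '-e' / '-c' style switches turn an argument into code.
    """
    base = script_name.rsplit("/", 1)[-1].lower()
    if base in INTERPRETERS:
        return {"allowed": False,
                "reason": f"{base} is an interpreter, not a CGI script"}
    argv = cgi_argv(query_string)
    if any(arg.startswith("-") for arg in argv):
        return {"allowed": False,
                "reason": "client-supplied option-style argument"}
    return {"allowed": True, "argv": [script_name, *argv]}


if __name__ == "__main__":
    # Constructed request in the shape such a misconfiguration invites:
    # '-e' plus a one-word (space-encoded) Perl expression. The payload
    # here only prints a string, nothing more.
    hostile = "-e+print%20%22spiderfood%22"
    print(cgi_argv(hostile))                       # ['-e', 'print "spiderfood"']
    print(dispatch("/cgi-bin/perl.exe", hostile))  # refused: interpreter
    print(dispatch("/cgi-bin/search", hostile))    # refused: '-e' argument
    print(dispatch("/cgi-bin/search", "java+virus"))  # allowed, argv words
    print(dispatch("/cgi-bin/search", "q=java"))   # allowed, form data, no argv
```

The first check is the one that matters: an interpreter under the CGI root is arbitrary code execution regardless of how carefully the query string is parsed, because the interpreter also reads the request body and environment. The argv guard is defence in depth for the scripts that legitimately live there.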
participants (6)

- Adam Shostack
- gcg@pb.net
- mrm@netcom.com
- Perry E. Metzger
- Rev. Mark Rogaski
- Simon Spero