Great Circle Associates Firewalls
(February 1996)

Subject: Re: JAVA security problem ?
From: "Paul D. Robertson" <proberts @ clark . net>
Date: Sat, 10 Feb 1996 11:29:54 -0500 (EST)
To: Jeff Murphy <jcmurphy @ smurfland . cit . buffalo . edu>
Cc: mdr @ vodka . sse . att . com, Firewalls @ GreatCircle . COM
In-reply-to: <199602091826 . NAA15491 @ smurfland . cit . buffalo . edu>

On Fri, 9 Feb 1996, Jeff Murphy wrote:

> in netscape, you open a URL .. http://www.foo.com/applet.html
> 
> and it downloads an applet.. the applet attempts to open a socket
> to 'firewall.your.com' and it fails... because the socket class that
> is available via netscape only permits it to connect to the host 
> designated in the above URL. if you can use IP spoofing to change the 
> URL listing in the "Location:" box of a browser.. I'd be fairly impressed.
>

It's not in the box on the screen that it gets this though, it's in storage,
and with Netscape 2.0 you can run plug-in modules.  PCs running Win*, and 
Macintoshes running System* don't have application level protected memory,
right?  So, all I need is a plug-in that sits around and waits for the 
Java code to start executing and overloads one of the standard callback
functions with evil code, no?  It's been forever since I did any Win*
development, but unless things have changed quite significantly, all
it would take is "click here to get the nifty plug-in", "Install the 
nifty plug-in", "Go to the gee-wizz-neat-o java site from the nifty plug-in".

I'd think that mime apps are the same sort of risk, and it really doesn't
take Java to do this, but it sure is nice to be able to modify the attack
code without getting the user to download new code each time, and run an 
installation.

I'd *really* like to see a version of Netscape, and a few other popular 
desktop TCP/IP apps that wouldn't run code (including itself) that wasn't 
signed by a site administrator with a digital signature/checksum.  Hell,
I'd pay extra for that!  If another vendor offered a trade-in on 
registered Netscape browsers, and had this functionality, they'd get my 
business exclusively (hint, hint -- it's worth a try).
   
> after thinking about it a bit more than I really wanted to.. I don't see how
> an applet can get around only being able to connect to www.foo.com.
> 

After thinking about it for a lot longer than I really wanted to, I think 
that other than doing some CNAME or other DNS aliasing that someone else 
has already explored (wonder what the code actually checks for?  Was this 
in the alpha release?  I may still have that code somewhere...) there's much 
more harm to be done with plug-ins, mime types, rogue DLLs, message handlers, 
and callbacks.  That doesn't mean that I'm thrilled with Java opening sockets 
though.

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts @ clark . net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
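To make concrete the question Paul raises ("wonder what the code actually checks for?"), here is an added simulation of the rule Jeff describes, an applet may only open a socket back to the host it was loaded from. It is example code written for this archive page, not code from the thread, from Netscape or from Sun, and it shows why it matters whether the check compares host names or the addresses that were resolved when the applet was loaded. The host names, addresses and the resolver table are constructed stand-ins; no real DNS lookup is made.

```python
"""Simulated applet host-restriction check (added example, not code from the
thread). The applet may only connect back to its codebase host. Two ways of
enforcing that are compared: a name-only check, and a check that pins the
codebase's resolved addresses at load time. All names, addresses and the
resolver table below are constructed for illustration."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for DNS: name -> published addresses. In a real browser
# this answer comes from a resolver the browser does not control.
RESOLVER: Dict[str, List[str]] = {
    "www.foo.com": ["198.51.100.10"],
    "firewall.your.com": ["192.0.2.1"],
}


def resolve(name: str) -> List[str]:
    """Return the addresses currently published for `name` (empty if unknown)."""
    return list(RESOLVER.get(name, []))


@dataclass
class NameCheck:
    """Compare host names only: the target must equal the codebase name."""
    codebase: str

    def allows(self, target: str) -> bool:
        return target == self.codebase


@dataclass
class PinnedAddressCheck:
    """Resolve the codebase once at load time and pin those addresses; a later
    connect is allowed only if the target resolves entirely to pinned addresses."""
    codebase: str
    pinned: frozenset = field(init=False)

    def __post_init__(self) -> None:
        self.pinned = frozenset(resolve(self.codebase))

    def allows(self, target: str) -> bool:
        addrs = resolve(target)
        return bool(addrs) and all(a in self.pinned for a in addrs)


def effective_destination(check, target: str) -> Optional[str]:
    """Address a socket would actually reach if the check passes, else None."""
    if not check.allows(target):
        return None
    addrs = resolve(target)
    return addrs[0] if addrs else None


def demo() -> Dict[str, object]:
    """Run both checks before and after the resolver's answer for the codebase
    name changes; returns the observations so they can be inspected or tested."""
    name_check = NameCheck("www.foo.com")
    pinned = PinnedAddressCheck("www.foo.com")  # pins 198.51.100.10 at "load"
    results: Dict[str, object] = {
        "name_check_other_host": name_check.allows("firewall.your.com"),
        "pinned_other_host": pinned.allows("firewall.your.com"),
        "name_check_own_host": effective_destination(name_check, "www.foo.com"),
        "pinned_own_host": effective_destination(pinned, "www.foo.com"),
    }
    # Model the resolver answer for the codebase name changing after the applet
    # loaded (the DNS aliasing the thread refers to): the name still matches,
    # but it now points at an address on the inside of the firewall.
    saved = RESOLVER["www.foo.com"]
    RESOLVER["www.foo.com"] = ["10.0.0.5"]
    try:
        results["name_check_after_change"] = effective_destination(name_check, "www.foo.com")
        results["pinned_after_change"] = effective_destination(pinned, "www.foo.com")
    finally:
        RESOLVER["www.foo.com"] = saved  # restore so demo() is repeatable
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both checks refuse the direct connection to firewall.your.com, which is the case Jeff tested. The difference appears only when the name-to-address binding changes after load: the name-only check still passes and the socket reaches the new address, while the pinned check denies it. That is the property a site administrator would want to confirm about the actual browser implementation rather than infer from the "Location:" box.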