JAVA Security Issues
What IS JAVA?
JAVA is a revolutionary programming language developed by SUN Microsystems. It allows ambitious programmers to add animation, interactive features such as calculators or games, and scrolling text bars to web pages.
The real appeal of JAVA is that it works across platforms. In other words, JAVA allows programmers to write one application that will work on Windows 95, Macintosh, and other Web-based platforms.
You have probably already seen JAVA at work even without realizing it. Some of the more exciting and advanced web sites use JAVA to 'jazz' up their appearance. For a good idea of what JAVA can do, check out SUN's Cafe de Sol. They have a list of JAVA applets (programs) that you can view online or download. The key thing to understand about JAVA for security purposes is that it is a multi-platform programming language that allows web sites to run programs on your computer that will enhance the interactivity of the site.
What Security Concerns are There?
JAVA is a security concern because web sites often run programs without the user's knowledge. 99% of the time, this is not a problem, as the majority of sites run only safe and secure JAVA applets that are designed to enhance your web experience. However, there is still the risk that in the future the number of 'hostile' applets or JAVA programs could rise, and wandering into one of the 'dark alleys' of the web could get you in trouble.
Hostile JAVA applets are divided into four categories:
- System Modification -- otherwise known as Attack applets. These programs can modify your system and delete files.
- Invasion of Privacy -- otherwise known as malicious applets. These programs can read information from your files and send it to a main server for collection purposes. Other possibilities include sending mail with your e-mail address.
- Denial of Service -- These applets attack your system by clogging up its resources (i.e. running infinite loop programs, or impossible to solve math problems). This will effectively deny you the use of your computer. Other applets have been written that would 'borrow' your CPU resources without your knowledge for work on a large 'supercomputer' type problem.
- Antagonism -- Generally annoying programs. Consequences are weak and usually just involve resetting the browser.
What Can I do to Protect Myself?
The best protection against JAVA applets is to know who you are dealing with. Web users should exercise caution when visiting unknown sites. The 'city' metaphor is appropriate here again. If you stick to the brightly lit and well traveled sections of the web (i.e. corporate sites, larger sites, sites you know others have been to safely, etc.) you should be o.k. It's when you travel some of the darker alleys and corners of the web that you risk getting hit by a malicious applet.
Another option is to disable JAVA altogether or have it warn you before it runs an applet on your computer. A recommended option is to download the JAVA filter from Princeton's Safe Internet Programming group. This program allows users to control which JAVA programs are run on their system without completely disabling it from their browser.
The other option is to disable it completely from your browser. To do this, locate your browser below and follow the instructions to disable JAVA programs from being run at all. This is best used only temporarily, when you know you are going to an untrusted site. If you leave JAVA disabled, you may not be able to fully enjoy many of the other safer and more mainstream sites.
Netscape Navigator 2.0x -- Open the Options menu and select the Security Preferences option. Click the 'Disable Java' button (JAVA is disabled when the button is pressed in).
Netscape Navigator 3.x -- Open the Options menu and select the Network Preferences option. This will open a tabbed window. Select the Languages tab. Click the button that says 'Enable Java'. JAVA is enabled when this button is pressed in.
Netscape Communicator 4.x -- Open Edit and select Preferences and then Advanced. On the first window is an option to Enable JAVA and Enable JAVAScript. Remove the check from both of these boxes.
Internet Explorer 3.x -- Open the View menu and select Options. This will open a tabbed dialog window. Select the Security tab. At the bottom of the window is a box for Enable Java Programs. Remove the check.
Recommended Reading
- JAVA Security FAQ -- A detailed Frequently Asked Questions file from SUN Microsystems that goes into the technical details of how JAVA applets can be used for malicious purposes.
- Real Grounds for JAVA Jitters -- A short article from Peter Coffee that originally appeared in PCWeek Magazine. Coffee argues that internet users and system administrators should not be complacent about the risks from JAVA.
- Hostile Applets on the Horizon -- A comprehensive review of hostile applets that attempts to explain how they work. The authors have included the source code for nine possible hostile applet attacks to give advanced users an understanding of the security issues.