After telling CNET's NEWS.COM yesterday that its software was not affected by a reported Java flaw, Netscape Communications (NSCP) backtracked today and said the problem in fact exists and will be patched in the upcoming version of Communicator.
The admission also clears the conscience of Ben Mesander, the Colorado-based Java programmer whose Web site demonstrates the bug, which also affects versions 3.x and 4.0 of Microsoft's Internet Explorer. Mesander temporarily disabled his demonstration yesterday because consultations with Netscape convinced him that his test was flawed, as reported yesterday. He has since reactivated the demonstration.
The bottom line is that Netscape's version of the Java Virtual Machine--the software that allows a browser to understand and run Java applets--allows applets to make connections to servers other than their own hosts and download files. This violates the Java security model, which doesn't permit applets to make such "third-party" connections. The circumstances under which this can happen in the Netscape environment are highly specific and only permit access to image and sound files, Netscape representatives said today.
As for the reversal, "new information came to light late last night," said Netscape senior security product manager David Andrews. Despite Monday's denial of buggy software, Netscape engineers continued to consult with Mesander, whose demo applet seemed to indicate that Netscape's implementation of the Java Virtual Machine in its browsers violated the Java security model. After consulting with Netscape all day Monday, however, Mesander issued a mea culpa on his Web site that affirmed Netscape's claim that his test applet was itself buggy and was producing a "false positive" on Netscape products.
After Monday's late-night consultation, Mesander rescinded his apology today, and Netscape now says Mesander's applet was fine but that his interpretation of the results it produced was "too broad."
"They didn't like my applet," Mesander said today, "but they acknowledged that it worked and that it demonstrated the bug."
To exploit the hole, a programmer must use the URL of the targeted file to create an applet and corresponding code on the applet's host server. Furthermore, the unsuspecting browser user must go to the programmer's Web site and download the applet, and the user's browser must be connected to a proxy server within a company firewall.
As unlikely as these variables seem, Netscape nonetheless will fix the bug in Communicator 4.02, the upcoming version for Mac and Windows that will ship with Netcaster. (See related story) Communicator 4.02 for Unix has already been posted and will be patched in the next maintenance release. Representatives did not give a specific date.
All browsers use a Java Virtual Machine to interpret and run Java applets. Not all JVMs are alike, however, and the different implementations are suited to fit the needs of the platform the browser is on. This explains why browsers don't necessarily hew to the standard Java security model.
Under the current Java security model, Java applets downloaded by users are only allowed to communicate with the servers that host them, according to JavaSoft, the division of Sun Microsystems in charge of Java development. If an applet attempts a connection to another host, a "security exception" warning occurs and the applet is aborted.