Hostile applet not so hostile

A security alert issued by a company that sells Java security tools about an allegedly hostile applet turns out to be a false alarm.

A security alert sent to the media warning of a hostile Java applet loose on the Internet has turned out to be a false alarm, but the incident underscores the industry's skittishness over security breaches opened by the use of Java and Internet applications.

Finjan Software, maker of an "alarm system" that warns Web surfers of suspicious applets, notified the press Monday that it had discovered a hostile Java program on one of America Online's member Web sites. The company reported that the applet could scan a user's hard drive and then connect to an unknown computer on the Net.

But the author of the applet and Sun Microsystems say Finjan misrepresented the applet, a graphical game called Spirograph, in two ways: by mischaracterizing the applet's activity and by reporting that it was "hostile," or created with malicious intent.

Finjan called the applet the first real-world example of a hostile applet, a class of Java programs that inflict offensive acts on a Web surfer's PC, such as launching a barrage of new windows until a system crashes. Such programs--which Sun calls "denial of service" applets--and other Java security bugs have so far been witnessed only by computer science experts illustrating potential loopholes in Java. No real examples created by malicious hackers have been discovered.

Nevertheless, many users continue to be scared of the theoretical security risks, and this fear has opened a window of opportunity for software tools that promise to plug Java security holes. One such product is Finjan's SurfinBoard, a companion application for Web browsers that blocks out or at least closely monitors applets.

For obvious reasons, Finjan was excited to be able to alert the press that it had found the first example of a hostile applet outside of the rarefied Web pages of computer science experts. "Unlike previous suspicious applets that have been created and detected in controlled environments, this applet is out there in the 'real world' of cyberspace," the alert stated.

Not so, protested the applet's author. "What they are saying is completely untrue," said Anu Garg, an Internet consultant at AT&T Labs and the creator of Spirograph. "This doesn't do any unscrupulous activity."

Although Finjan discovered the applet on an America Online site, it originated on Garg's home page on a different server. According to Sun officials who analyzed Spirograph, the applet attempts to retrieve a sound file from Garg's server, an action that triggered Finjan's alert.

In fact, Spirograph's attempt to fetch a file from a server other than the one it was loaded from is denied by Java's built-in security manager, a kind of digital gatekeeper that prevents risky moves such as reading from or writing to files on a user's disk. When Java's security manager blocks an applet from performing an action, Finjan's SurfinBoard sounds an alarm.
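The mechanism described above, as an added illustration written for this page (it is neither Sun's applet security manager nor Finjan's SurfinBoard): an untrusted applet may only open network connections back to the host it was loaded from, and a monitor records each refused attempt so it can raise a flag. The class name, the host names and the file paths are constructed for the example; the scenario mirrors the article's, with an applet served from a member page that tries to fetch an audio clip from its author's own server.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * AppletOriginPolicy models the sandbox rule the article describes: an
 * untrusted applet may only open network connections back to the host it
 * was loaded from. Refused attempts are recorded so that a monitor can
 * draw the user's attention to them, which is what SurfinBoard does when
 * the security manager blocks an action.
 *
 * Example code written for this page; it is not Sun's SecurityManager and
 * not Finjan's product. Host names and paths used below are constructed.
 */
public class AppletOriginPolicy {

    /** Outcome of one connection attempt. */
    public enum Decision { ALLOWED, DENIED }

    private final String originHost;
    private final List<String> flagged = new ArrayList<>();

    /** @param appletUrl the URL the applet's class file was loaded from */
    public AppletOriginPolicy(String appletUrl) {
        this.originHost = hostOf(appletUrl);
    }

    private static String hostOf(String url) {
        String host = URI.create(url).getHost();
        if (host == null) {
            throw new IllegalArgumentException("no host in " + url);
        }
        return host.toLowerCase();
    }

    /**
     * Plays the role of the security manager's connect check: a connection
     * to any host other than the origin is refused and logged.
     */
    public Decision checkConnect(String targetUrl) {
        String target = hostOf(targetUrl);
        if (target.equals(originHost)) {
            return Decision.ALLOWED;
        }
        flagged.add("applet from " + originHost + " tried to reach "
                + target + " (" + targetUrl + ")");
        return Decision.DENIED;
    }

    /** The entries a monitor such as SurfinBoard would show the user. */
    public List<String> flaggedAttempts() {
        return Collections.unmodifiableList(flagged);
    }

    public static void main(String[] args) {
        // Constructed scenario: the applet is served from a member page on
        // one host but was written to fetch its audio clip from the author's
        // own server, so the sound request crosses the origin boundary.
        AppletOriginPolicy policy = new AppletOriginPolicy(
                "http://members.example-host.test/~member/Spirograph.class");

        Decision sound = policy.checkConnect(
                "http://author-home.example.test/sounds/click.au");
        Decision image = policy.checkConnect(
                "http://members.example-host.test/~member/logo.gif");

        System.out.println("audio clip from author's server: " + sound);
        System.out.println("image from originating host:     " + image);
        for (String flag : policy.flaggedAttempts()) {
            System.out.println("FLAG: " + flag);
        }
    }
}
```

Run as-is, the audio request is refused and one flag is recorded, while the request to the originating host is allowed. The point the example makes is the one Sun's engineers raise in the article: a refused cross-origin fetch is evidence that the sandbox held, not that the applet succeeded in doing anything; a monitor that only reports what the gatekeeper already blocked should say so plainly rather than present the refusal as a breach.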

Sun representatives say that Java's security manager is, if anything, too stringent and that Finjan's product only alerts users to a risk that Sun's software has already averted.

"All [the applet] is trying to do is get an audio clip," said Marianne Mueller, a security expert at JavaSoft. "That's a perfectly innocent thing for an applet to do. Either Finjan doesn't understand technically what's going on, or they are making a mountain out of a molehill."

Finjan acknowledged that Java's security manager bounces risky applets. But the company points out that researchers have found bugs in the security manager that make additional precautions such as SurfinBoard necessary. Even if the security manager does what it's supposed to do, SurfinBoard draws the user's attention to misbehaving applets, the company said.

"[SurfinBoard] shows the possibility of an illegal connection being made," said Aryeh Green, director of marketing for Finjan. "SurfinBoard raised a flag."

Many users, particularly information systems managers at large companies, have noticed that flag, and they are not taking any chances, no matter what Sun says.

"[IS managers] are very cautious about Java," said George Kurtz, a security consultant at Price Waterhouse. "It's prudent to tread lightly. Java is relatively new. Looking toward the future, there will be additional vulnerabilities in it."
