
"Black widow" scare on Web

A report on a new breed of "hostile Java applets" has triggered the cyberspace equivalent of War of the Worlds.

Malicious hackers have unleashed a brood of deadly "black widow" Java applets on the Net. Sort of.

A report from a consultancy late last week on a new breed of "hostile Java applets" posted to the Net has triggered the cyberspace equivalent of the War of the Worlds, with dozens of concerned users circulating the report through email and Usenet discussion groups across the Internet.

Java's creator, Sun Microsystems, has attempted to douse the panic by saying that the software poses no greater threat than any other executable content on the Internet. But the company took the "black widow" scare seriously enough to post a notice on its Web site Friday, alerting users to the negative effects of hostile applets and pointing to sites that are actually hosting them.

The majority of these applets perform what Sun is calling "denial of service attacks." Such applets consist of code downloaded from Web pages that causes a user's browser or operating system to freeze up by devouring all of the computer's memory or CPU power.

Sun maintains that it has known about the possibility of denial of service attacks since Java's inception but that they're extremely difficult to prevent. Nevertheless, the company is investigating ways of limiting the amount of system resources an applet can use and is setting up systems to let third-party companies "certify" applets by verifying the correct use of Java code.

"We are looking at ways to set up resource limits," said Marianne Mueller, a security expert at Sun. "The other thing we're working on is code-signing techniques so that people can configure a browser so that it only executes trusted applets."

The company will detail its security efforts at the JavaOne developer conference in San Francisco later this month, officials said.

The ruckus was set off by a report entitled "Warning: Deadly Black Widow on the Web: Her Name is Java," published by consultancy Home Page Press. The report said hackers had created "hostile Java applets that are stalking the Web" and bringing users and systems to their knees by consuming memory and CPU resources.

Denial of service attacks are distinct from a series of other Java security problems uncovered by a Princeton University professor earlier this year, which Sun says it has since fixed.

In the meantime, the threat of hostile applets would probably put H.G. Wells to sleep. All of the Web sites identified by Sun as hostile Java applet hosts were created by academics wanting to illustrate the potential for negative uses of the programming language, not nefarious hackers bent on causing havoc.

"Chances are good that with Java, major security flaws will be discovered for years to come. Hostile applets are my way of pointing out the inherent dangers in such an enterprise," said Mark LaDue, a Ph.D. candidate at Georgia Tech University who has posted the Hostile Applets Home Page. "The solutions that Sun proposes [for Java] will work to a certain extent, but it will take a lot of time and effort to implement them."

One applet hosted on LaDue's site displays a message that reads, "I'm a friendly applet!" then continues to launch new windows while repeating the sound of a train whistle, eventually crashing a user's system.

LaDue and the other computer scientists involved have created these applets to illustrate potential problems, not cause them. But by so doing, some security experts say they may have opened the door a little wider for malicious hackers who could abuse the technology and the information.

"I think this is a completely new situation where the Web itself is providing this ongoing Q&A on its own technology. The technology is documenting itself," said Stephen Cobb, director of special projects at the National Computer Security Association. "We're seeing people demonstrating problems that exist with this technology. [Java] itself is problematic, but that is no different than any powerful enabling technology. Powerful technology can be abused."