In a reemergence of the scare over "black widow" or "rogue" applets designed to crash PCs, Sun Microsystems hastened today to reassure users that Java does not pose a significant security threat. Maybe a few inconveniences, but not a threat.
Sun issued its statement after Australia's largest telecommunications company, Telstra, requested that its Web-enabled employees not use Java-compatible browsers because of security concerns.
"We specifically instructed employees that if they go out into the big world of the Internet, they should turn off the Java capability of their browsers," confirmed Mark Ames, Telstra's national manager for security standards and architecture. He estimated that the policy only affects about 200 employees because most are still working on Windows 3.1 systems, which can't run Java.
Sun executives acknowledged the existence of "denial of service" applets that hog resources and crash systems--not unlike what happens when too many applications are open at the same time. Such applets are "annoying and tedious" but pose no security threat, according to Sun.
But many fear that hackers could program the applets to deliberately use up a PC's resources to the crash point or, worse, use applets to gain access to a private system.
"We're not aware of any so-called rogue applets," said Javasoft product manager David Spenhoff. "There are not rogue hackers finding flaws and exploiting them."
Separately from the rogue applet question, university researchers working with the Java source code have been able to find ways of circumventing the Java security manager that "sandboxes," or contains, Java applets within their intended functions. Granted, the methods they describe using to achieve this are highly arcane and not likely to be discovered by the average hacker. However, even the discovery of such flaws, combined with the sheer newness of a technology like Java, has worried many companies.
Ames says that as soon as the Java development people are satisfied that there aren't any risks from running applets, the company will rescind its policy against the use of Java. Spenhoff is scheduled to fly to Australia next week and presumably will try to persuade them that Java is perfectly safe.