Some fear one bad applet spoils batch

Fears that one bad applet will spoil the batch are driving demand for more Java security.

Sun Microsystems' Java applet language is hot--and hyped--but fears that one bad applet will spoil the whole bunch are driving demand for new network security products that screen for incoming Java applets or block them altogether.

The concerns stem from two separate but related problems with Java. Sun has gotten a lot of bad press for a series of security holes discovered by researchers at Princeton University that could be exploited by hackers to read and write to hard disks over a network, although no such offenses have been reported. The company has also acknowledged that hackers could create so-called "hostile" or "black widow" applets designed to crash a hard disk by consuming all of a PC's resources.

Sun says that this problem, like the security holes, is real but exaggerated. But the mere possibility of such exploits makes some information systems managers leery of having Java anywhere on their internal intranets, which deliver an ever-increasing amount of mission-critical data and applications. Such fears have led at least one large company, Telstra, Australia's largest telco, to ask its employees to disable Java when browsing the Web.

Aiming at just such companies, Israeli firm Finjan will announce the availability of SurfinBoard, a security software tool for the desktop that sounds an alert whenever an applet is on its way or refuses them entirely.

Likewise, Trusted Information Systems announced this week a new version of its firewall security software that can block access to both Java applets and ActiveX components, just as it bars unauthorized outside users.
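To make concrete what a screening product of this kind does, here is an added example of a small content filter; it is illustration code written for this article, not Finjan's or Trusted Information Systems' software. It inspects a fetched response and either sounds an alert (the desktop-tool posture) or strips the mobile code before it reaches the browser (the firewall posture). The 0xCAFEBABE magic at the start of every compiled Java class file is real; the sample responses, URLs and the `Response` type are constructed for the example, and the MIME-type checks are assumptions about what a proxy would see.

```python
"""Screen HTTP responses for Java applets and ActiveX controls (added illustration)."""
import re
from dataclasses import dataclass

# Every compiled Java class file begins with the bytes 0xCAFEBABE; JAR archives are ZIP files.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
ZIP_MAGIC = b"PK\x03\x04"

# HTML markup that embeds mobile code: <applet> loads a Java applet,
# <object classid=...> loads an ActiveX control.
APPLET_TAG = re.compile(rb"<\s*applet\b", re.IGNORECASE)
ACTIVEX_TAG = re.compile(rb"<\s*object\b[^>]*\bclassid\s*=", re.IGNORECASE)
APPLET_BLOCK = re.compile(rb"<\s*applet\b.*?<\s*/\s*applet\s*>", re.IGNORECASE | re.DOTALL)
ACTIVEX_BLOCK = re.compile(rb"<\s*object\b[^>]*\bclassid\s*=.*?<\s*/\s*object\s*>",
                           re.IGNORECASE | re.DOTALL)


@dataclass
class Response:
    """Minimal stand-in for a proxied HTTP response (constructed type for this example)."""
    url: str
    content_type: str
    body: bytes


def detect_mobile_code(resp):
    """Return the reasons this response carries Java or ActiveX code; an empty list means clean."""
    reasons = []
    ct = resp.content_type.lower()
    if resp.body.startswith(JAVA_CLASS_MAGIC):
        reasons.append("java class file (CAFEBABE magic)")
    # A JAR is just a ZIP; only call it Java when the name or type says so (assumed MIME type).
    if resp.body.startswith(ZIP_MAGIC) and (resp.url.lower().endswith(".jar") or "java-archive" in ct):
        reasons.append("java archive")
    if ct.startswith("text/html"):
        if APPLET_TAG.search(resp.body):
            reasons.append("<applet> tag in HTML")
        if ACTIVEX_TAG.search(resp.body):
            reasons.append("<object classid=...> (ActiveX) in HTML")
    return reasons


def screen(resp, mode="block"):
    """Apply policy and return (decision, body_to_deliver).

    mode="alert": flag the content but pass it through unchanged (desktop alerting tool).
    mode="block": strip applet/ActiveX markup from HTML, drop binary code outright (firewall).
    """
    reasons = detect_mobile_code(resp)
    if not reasons:
        return "allow", resp.body
    if mode == "alert":
        return "alert", resp.body
    if resp.content_type.lower().startswith("text/html"):
        cleaned = APPLET_BLOCK.sub(b"<!-- applet removed by policy -->", resp.body)
        cleaned = ACTIVEX_BLOCK.sub(b"<!-- ActiveX object removed by policy -->", cleaned)
        return "block", cleaned
    return "block", b""


# Constructed sample traffic: a page embedding an applet, a raw class file, and a clean page.
SAMPLE_HTML = Response(
    url="http://intranet.example/news.html",
    content_type="text/html",
    body=b'<html><body><p>Welcome</p><applet code="Ticker.class" width=200 height=30>'
         b'</applet></body></html>',
)
SAMPLE_CLASS = Response(
    url="http://www.example.com/Ticker.class",
    content_type="application/octet-stream",
    body=b"\xca\xfe\xba\xbe\x00\x03\x00\x2d" + b"\x00" * 8,
)
SAMPLE_CLEAN = Response(
    url="http://intranet.example/hello.html",
    content_type="text/html",
    body=b"<html><body><p>Hello</p></body></html>",
)

if __name__ == "__main__":
    for sample in (SAMPLE_HTML, SAMPLE_CLASS, SAMPLE_CLEAN):
        decision, body = screen(sample)
        print(sample.url, "->", decision, detect_mobile_code(sample))
```

A filter like this only sees what it can recognize in transit, so it is a policy gate for administrators who have decided not to admit applets at all; it does not replace the browser's own sandbox for sites where applets are allowed.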

Although these products speak to real concerns, it's not clear whether they fill a real need or merely feed what Sun would call paranoia.

In its product brochure, Finjan invokes the possibility of downloaded Java applets changing, destroying, or even stealing data and sending it back over the network to competitors.

"I'm all in favor of security tools that are helpful and that don't exaggerate the security threat of Java," said Marianne Mueller, staff engineer at Sun. "Running applets on your desktop PC is a low-risk thing. It's a risk to do anything on the Internet, so in terms of risks people are willing to take with things on the Internet, [Java] is low on the spectrum."

Sun responds that Java is built in such a way that applets cannot function beyond very specific parameters--a feature called sandboxing--and by definition are not allowed to read or write to hard drives. The worst they can do, Sun says, is drain resources and crash a system. "We're working hard to shore up that basic model," said Mueller.

At least one analyst sides with Sun's position that sandboxing works, as long as it is implemented properly by the browser vendor. "No one has found any security openings as long as there are no bugs in implementation," said Chris Byrnes, vice president of the Meta Group research firm.

Byrnes does dissent from Sun's argument, however, that hostile applets aren't a problem because no one has found any real examples. He says that programmers haven't had enough time to adequately experiment with applets for anyone to know how Java will be used.

"We also haven't seen any productive applets," he said. "When all you have is animated cartoons, it's hard to make anything destructive."
