From owner-freebsd-questions Fri Jun 28 11:29:56 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA20062 for questions-outgoing; Fri, 28 Jun 1996 11:29:56 -0700 (PDT)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA20054 for ; Fri, 28 Jun 1996 11:29:54 -0700 (PDT)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id LAA08210; Fri, 28 Jun 1996 11:27:31 -0700
From: Terry Lambert
Message-Id: <199606281827.LAA08210@phaeton.artisoft.com>
Subject: Re: java script and security violation message
To: kuku@gilberto.physik.rwth-aachen.de (Christoph P. Kukulies)
Date: Fri, 28 Jun 1996 11:27:31 -0700 (MST)
Cc: freebsd-questions@freefall.freebsd.org
In-Reply-To: <199606281105.NAA18849@gilberto.physik.rwth-aachen.de> from "Christoph P. Kukulies" at Jun 28, 96 01:05:48 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Yesterday I browsed some web sites in Germany from my home machine
> (2.2-current) using netscape (not sure whether it was 2.0 or 3.0b4).
>
> Anyway I got an alert box several times saying something of
> security violation in Java script line xxx.
>
> It looked a bit like I had to be concerned about it. What does it mean?
> Is it a security issue? BTW, I was root while doing this - maybe not
> a good idea to run netscape while being root anyway.

There are several well known holes in JAVA. One of them uses a two
system user environment attack: it takes advantage of known variables
in shared scoping to hack you.

This is the kind of bug that was fixed in Netscape 3.0b3 and 3.0b4
(at the same time, these "sparse space" IPC facilities were what
enabled the JDK to operate, so unless you run 3.0b2, you can't run
the JDK).

Search Yahoo for "JAVA security". There are several "crack
demonstration pages" you can play with.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.