From owner-freebsd-questions  Sat Jun 29 01:06:42 1996
Return-Path: owner-questions
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id BAA15881
          for questions-outgoing; Sat, 29 Jun 1996 01:06:42 -0700 (PDT)
Received: from Campino.Informatik.RWTH-Aachen.DE (campino.Informatik.RWTH-Aachen.DE [137.226.225.2])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id BAA15836
          for <freebsd-questions@freefall.freebsd.org>; Sat, 29 Jun 1996 01:05:15 -0700 (PDT)
Received: from gilberto.physik.rwth-aachen.de (gilberto.physik.rwth-aachen.de [137.226.31.2]) by Campino.Informatik.RWTH-Aachen.DE (RBI-Z-5/8.6.12)
	with ESMTP id KAA08323; Sat, 29 Jun 1996 10:01:24 +0200
Received: (from kuku@localhost) by gilberto.physik.rwth-aachen.de (8.6.11/8.6.9) id KAA22326; Sat, 29 Jun 1996 10:13:47 +0200
From: "Christoph P. Kukulies" <kuku@gilberto.physik.rwth-aachen.de>
Message-Id: <199606290813.KAA22326@gilberto.physik.rwth-aachen.de>
Subject: Re: java script and security violation message
To: terry@lambert.org (Terry Lambert)
Date: Sat, 29 Jun 1996 10:13:46 +0200 (MET DST)
Cc: kuku@gilberto.physik.rwth-aachen.de,
        freebsd-questions@freefall.freebsd.org
In-Reply-To: <199606281827.LAA08210@phaeton.artisoft.com> from Terry Lambert at "Jun 28, 96 11:27:31 am"
Reply-To: Christoph Kukulies <kuku@gilberto.physik.rwth-aachen.de>
X-Mailer: ELM [version 2.4ME+ PL16 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > Yesterday I browsed some web sites in Germany from my home machine
> > (2.2-current) using netscape (not sure whether it was 2.0 or 3.0b4).
> > 
> > Anyway I got an alert box several times saying something of
> > security violation in Java script line xxx.
> > 
> > It looked a bit like I had to be concerned about it. What does it mean?
> > Is it a security issue? BTW, I was root while doing this - maybe not 
> > a good idea to run netscape while being root anyway.
> 
> There are several well known holes in JAVA.  One of them uses a two
> system user environment attack: it takes advantage of known variables
> in shared scoping to hack you.
> 
> This is the kind of bug that was fixed in Netscape 3.0b3 and 3.0b4
> (at the same time, these "sparse space" IPC facilities were what
> enabled the JDK to operate, so unless you run 3.0b2, you can't run
> the JDK).

I checked once again, it was 3.0b4 I was using.

> 
> Search Yahoo for "JAVA security".  There are several "crack demonstration
> pages" you can play with.
> 
> 
> 					Terry Lambert
> 					terry@lambert.org
> ---
> Any opinions in this posting are my own and not those of my present
> or previous employers.
> 

--Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de