Security of Java

Shen, Raymond North York (rshen@nestle.ca)
Mon, 5 May 1997 14:01:07 -0400

From: rshen@nestle.ca (Shen, Raymond North York)
To: java-security@web2.javasoft.com ('java-security@java.sun.com')
Message-Id: <97May5.140745edt.29443@doorman.nestle.ca>
Date: Mon, 5 May 1997 14:01:07 -0400
Subject: Security of Java

I'm the IS Audit Manager at Nestle Canada, rshen@nestle.ca.

We have Netscape 2.01 throughout the company.
My knowledge of Web security is limited to what I read from the popular
press. It seems to me that there is a potential threat that needs to be
either de-mystified or addressed.

It is possible to write Java applets that can call drivers that run
platform specific code. For example there is a module called "java.sql"
which is part of Sun's Java 1.1 which interfaces with the "outside
world". A Javascript can invoke an applet which contains the java.sql
module. It is possible to mass distribute the applet to all browsers in
the company using packages such as Marimba Castinet. In the popular
press they have identified the applet library (Netscape java_30.zip,
Explorer \windows\java\classes.zip) where anyone can add an applet,
themselves. They then need to distribute the corresponding platform
specific driver onto the workstation which will be called.

How much of this is true? As long as a java.sql can invoke a non-Java
module, I see great risks. Are there controls?

For security purposes, I think the integrity of the applet library should
be checked. Static protection could be a CRC file integrity check or a
centrally controlled version of it. I can imagine a virus that would
dynamically change reference to the applet library.

Can you please advise? Thank you.

Raymond Shen
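The message above proposes a static integrity check on the browser's applet library. The following is an added example written for this page, not code from the original message or from Netscape or Sun: it builds a centrally stored manifest of digests for a set of library files and later re-checks them, reporting anything modified or missing. It uses SHA-256 rather than a CRC because a CRC only catches accidental corruption; anyone who can write to the library can also adjust the file so the CRC still matches, whereas a cryptographic hash cannot be matched that way. The file names (java_30.zip, classes.zip) follow the message, but their contents, the tamper step and the manifest location are constructed for the demonstration.

```python
"""Integrity baseline for a browser's applet class library.

Added example, not part of the original message: build a manifest of
SHA-256 digests for the library files (stand-ins for Netscape's
java_30.zip and Explorer's classes.zip), store it, and later check the
files against it. All file contents below are constructed.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Create the centrally controlled manifest: path -> digest."""
    return {p: sha256_file(p) for p in paths}


def verify(baseline: Dict[str, str]) -> List[str]:
    """Compare files on disk against the manifest.

    Returns one finding per problem, prefixed MISSING or MODIFIED, in
    manifest order; an empty list means every file matches.
    """
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append(f"MISSING {path}")
            continue
        if sha256_file(path) != expected:
            findings.append(f"MODIFIED {path}")
    return findings


def demo() -> List[str]:
    """Constructed scenario: baseline two stand-in library files,
    tamper with one and delete the other, then re-check."""
    workdir = tempfile.mkdtemp()
    lib = os.path.join(workdir, "java_30.zip")
    classes = os.path.join(workdir, "classes.zip")
    with open(lib, "wb") as fh:
        fh.write(b"PK\x03\x04 constructed stand-in for java_30.zip")
    with open(classes, "wb") as fh:
        fh.write(b"PK\x03\x04 constructed stand-in for classes.zip")

    # The manifest is written once, from a known-good workstation.
    # In practice it lives on a server the workstations cannot write to.
    baseline = build_baseline([lib, classes])
    manifest_path = os.path.join(workdir, "baseline.json")
    with open(manifest_path, "w") as fh:
        json.dump(baseline, fh)

    # Simulated tampering: a class appended to the library, and the
    # second archive removed altogether.
    with open(lib, "ab") as fh:
        fh.write(b"\nAddedApplet.class")
    os.remove(classes)

    # Later check, using only the stored manifest.
    with open(manifest_path) as fh:
        stored = json.load(fh)
    return verify(stored)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run the check from a scheduled job or login script and treat any non-empty result as an incident; the manifest itself must be distributed from, and compared against, a location the workstation user cannot modify, otherwise an attacker who replaces the library can replace the manifest too.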