288 Chapter 5 • Communication Security: Web Based Services
applets cannot do any serious damage to system data, or do very much snooping. However, if you think there aren’t any bugs in Java, you’d be wrong. Sun’s Java Web site provides several methods of viewing the bugs that have been found, including a chronology of security-related issues and bugs at www.java.sun.com/security/chronology.html. This list only provides known bugs and issues until November 19, 2002, so you’ll have to use the link for Sun Alert Notifications on this page to have the search engine list all the ones after this date. They also provide an online database of bugs at www.bugs.sun.com. Although this may not give one an overwhelming sense of security, you need to realize that as bugs and security issues become known, patches and upgrades are released to solve the problem. Even though such bugs are mostly killed off after being discovered, there are still some malicious things that can be done.
A common problem with badly written applets is that they are capable of creating threads that run constantly in the background. A thread is a block of code that can execute simultaneously with other blocks of code. Even after the user closes the e-mail or one browser window and moves on, the threads can keep running. This can be annoying, depending on what the thread is doing. Some annoying threads just play sounds repeatedly, and closing the offending piece of e-mail will not stop it. The only way to kill a rogue thread is to completely close all your browser windows or exit your e-mail program. Applets also exist that, either intentionally or through bad programming, will use a lot of memory and CPU power. Usually, they do this by creating many threads that all do some sort of computation or employ a memory leak. If they use too much, they can slow a system or even crash it. This type of applet is very easy to write, and very effective at shutting down a system.
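The lifecycle problem described above comes down to whether an applet's worker thread is tied to the browser's start()/stop() calls. The following is an added example written for this page, not code from the book: LeakyApplet reproduces the failure mode (a thread that nothing can stop, because no reference is kept and the interrupt is swallowed), and WellBehavedApplet shows the correction, where stop() clears a volatile flag, interrupts the worker and waits for it to finish. It assumes a JDK that still ships java.applet (JDK 8 through 16); the class and field names are hypothetical.

```java
import java.applet.Applet;

// Added example, not from the book. Illustrates the "thread outlives the page" problem
// and the applet-lifecycle discipline that prevents it.

// BAD: the worker is anonymous, never checks a flag, and swallows InterruptedException,
// so neither stop() nor destroy() can end it. It runs until the whole browser exits,
// exactly the behaviour the text describes.
class LeakyApplet extends Applet {
    @Override
    public void init() {
        new Thread(new Runnable() {
            public void run() {
                while (true) {
                    repaint();
                    try { Thread.sleep(100); } catch (InterruptedException e) { /* ignored */ }
                }
            }
        }).start();   // no reference kept, nothing to stop later
    }
}

// GOOD: the worker belongs to the applet lifecycle. start() launches it, stop()
// signals it, interrupts it and joins it, so leaving the page really ends the work.
public class WellBehavedApplet extends Applet implements Runnable {
    private volatile boolean running;   // written by the browser thread, read by the worker
    private Thread worker;

    @Override
    public void start() {               // browser calls this whenever the page becomes visible
        running = true;
        worker = new Thread(this, "applet-worker");
        worker.setDaemon(true);         // a daemon thread never keeps the JVM alive by itself
        worker.start();
    }

    @Override
    public void stop() {                // browser calls this when the user leaves the page
        running = false;
        Thread t = worker;
        if (t != null) {
            t.interrupt();              // wake it if it is blocked in sleep()
            try {
                t.join(1000);           // give it a bounded time to exit cleanly
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            worker = null;
        }
    }

    @Override
    public void destroy() {
        stop();                         // a destroyed applet must not leave threads behind
    }

    @Override
    public void run() {
        // Both the flag and the interrupt status are honoured, so stop() always wins.
        while (running && !Thread.currentThread().isInterrupted()) {
            repaint();                  // stands in for whatever periodic work the applet does
            try {
                Thread.sleep(100);
            } catch (InterruptedException e) {
                return;                 // interrupted by stop(): exit instead of swallowing it
            }
        }
    }
}
```

The two changes that matter are the volatile flag checked on every loop iteration and the refusal to swallow InterruptedException; without either, the browser has no way to reclaim the thread short of exiting.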
As we have learned, an applet may not contact other servers on the Internet except for the server on which the applet originated. If you send out spam mail, you could use an applet to verify that the recipient’s e-mail address is still active. As soon as the recipient opens the e-mail, the applet can contact its own originating server on the Internet and report that he or she has read the e-mail. It can even report the time it was opened, and possibly how long the recipient read it. This is not directly damaging to a system, but it’s an invasion of privacy.
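The same-origin network rule that the paragraph relies on is enforced by the applet security manager, which throws a SecurityException before any socket to a non-origin host is opened. The following added example (not from the book) makes that rule visible from inside a sandboxed applet: it attempts one connection to its own codebase host and one to a different host, and records whether each was permitted. It assumes a JDK with java.applet (JDK 8 through 16) and a browser or appletviewer running the applet with default sandbox settings; the host name and class name are hypothetical.

```java
import java.applet.Applet;
import java.io.IOException;
import java.net.Socket;

// Added example, not from the book: shows the applet sandbox allowing a connection back
// to the originating host and refusing one to any other host.
public class OriginCheckApplet extends Applet {
    private String lastResult = "";   // readable with getLastResult() for display or logging

    @Override
    public void init() {
        String origin = getCodeBase().getHost();                     // the host the applet was loaded from
        String other = "other-host.invalid";                         // hypothetical non-origin host
        lastResult = "origin " + origin + ": " + describeConnect(origin, 80) + "\n"
                   + "other " + other + ": " + describeConnect(other, 80);
    }

    // Classifies the sandbox decision separately from ordinary network failure: a
    // SecurityException means the policy refused the connection; an IOException means
    // the policy allowed it but the host could not be reached.
    static String describeConnect(String host, int port) {
        try (Socket s = new Socket(host, port)) {
            return "allowed by sandbox (connected)";
        } catch (SecurityException e) {
            return "blocked by sandbox: " + e.getMessage();
        } catch (IOException e) {
            return "allowed by sandbox, but I/O failed: " + e.getMessage();
        }
    }

    public String getLastResult() {
        return lastResult;
    }
}
```

Under default sandbox settings the first line reports the connection as allowed (or as an ordinary I/O failure if nothing listens on the port) and the second reports it as blocked; only a signed applet that the user has explicitly trusted gets past the second check, which is why the text ties "no serious damage" to keeping the default security settings.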
The only pieces of information an applet can obtain are the user’s locale (the country setting for the OS), the size of the applet, and the IP address information. The security model for applets is quite well done, and generally, there is no serious damage that can be caused by an applet, as long as the user retains default settings for Internet security. There is not much a user can do to prevent minor attacks. The first thing security-conscious users would want to do is use the latest versions of
www.syngress.com