An Early Netscape DNS Bug
Many of the famous Java security problems are in some sense “just bugs” and everything in society has bugs from car safety through conventional policing
- Again Java bugs are more worrisome because they are potentially so widespread
Currently Java is restricted to establishing a network connection to site you downloaded it from. This assumes you trust site and wouldn’t connect to iwanttodestroy.yoursystem.org.
So in a Netscape2.0 bug, it was possible to set up applet so that it could connect to an arbitary site
- Bug involved a malicious DNS server returning a set of IP addresses including allowed and disallowed ones. Netscape2.0 allowed one to connect to disallowed address
- Now we have established a connection which could break through a firewall and in principle do arbitary damage/breach of confidentiality
Netscape2.01 corrected bug by only allowing connection to original IP address