Basic HTML version of Foils prepared April 7 1998

Foil 14 An Early Netscape DNS Bug

From Basic Principles of Java and Internet Security, CPS616 Web Technologies -- Spring 98, by Geoffrey C. Fox


Many of the famous Java security problems are in some sense "just bugs", and everything in society has bugs, from car safety through conventional policing
  • Again, Java bugs are more worrisome because they are potentially so widespread
Currently a Java applet is restricted to establishing a network connection to the site you downloaded it from. This assumes you trust that site and wouldn't connect to iwanttodestroy.yoursystem.org.
A bug in Netscape 2.0 made it possible to set up an applet so that it could connect to an arbitrary site
  • The bug involved a malicious DNS server returning a set of IP addresses including allowed and disallowed ones. Netscape 2.0 allowed the applet to connect to a disallowed address
  • The applet has then established a connection which could break through a firewall and in principle do arbitrary damage or breach confidentiality
Netscape 2.01 corrected the bug by only allowing connection to the original IP address
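
The difference between the two origin checks, as an added example that is not part of the original foils and is not Netscape's code. The host name, the addresses, the DNS answer and the "lenient" model of the 2.0 behaviour are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed DNS answer: the zone that served the applet answers for its own
# name with the real server address plus an address behind the firewall.
# Host name and addresses are hypothetical.
DNS_ANSWERS = {
    "applets.untrusted.example": ["203.0.113.10", "10.0.0.5"],
}
LOADED_FROM = "203.0.113.10"  # address the applet bytes actually came from


def resolve(name):
    """Stand-in for a DNS lookup; returns the set of addresses in the answer."""
    return {ipaddress.ip_address(a) for a in DNS_ANSWERS.get(name, [])}


def lenient_check(origin_host, target_ip):
    """Assumed model of the 2.0 behaviour: any address the origin host name
    resolves to is accepted as "the origin"."""
    return ipaddress.ip_address(target_ip) in resolve(origin_host)


def pinned_check(loaded_from_ip, target_ip):
    """The 2.01 fix as the foil states it: only the original IP address."""
    return ipaddress.ip_address(target_ip) == ipaddress.ip_address(loaded_from_ip)


def extra_reach(origin_host, loaded_from_ip):
    """Addresses the lenient check permits that the pinned check refuses."""
    pinned = ipaddress.ip_address(loaded_from_ip)
    return sorted(str(a) for a in resolve(origin_host) if a != pinned)


if __name__ == "__main__":
    host = "applets.untrusted.example"
    for target in ("203.0.113.10", "10.0.0.5", "198.51.100.7"):
        print(f"{target:14} lenient={lenient_check(host, target)!s:5} "
              f"pinned={pinned_check(LOADED_FROM, target)}")
    print("reachable only under the lenient check:",
          extra_reach(host, LOADED_FROM))
```

The pinned check never consults DNS again after the applet is loaded, so nothing the name server later returns can widen what the applet may reach.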



© Northeast Parallel Architectures Center, Syracuse University, npac@npac.syr.edu


Page produced by wwwfoil on Sun Nov 29 1998