Many of the famous Java security problems are in some sense "just bugs" and everything in society has bugs from car safety through conventional policing
-
Again Java bugs are more worrisome because they are potentially so widespread
|
|
Currently Java is restricted to establishing a network connection to site you downloaded it from. This assumes you trust site and wouldn't connect to iwanttodestroy.yoursystem.org.
|
So in a Netscape2.0 bug, it was possible to set up applet so that it could connect to an arbitary site
-
Bug involved a malicious DNS server returning a set of IP addresses including allowed and disallowed ones. Netscape2.0 allowed one to connect to disallowed address
-
Now we have established a connection which could break through a firewall and in principle do arbitary damage/breach of confidentiality
|
|
Netscape2.01 corrected bug by only allowing connection to original IP address
|
