Basic HTML version of Foils prepared April 7 1998

Foil 14 An Early Netscape DNS Bug

From Basic Principles of Java and Internet Security CPS616 Web Technologies -- Spring 98. by Geoffrey C. Fox


1 Many of the famous Java security problems are in some sense "just bugs" and everything in society has bugs from car safety through conventional policing
  • Again Java bugs are more worrisome because they are potentially so widespread
2 Currently Java is restricted to establishing a network connection to site you downloaded it from. This assumes you trust site and wouldn't connect to iwanttodestroy.yoursystem.org.
3 So in a Netscape2.0 bug, it was possible to set up applet so that it could connect to an arbitary site
  • Bug involved a malicious DNS server returning a set of IP addresses including allowed and disallowed ones. Netscape2.0 allowed one to connect to disallowed address
  • Now we have established a connection which could break through a firewall and in principle do arbitary damage/breach of confidentiality
4 Netscape2.01 corrected bug by only allowing connection to original IP address

in Table To:


© Northeast Parallel Architectures Center, Syracuse University, npac@npac.syr.edu

If you have any comments about this server, send e-mail to webmaster@npac.syr.edu.

Page produced by wwwfoil on Mon Apr 6 1998