Arthur T. wrote:
I'm not an expert, so I let Google do the work. Some of the
exploits are old, but they do or did exist. Here's just a sample:
As you may have noticed - most of the security issues are 'implementation'
issues - not design issues..
Now, the same goes for "Real Language" Java :
Chronology of security-related bugs and issues
Through its own research and rigorous testing, Sun has discovered a
potential security issue in the Java Runtime Environment that affects
both Java ...
java.sun.com/sfaq/chronology.html - 39k - Cached - Similar pages
Attack Applets: Exploiting Holes in the Security Model (Chapter ...
In terms of Java, the penetrate-and-patch machine is smoothly oiled (not
that it represents the best approach to security, but that's another
issue). ...
www.securingjava.com/chapter-five/ - 11k - Cached - Similar pages
Internet Explorer vulnerable to Java security problem - CNET News.com
A new weakness has been discovered in Microsoft's version of the Java
technology, one that allows a malicious Java program launched over the
Internet to ...
www.news.com/2100-1001-231428.html - 58k - Cached - Similar pages
****************
And I'm sure it's also true for some browsers even when rendering pure
HTML.. Either by using especially doctored HTML documents to permeate
vulnerable MSHTML/Trident or Gecko HTML layout engines.
MySpace Hacked Using Simple HTML Exploit - Alicia Keys and Others ...
The malicious site however does target IE specifically. So in that sense
T is right on the money. T: The exploit isn't using a script. It's basic
HTML and ...
www.centernetworks.com/myspace-hacked - 49k - Cached - Similar pages
Fix for URL Spoofing Security Vulnerability Checked in to Mozilla ...
In HTML mail, *everyone* has javascript disabled. ... Reply to this
message. I would simply open a new window, without a statusbar, and scam
on :-) ...
www.mozillazine.org/talkback.html?article=4149 - 27k - Cached - Similar
pages
****************
And about the <OBJECT> tag that allows you to include & instantiate 3rd
party objects (Word, PDF, Flash anyone ?) - all this with Javascript
disabled..
****************
I could also go with the security issues that came up in various
"server" protocols (ssh comes to mind).. or even non-network oriented
stuff (VM/SP (up to VM/SP 4 at least) VMUTIL had a cool trick to get you
class ABCDEFG and getting the CP Directory with all passwords in a
matter of minutes).
Finally, I would also like to state that driving, crossing the street,
eating, breathing and living altogether are inherently dangerous
activities that can lead to extreme cases of death (actually, living is
a known cause of certain death).
Ok.. I'm getting rhetorical.. But what I want to put out is that taking
prophylactic measures is fine - until it prevents you from achieving
your goal.
And disabling javascript today makes a lot of web sites unusable..
Well.. your choice !
--Ivan
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html