DNS Spoofing and Java(tm)


March 5 - Netscape is making available a patched version of the Java classes used in Netscape Navigator 2.0.

The JavaSoft patch for the JDK will be available shortly, at which time an announcement will be made to the java-interest@java.sun.com mailing list and posted on our What's New page.


February 22 - USA Today today reported on the work of a Princeton professor and two Princeton graduate students who claim that Netscape's Navigator 2.0 allows a Java applet to be manipulated in a way that breaches network security on a system running the applet.

The claim is that a Java applet could be created to "spoof" an IP address and thereby enter unprotected areas of a network.

"Internet spoofing is a problem that precedes Java and has no direct correlation to Java or Java applets," says Marianne Mueller, a JavaSoft security expert.

"The possibility of using Java applets in the manner described by the Princeton students requires an extremely remote set of circumstances, including the ability of the attacker to know names of machines within a secure network, the ability to attract a user on that network to visit his/her site, and the ability to attract the user to run an applet that would have been created to conduct the spoofing.

"Even though the combination of these sets of circumstances is very remote, all possible network security breaches are considered serious and we thank the students at Princeton for raising the awareness level on this issue."

Sun and Netscape will issue a patch that restricts Java applets so that this spoofing scenario cannot occur.


Frequently Asked Questions - Applet Security


Copyright © 1996 Sun Microsystems, Inc., 2550 Garcia Ave., Mtn. View, CA 94043-1100 USA. All rights reserved.

Contact the Java developer community via the newsgroup comp.lang.java
or JavaSoft technical support via email to java@java.sun.com.

Send questions or comments about this web site to
webmaster@java.sun.com.
