Java and Shockwave Security

Java and Shockwave Security — Although mainstream media has been saturated recently with news of security issues in the Windows version of Microsoft Internet Explorer, a different security problem in Sun’s Java received comparatively little attention. Basically, it’s possible for a Java applet to disable security safeguards and grant itself full access to the local machine. It’s important to note the problem is very difficult to exploit, but theoretically affects anyone licensing Java technology from Sun. Microsoft has released a 500K update to its Java implementations for the Mac version of Internet Explorer; Netscape 3.0 doesn’t use Sun’s Java, and isn’t impacted.

<http://www.microsoft.com/ie/security/java.htm>

<http://www.javasoft.com/sfaq/index.html>

Another, more easily exploited security problem involves Macromedia’s Shockwave Director plug-in in conjunction with Web browsers (particularly Netscape Navigator). Essentially, it’s possible to author a Shockwave Director movie that can clandestinely read email or files on a user’s machine, along with documents residing on other Internet servers, even behind a corporate firewall. The relative simplicity of this particular oversight highlights the possibility other simple loopholes in a variety of products. A pre-release of Streaming Shockwave 6 reportedly does not exhibit these problems, but otherwise the only way to make sure you’re not vulnerable is to de-install Shockwave. [GD]

<http://www.webcomics.com/shockwave/>

<http://www.macromedia.com/shockwave/download/ plugin.cgi>