Antonio M. Moreiras wrote:

> > I am also not so sure how a Java applet could possibly check whether NTPD is
> > installed on the local computer (where the browser runs). I have written a few
> > Java applets myself. It's been a while, but as far as I remember, Java applets
> > are /not/ normally allowed to contact network sockets on the browser's local
> > computer.
>
> Yes, they are allowed to open sockets, TCP or UDP, but the applet must
> be digitally signed to be able to do that. It's because of this capacity
> that some "speed test" websites use Java applets (search, for example,
> for the US FCC broadband speed test).
>
> The ntp.br applet doesn't use sockets. It runs a local command, and yes,
> signed Java applets can also do that.

The big problem with that is that this whole concept of "signed applet" has
zero value. There is no auditing of the app whatsoever; everyone with a
certificate can sign his app, and certificates are a dime a dozen.

I would for sure never run a signed Java app on my system, especially not when
it comes from a country with a shady reputation like Brazil
(although that of course is a prejudice).

And added to that, one vulnerability after another is found in the Java
sandbox concept that allows apps that are not signed to break out of the
sandbox and execute system commands under the current user anyway. This makes
the risks of Java security incidents even bigger.

In fact, at work last month I blocked all Java apps in the proxy/firewall, and
instituted a whitelist of allowed apps. It now has 1 entry.
Before changing that setup there were several users that hit malicious Java
code that fortunately did not achieve its goals (installing a rootkit on the
system) because of other security settings. But I am not going to wait until
they combine a Java exploit with a privilege escalation exploit!

The use of Java for apps in the browser for generic internet pages has almost
completely died out, and the recent security mishaps don't help either.

Rob
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool