
1.4 Java Security Hole

One problem with network-based software is security. Sun's position is that nothing can go wrong, go wrong, go wrong, go wrong. However, CERT just announced this:

CERT(sm) Advisory CA-96.05, March 5, 1996

Topic: Java Implementations Can Allow Connections to an Arbitrary Host

The CERT Coordination Center has received reports of a vulnerability in implementations of the Java Applet Security Manager. This vulnerability is present in the Netscape Navigator 2.0 Java implementation and in Release 1.0 of the Java Developer's Kit from Sun Microsystems, Inc. These implementations do not correctly implement the policy that an applet may connect only to the host from which the applet was loaded.

The CERT Coordination Center recommends installing patches from the vendors, and using the workaround described in Section III until patches can be installed.

As we receive additional information relating to this advisory, we will place it in

ftp://info.cert.org/pub/cert_advisories/CA-96.05.README

We encourage you to check our README files regularly for updates on advisories that relate to your site.

  1. Description

    There is a serious security problem with the Netscape Navigator 2.0 Java implementation. The vulnerability is also present in the Java Developer's Kit 1.0 from Sun Microsystems, Inc. The restriction allowing an applet to connect only to the host from which it was loaded is not properly enforced. This vulnerability, combined with the subversion of the DNS system, allows an applet to open a connection to an arbitrary host on the Internet.

    In these Java implementations, the Applet Security Manager allows an applet to connect to any of the IP addresses associated with the name of the computer from which it came. This is a weaker policy than the stated policy and leads to the vulnerability described herein.

  2. Impact

    Java applets can connect to arbitrary hosts on the Internet, including those presumed to be previously inaccessible, such as hosts behind a firewall. Bugs in any TCP/IP-based network service can then be exploited. In addition, services previously thought to be secure by virtue of their location behind a firewall can be attacked.

  3. Solution

    To fix this problem, the Applet Security Manager must be more strict in deciding which hosts an applet is allowed to connect to. The Java system needs to take note of the actual IP address that the applet truly came from (getting that numerical address from the applet's packets as the applet is being loaded), and thereafter allow the applet to connect only to that same numerical address.

    We urge you to obtain vendor patches as they become available. Until you can install the patches that implement the more strict applet connection restrictions, you should apply the workarounds described in each section below.

    A. Netscape users

    For Netscape Navigator 2.0, use the following URL to learn more about the problem and how to download and install a patch:

    http://home.netscape.com/newsref/std/java_security.html

    Until you install the patch, disable Java using the "Security Preferences" dialog box.

    ...

CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from

ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup

comp.security.announce
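The Description and Solution sections of the advisory describe two connection policies: the shipped one, which permits a connection to any address the applet's origin host name resolves to at connect time, and the recommended one, which remembers the numeric address the applet was actually loaded from. The following is an added model of both checks (not code from CERT, Netscape or Sun); the host name, addresses and the resolver that returns an extra, attacker-supplied answer are all constructed for the example.

```python
"""Model of the CA-96.05 applet connection check: name-based (weak) vs address-based (strict)."""
from ipaddress import ip_address
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]  # host name -> list of dotted-quad addresses


class WeakAppletPolicy:
    """Shipped behaviour: any address the codebase *name* currently resolves to is allowed."""

    def __init__(self, codebase_host: str, resolve: Resolver):
        self.codebase_host = codebase_host
        self.resolve = resolve

    def check_connect(self, target_ip: str) -> bool:
        # Re-resolves at connect time, so whatever DNS answers now decides the outcome.
        return target_ip in self.resolve(self.codebase_host)


class StrictAppletPolicy:
    """Fix described by CERT: keep the numeric address the applet was loaded from and
    allow connections to that one address only; DNS is never consulted again."""

    def __init__(self, loaded_from_ip: str):
        self.loaded_from_ip = ip_address(loaded_from_ip)

    def check_connect(self, target_ip: str) -> bool:
        return ip_address(target_ip) == self.loaded_from_ip


# Constructed scenario (all values hypothetical; 203.0.113.0/24 is a documentation range).
APPLET_HOST = "applets.example.net"
APPLET_SERVER_IP = "203.0.113.10"   # address the applet was really fetched from
INTERNAL_HOST_IP = "10.0.0.5"       # a host behind the firewall, unreachable from outside


def honest_resolver(name: str) -> List[str]:
    return [APPLET_SERVER_IP] if name == APPLET_HOST else []


def subverted_resolver(name: str) -> List[str]:
    # Models the "subversion of the DNS system" in the advisory: the answer for the
    # applet's own domain now also lists the internal address.
    return [APPLET_SERVER_IP, INTERNAL_HOST_IP] if name == APPLET_HOST else []


def run_scenario(resolve: Resolver) -> Dict[str, bool]:
    """Evaluate both policies against the internal host and the real origin."""
    weak = WeakAppletPolicy(APPLET_HOST, resolve)
    strict = StrictAppletPolicy(APPLET_SERVER_IP)
    return {
        "weak_allows_internal": weak.check_connect(INTERNAL_HOST_IP),
        "strict_allows_internal": strict.check_connect(INTERNAL_HOST_IP),
        "strict_allows_origin": strict.check_connect(APPLET_SERVER_IP),
    }
```

With the honest resolver both policies behave the same; with the subverted answer only the name-based check lets the applet reach the internal address, which is exactly the gap the patches close.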






Wm Randolph Franklin
Tue Mar 19 20:11:28 EST 1996