Vmyths.com


Hoaxes, myths,
urban legends

Columnists

Newsletter
signup

Addictive
Update
Model

False
Authority
Syndrome

About us

Computer
security
humor

Truth about computer security hysteria
Truth About Computer Security Hysteria

Java Trojans — what about them?

Rob Rosenberger, Vmyths co-founder
Saturday, 31 August 1996 COMPUTER MAGAZINES AND the mainstream media paint a gloomy picture about Java Trojans. Yet the antivirus community seems pretty bored by comparison. Granted, some experts raise an eyebrow whenever you mention viruses on the Internet ... but many of them yawn when asked about Java. "To the best of my knowledge there is (as of 2 June 1996) no Java Trojan" running rampant on the Internet, said Virus Bulletin editor Ian Whalley. "The mass market press have just finally realized what [the antivirus community] realized as soon as we heard of Java -- that what you're doing is running someone else's code on your machine."
Stop the press!
More problems
A PC/Computing story about "poison Java" included this ironic tidbit: "A number of rogue applets are committing crimes ranging from the annoying... to the fatal... Don't believe us? You'll find a grisly collection at www.math.gatech.edu/ ~mladue/ HostileApplets.html."
Even if someone creates a Java Trojan, how would they cause damage with it? Java-enabled operating systems will arrive someday — but right now a malicious person must install it on a website so Java-aware browsers can execute it. Internet providers fear a lawsuit if one of their customers trashes somebody else's computer with a Java Trojan. You can expect Internet providers to terminate 'actively malicious' websites with all due haste. They won't risk getting sued for monetary damages. The antivirus community knows this. Wolfgang Stiller, author of Integrity Master, doesn't seem too worried: "You can scan for [Java Trojans] but this is rather silly since they don't spread on their own and, by the time a scanner is updated [to detect it], the threat [will have] vanished."
AND LET'S FACE it: Java Trojans represent nothing new. Its roots go back to the days when people put ANSI bombs in a .ZIP file banner. Web browsers present themselves as just the latest twist on an old concept. The collective yawn about Java Trojans highlights an unprecedented event — many antivirus firms have taken a back seat on the issue. They'd rather let the web browser folks (and, later, the operating systems folks) tackle it. Ross Greenberg, author of Flu_Shot Plus and Virex for the PC, says "the official language definition for Java leaves no room or ability for Java apps to be Trojans. The actual implementation, well, that's a different story, with NetScape Version'du'jour as one 'whoops!' is filled after another." Ian Whalley echoes the same sentiment: "As far as I know, you cannot do viral things with Java. However, thus far it is the implementations which have been found to be buggy.... It is ... the job of Sun [Microsystems] and (predominantly) NetScape to react quickly to problems as they arise." In other words, customers shouldn't expect antivirus firms to spackle the security holes created by Java-enabled software.

Concerns about "Java scanners"

BEWARE THE HYPE right now if any antivirus company claims to offer a Java-specific scanner. Symantec recently announced one, for example. Its very existence raises serious questions:
  1. How can you conceptualize a Java scanner if, as Greenberg claims, 'official Java' doesn't allow for viruses?
  2. How can you build a supposedly viable product when the Java industry itself hasn't gotten its act together?
  3. How can you test such a product if no Java viruses currently exist? (Symantac ironically acknowledges it in their press release: "While no current Java virus threats exist, ....")

[presumed first edition,
published ca. August 1996]