It is important to reemphasize that the attacks described in this chapter are not hypothetical; each has been implemented by either the Secure Internet Programming team (SIP) at Princeton University or other researchers. Each was successfully used to break into a machine in the laboratory. The Princeton team, who have discovered a majority of known holes, choose not to release the resulting attack applets onto the Net. Other researchers, especially consultants, tend to release their attacks.
Attack applets are the most dangerous kind of hostile applets. They do more than simply annoy or deny service. The end result of an attack applet is the same as being hacked by a cracker: Your system is wide open for unauthorized access.
According to both our research and that of the CERT Coordination Center (an organization that keeps track of computer security violations on the Internet), there have been no confirmed reports of loss due to the attacks described in this chapter. There are, however, a few cases of attacks possibly carried out with applets. It is, of course, impossible to rule out the possibility of attacks that haven't been discovered or that haven't been reported. The lack of reports indicates that the number of attacks, if any, has been small. Successfully implemented attack applets probably haven't occurred in the wild, but there can be no guarantee that one won't show up tomorrow. The danger is real enough that CERT recommends people disable Java when using particular versions of popular browsers [CERT, 1996a; CERT, 1996b].
Copyright ©1999 Gary McGraw and Edward Felten.