Securing Java

Malicious Applets: Avoiding a Common Nuisance

Section 8 -- Malicious Applets on the Web

The most extensive collection of malicious applets can be found on Mark LaDue's Hostile Applets Home Page. LaDue does not follow our naming convention, which separates attack applets from malicious applets, but in any case all of the applets that LaDue has created are malicious applets. In July 1998, a group of LaDue's newer malicious applets, those that allow creation of a ClassLoader in Netscape 4.04 and 4.05, were leveraged to create an attack applet. LaDue's ClassLoader subclassing, when combined with the discovery of a ClassLoader bug by the Princeton team (see Chapter 5), made possible a real attack.

LaDue's malicious applets perform the following hostile activities:

  • Play a sound file forever (our NoisyApplet is adapted from this one).
  • Kill a browser with a CPU-hogging attack.
  • Consume all available memory on your machine.
  • Spin endless threads to consume resources.
  • Display many hundreds of large black windows.
  • Combine many denial-of-service attacks (windows, threads, and sounds) into one payload.
  • Pop a fake dialog box requesting sensitive information (username and password).
  • Surreptitiously perform remote calculation and report results back to the server.
  • Forge mail.
  • Kill all applet threads (except for self).
  • Send your browser to a URL over and over again.
  • Obtain your username.
  • Fill all disk space available to the browser.
  • Create an AppletClassLoader (a good staging ground for more serious attacks).
  • Exercise mystery methods (undocumented but available) that crash a browser.
  • Misuse native methods through the Java API, resulting in a crash.
  • Deny legitimate use of the audio system by retaining control over it.
  • Steal information about the SystemPrincipal and create an impostor.
  • Determine exactly which plugins a browser has with help from JavaScript.
  • Steal information from a Java Wallet (including username and password).
  • Carry out some social engineering in order to rewire the Help button of the Java Wallet.
  • Cause a modem connected to an arbitrary serial port to dial.

The most interesting feature of LaDue's malicious applets is that source code is made available. LaDue is clearly no proponent of keeping secrets!

No other author of malicious applets has been as prolific as LaDue, but notable among available malicious applets are:

  • An extremely simple recursive applet that pops the stack and crashes the VM (Naval Postgraduate School)
  • A mail forger and a file scanner written by Jim Buzbee
  • An applet that abuses the redirect capability written by Ben Messander

Links to known malicious applets on the Web are maintained on the Java Security Hotlist.

Copyright ©1999 Gary McGraw and Edward Felten.
All rights reserved.
Published by John Wiley & Sons, Inc.