http://www.javasoft.com/JDK-1.0/changes.html (PC Press Internet CD, 03/1996)

Java Developers Kit

Version 1.0.1

Changes Since the Last Release

There have been two security-related bug fixes since the JDK 1.0 release; their descriptions are listed below. You may also want to review changes from previous releases: changes from JDK 1.0 Beta 2 to JDK 1.0; changes from JDK 1.0 Beta to JDK 1.0 Beta 2; changes from JDK 1.0 Pre-Beta to JDK 1.0 Beta; and changes from Java Alpha 3 to JDK 1.0 Pre-Beta.

Bugs Fixed

The following bugs were fixed between JDK 1.0 and JDK 1.0.1:

Applet SecurityManager can allow a DNS spoofing attack.
The applet SecurityManager does a dynamic Domain Name Service (DNS) lookup on a hostname when loading an applet. When an applet requests a connection back to its originating host, the applet SecurityManager again performs a dynamic DNS lookup on the hostname. If the dynamic DNS lookup returns an IP address of some other computer, which can happen if someone is broadcasting bad DNS data, then the security manager allows the applet to connect to a machine it shouldn't be allowed to connect to.
Fix: The fix is to remember the numerical IP address for the hostname of an applet, and from then on, only allow the applet to connect to the exact same numerical IP address that it came from.

Class loader can allow applets to load native code libraries.
The class loader will load classes where the first letter of the class name is '/' (or '\' on Microsoft Windows), bypassing the verifier and SecurityManager. Without an associated SecurityManager, the offending class can load native code libraries which can perform any operation.
Fix: Disallow loading classes where the first character of the class name is the operating system directory separator character.
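As an added illustration, not code from the JDK itself, the following Python model covers both fixes above: the applet connection check with and without pinning the origin's numeric address (driven by a stand-in resolver so the DNS answer can be changed between applet load and connect), and the class-name check for the class loader bug. Hostnames, addresses and the class names in the test are constructed for the example.

```python
from typing import Callable, Dict

# Constructed sample data: an applet served from an attacker-controlled host and an
# internal address the applet must never be allowed to reach.
APPLET_HOST = "applet-host.example"
APPLET_IP = "198.51.100.10"
INTERNAL_IP = "10.0.0.5"

Resolver = Callable[[str], str]  # hostname -> dotted IPv4 string (stand-in for DNS)

class VulnerableAppletPolicy:
    """Model of the JDK 1.0 behaviour: the origin hostname is re-resolved on every connect."""
    def __init__(self, origin_host: str, resolve: Resolver):
        self.origin_host = origin_host
        self.resolve = resolve

    def check_connect(self, host: str) -> bool:
        # Both names are looked up at connect time, so a spoofed answer for the origin is trusted.
        return self.resolve(host) == self.resolve(self.origin_host)

class FixedAppletPolicy:
    """Model of the JDK 1.0.1 fix: the origin's numeric address is pinned at load time."""
    def __init__(self, origin_host: str, resolve: Resolver):
        self.origin_ip = resolve(origin_host)  # resolved once, when the applet is loaded
        self.resolve = resolve

    def check_connect(self, host: str) -> bool:
        # Only the exact numeric address the applet came from is permitted.
        return self.resolve(host) == self.origin_ip

def run_dns_scenario() -> Dict[str, bool]:
    """Load an applet, change the DNS answer for its origin, and repeat the connect check."""
    table = {APPLET_HOST: APPLET_IP}
    resolve: Resolver = lambda host: table[host]
    vulnerable = VulnerableAppletPolicy(APPLET_HOST, resolve)
    fixed = FixedAppletPolicy(APPLET_HOST, resolve)
    results = {"vulnerable_before_spoof": vulnerable.check_connect(APPLET_HOST),
               "fixed_before_spoof": fixed.check_connect(APPLET_HOST)}
    table[APPLET_HOST] = INTERNAL_IP  # bad DNS data: the origin name now maps elsewhere
    results["vulnerable_after_spoof"] = vulnerable.check_connect(APPLET_HOST)
    results["fixed_after_spoof"] = fixed.check_connect(APPLET_HOST)
    return results

def class_name_allowed(name: str) -> bool:
    """JDK 1.0.1 fix for the class loader bug: reject names that begin with a directory
    separator; both '/' and '\\' are refused here since the page names both forms."""
    return bool(name) and name[0] not in ("/", "\\")
```

In the scenario the JDK 1.0 model still accepts the connection after the origin's DNS answer changes, while the pinned check refuses it.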

Last Updated: 06 Mar 1996
