SecurityFocus 2000-09-04
Last month's Brown Orifice program opened a backdoor to an insecure future. Can open source save the day?
Open Source Solution
2000-09-05
Pete Kofod (2 replies)
"All bugs are shallow" is a delusion of Open Source Arguments
2000-09-08
peter (at) smalltalk (dot) org [email concealed]

One of these bugs originated in Sun's JVM, the other in Netscape's implementation of Java for Netscape, but the exploit had nothing to do with "people who understood the different components did not or could not see how the interaction of these various pieces could cause trouble"; it was just a pair of bugs. Taken in isolation, each bug would still be an incredibly serious security hole.
This essay smacks of having an agenda, and then trying to fit the facts around it. I'm afraid the facts just don't fit at all. I mean, trying to claim that the random number generator is not an integral part of any crypto code would get you laughed out of any serious discussion, but in this essay it's just thrown away as assumed that it's somehow a 'separate component'.
As for the agenda itself -- while true in the general case, security bugs are one of the biggest exceptions to "Given enough eyeballs, all bugs are shallow." Linux has far more eyeballs than OpenBSD, so therefore Linux must be more secure, right? The BrownOrifice bug was particularly subtle - it would have only been found by either someone doing a professional, rigorous security audit, or someone very smart and malicious combing over the code looking for exploits. Sun's Java source has been available for five years under the SCSL. It's been examined and re-implemented by a huge number of developers, but it took all this time for it to be uncovered.
Finally, Netscape 6.0's (i.e. Mozilla's) Java implementation is no magic bullet. It runs Java by providing a plug-in architecture for JVMs, which means you still take one vendor's Java implementation, and plug it into another vendor's browser.
Link to this comment: http://www.securityfocus.com/comments/articles/80/3330#3330