There should be an option to disable Java Applets in Email

Status: RESOLVED WONTFIX
Product: MailNews Core
Component: Security
Priority: --
Severity: enhancement
Reported: 16 years ago
Modified: 10 years ago

People: Reporter: raccettura; Assigned: Mitchell Stoltz (not reading bugmail)

(Reporter)

Description

16 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3) Gecko/20030312
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3) Gecko/20030312

There should be an option in the UI to disable Java applets in html emails.  By
default it should be enabled, but warn before loading Java applets (similar to a
cookie warning).

This is a potential security issue if an applet can load automatically by email.
Imagine a virus that uses a Java applet?

Reproducible: Always

Steps to Reproduce:

Comment 1

Edit\Preferences\Advanced\Scripts&Plugins/[ ] Enable Plugins for Mailnews
Do you mean this?
(Reporter)

Comment 2

16 years ago
But Java is a big hole.

Flash is actually pretty cool.  Same with quicktime, realplayer, or a plugin to
process an image.

Those abilities are what make html mail great.

Flash, and Quicktime aren't security problems (that we know of).

But an applet sent by email has potential.
Comment 3

From the security view: Flash had many big security holes in the past and
macromedia released new versions in the last 2 months to fix this but there
could be more security holes.

If you are unsure about Java you should disable it (that will also disable Java in 
Mailnews) : edit\prefer..\Advanced\[]Enable Java

-> Security (see also bug 93455)
Assignee: sspitzer → mstoltz
Severity: normal → enhancement
Component: Mail Window Front End → Security: General
QA Contact: esther → junruh
(Reporter)

Comment 4

16 years ago
Granted Flash has had security holes in the past.  Java by definition can be
insecure.  And that's not bad programming that causes it.  It's misuse.

Updated

16 years ago
QA Contact: junruh → dsirnapalli
(Assignee)

Comment 5

16 years ago
Disabling the "Enable Plugins for Mailnews" option should also disable java.
Robert, does this work for you?
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 6

Mitchell:
The point is that he wants active Java in the browser and disabled Java in mailnews.
(Reporter)

Comment 7

16 years ago
Yes it does work, but doesn't meet my needs (and I'm sure the needs of others).

Flash, and such in Email is fine.  I don't mind it at all.

Java is inherently a danger (though it can be good).  If a user browses to a
site, they take that risk.  But by email (in particular spam or a virus), it can
be very accidental.

Java really doesn't have a place in email.  I respect the right to have it in
there, but it should be disabled by default (or at least warn before loading the
applet).  

What would happen if someone created a malicious applet and spread it with a virus?

(Assignee)

Comment 8

16 years ago
I disagree that Java is "inherently" less secure than Flash: both download and
run a form of active content, both provide a "sandbox" of limited privileges for
that content to run in, and both have experienced breaches in that sandbox. It's
my impression that Flash has had the worse track record of late. 

We already have an option to disable all plugins in MailNews, including Java. It
sounds like you're asking for an option to specifically disable Java while
leaving all other plugins enabled. Do you receive Flash in email messages so
often that re-enabling plugins while viewing a particular message becomes
impractical?

I appreciate your concern, but I worry about feature creep in prefs. Do you have
data showing that Java is more prone to security problems than the other plugins
you mentioned? That could help us reach a decision on this issue.
(Reporter)

Comment 9

16 years ago
My problem stems from the fact that someone can quite easily create a malicious
applet.  It's not impossible to create an applet that could contribute to a
distributed DOS attack, or other attack.  A JavaApplet in email just seems like
an inherent problem.  Its architecture is a bit more robust as far as its
capabilities go.  How many legitimately need to run applets from within
mail/news?  I can't think of one legitimate case.

Flash inherently has a legitimate purpose in email.  Used by various mailing
lists, as it can carry the same animation in a much smaller file size.  Same
with other plugins.  There are various media formats, that need a plugin, and
it's no problem.

At the very least, a warning before loading JavaApplets would be nice.
Something like those "Warning before submitting insecure form" warnings... that
you can deny or allow it, and there would be a checkbox, to always allow without
asking.

My concern is a spam email I got with a java applet.  Before I knew it, it was
loaded.  I didn't even realize until it was too late.  It appeared to be a Ticker
style animation thing... but there was a jump in network usage when I looked at
Sygate Personal Firewall's graph of network usage... I still don't know what
else it may have been doing.

My concern really is from having an unnecessary vulnerability in the client on
by default.
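A check of the kind the reporter asks for, written here as an added example (not Mozilla/MailNews code): scan an HTML message body for the elements that would load a Java applet and decide whether to prompt before rendering, with the "always allow" checkbox modelled as a flag. The Java MIME-type prefix and Java Plug-in classid are the real ones; the sample message is constructed.

```python
from html.parser import HTMLParser

# An HTML message can pull in a Java applet through an <applet> tag or through an
# <object>/<embed> carrying a Java MIME type or the Java Plug-in ActiveX classid.
JAVA_MIME_PREFIX = "application/x-java-"
JAVA_PLUGIN_CLASSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"

class AppletFinder(HTMLParser):
    """Collects (tag, applet class/archive) for every element that would load Java."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_java_object = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}  # attribute names arrive lower-cased
        src = a.get("code") or a.get("archive") or a.get("data") or a.get("src") or ""
        is_java = (a.get("type", "").lower().startswith(JAVA_MIME_PREFIX)
                   or a.get("classid", "").lower() == JAVA_PLUGIN_CLASSID)
        if tag == "applet":
            self.findings.append(("applet", src))
        elif tag in ("object", "embed") and is_java:
            self.findings.append((tag, src))
            self._in_java_object = tag == "object"
        elif tag == "param" and self._in_java_object and a.get("name", "").lower() in ("code", "archive"):
            # <object> normally names the applet class in a <param>, not in an attribute
            self.findings[-1] = ("object", a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "object":
            self._in_java_object = False

def find_java_applets(html_body):
    """Return the applet-loading elements found in one HTML message body."""
    finder = AppletFinder()
    finder.feed(html_body)
    finder.close()
    return finder.findings

def should_prompt(html_body, always_allow=False):
    """The requested behaviour: ask before loading, unless 'always allow' was ticked."""
    return not always_allow and bool(find_java_applets(html_body))

# Constructed sample (not a real message): a visible "ticker" applet plus two hidden loaders.
SAMPLE_MAIL = """<html><body><p>Latest quotes:</p>
<applet code="Ticker.class" width="300" height="40"></applet>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1">
<param name="code" value="Loader.class"></object>
<embed type="application/x-java-applet" code="Hidden.class" width="0" height="0">
<img src="cid:logo"></body></html>"""
```

A client would run this over the decoded text/html part before handing it to the renderer, and show the allow/deny prompt whenever `should_prompt` is true.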
(Assignee)

Comment 10

16 years ago
Applets can only connect to the host they're loaded from; a malicious applet
writer could only DDOS himself. I'm just not convinced that Java is easier to
abuse, or less "legitimate" in a message than other types of plugin content. I
can think of lots of "legitimate" non-malicious uses for Java in email.

I agree with you that plugins in mail can sometimes be used to do bad things;
that's why we have them disabled by default. I just don't see why we need to
single out Java. Again, some data on the relative vulnerability of these plugins
would be useful.
(Assignee)

Comment 12

15 years ago
Since I haven't seen any convincing evidence that Java is less secure than Flash
in general usage, I think the general "disable plugins" pref which already
exists is sufficient. I'm marking this wontfix.
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → WONTFIX

Comment 13

14 years ago
*** Bug 244431 has been marked as a duplicate of this bug. ***
Product: MailNews → Core
Product: Core → MailNews Core