User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3) Gecko/20030312 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3) Gecko/20030312 There should be an option in the UI to disable JavaApplets in html emails. By default it should be enabled, but warn before loading java applets (similar to a cookie warning. This is a potential security issue if an applet can load automatically by email. Imagine a virus that uses a JavaApplet? Reproducible: Always Steps to Reproduce:
Edit\Preferences\Advanced\Scripts&Plugins/[ ] Enable Plugins for Mailnews Do you mean this ?
But Java is a big hole. Flash is actually pretty cool. Same with quicktime, realplayer, or an plugin to process an image. That's what makes html mail great, are those abilities. Flash, and Quicktime aren't security problems (that we know of). But an applet sent by email has potential.
from the security view : Flash had many big security holes in the past and macromedia released new versions in the last 2 months to fix this but there could be more security holes. If you are unsure about Java you should disable it (that will also disable Java in Mailnews) : edit\prefer..\Advanced\Enable Java -> Security (see also bug 93455)
Assignee: sspitzer → mstoltz
Severity: normal → enhancement
Component: Mail Window Front End → Security: General
QA Contact: esther → junruh
Granted Flash has had security holes in the past. Java by definition can be insecure. And that's not bad programming that causes it. it's misuse.
Disabling the "Enable Plugins for Mailnews" option should also disable java. Robert, does this work for you?
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Mitchell: The point is that he wants active Java in the browser and disabled Java in mailnews.
Yes it does work, but doesn't meet my needs (and I'm sure the needs of others). Flash, and such in Email is fine. I don't mind it at all. Java is inherently a danger (though it can be good). If a user browses to a site, they take that risk. But by email (in particular spam or a virus), it can be very accidental. Java really doesn't have a place in email. I respect the right to have it in there, but it should be disabled by default (or at least warn before loading the applet). What would happen if someone created a milicous applet and spread it with a virus?
I disagree that Java is "inherently" less secure than Flash: both download and run a form of active content, both provide a "sandbox" of limited privileges for that content to run in, and both have experienced breaches in that sandbox. It's my impression that Flash has had the worse track record of late. We already have an option to disable all plugins in MailNews, including Java. It sounds lile you're asking for an option to specifically disable Java while leaving all other plugins enabled. Do you receive Flash in email messages so often that re-enabling plugins while viewing a particular message becomes impractical? I appreciate your concern, but I worry about feature creep in prefs. Do you have data showing that Java is more prone to security problems than the other plugins you mentioned? That could help us reach a decision on this issue.
My problem stems from the fact that someone can quite easily create a milicous applet. It's not impossible to create an applet that could contribute to a distributed DOS attack, or other attack. A JavaApplet in email just seems like an inherent problem. It's architecture is a bit more robust as far as it's capabilities go. How many legitimately need to run applets from within mail/news? I can't think of one legitimate case. Flash inherently has a legitimate purpose in email. Used by various mailing lists, as it can carry the same animation in a much smaller file size. Same with other plugins. There are various media formats, that need a plugin, and it's no problem. At the very least, a warning before loading JavaApplets would be nice. Something like those "Warning before submitting insecure forum" warnings... that you can deny or allow it, and there would be a checkbox, to always allow without asking. My concern is a spam email I got with a java applet. Before I knew it, it was loaded. I didn't even realize until it was to late. It appeared to be a Ticker style animation thing... but there was a jump in network usage when I looked Sygate Personal Firewall's graph of network usage... I still don't know what else it may have been doing. My concern really is from having an unnecessary vulnerability in the client on by default.
Applets can only connect to the host they're loaded from; a malicious applet writer could only DDOS himself. I'm just not convinced that Java is easier to abuse, or less "legitimate" in a message than other types of plugin content. I can think of lots of "legitimate" non-malicious uses for Java in email. I agree with you that plugins in mail can sometimes be used to do bad things; that's why we have them disabled by default. I just don't see why we need to single out Java. Again, some data on the relative vulnerability of these plugins would be useful.
FYI: http://www.idefense.com/advisory/03.31.03.txt http://service.real.com/help/faq/security/securityupdate_march2003.html (QT and realplayer security holes)
Since I haven't seen any convincing evidence that Java is less secure than Flash in general usage, I think the general "disable plugins" pref which already exists is sufficient. I'm marking this wontfix.
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → WONTFIX
*** Bug 244431 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.