COMMAND

    java

SYSTEMS AFFECTED

    Netscape up to and including versions 2.02 and 3.0beta4 (except
    Windows 3.x); Oracle PowerBrowser for Win32; HotJava 1.0 beta;
    "appletviewer" from the Java Development Kit, up to and including
    version 1.0.2.

PROBLEM

    Attacks on the class loader allow running native code in current
    Java implementations. Running native code allows machine-specific
    instructions to be executed by the delivered applet. This is a
    real problem: an attack succeeded in deleting files. An exploit
    has been written for Appletviewer and HotJava; versions for
    Netscape and Oracle PowerBrowser are also possible, although more
    difficult.

SOLUTION

    NASIRC reiterates its recommendation to use all Internet browsers
    with all Java and JavaScript features disabled. If the known host
    is a trusted site, then enabling Java or JavaScript after the
    initial page is displayed and then using the "reload" option to
    invoke Java or JavaScript is a safer approach. Before leaving a
    trusted page, the Java and JavaScript features should again be
    disabled.