Unlike the technically adept attacks to be revealed in Chapter 5, these malicious applets are very easy to write. There are malicious applets that play background sounds endlessly. There are malicious applets that consume system resources, implementing denial-of-service attacks. There are applets that forge electronic mail. There are even applets that kill other applets' threads.
Now that techniques are widely available on the Hostile Applets Home Page (among other places), it is only a matter of time before malicious applets spread. Because malicious applet source code has been put on the Web, hundreds of people can start to use and adapt the ideas. We have been lucky that this has not happened yet. Perhaps we will continue to be lucky, or perhaps not.
As we have seen, an applet need not break into your machine in order to do malicious things. Sometimes it is good enough to steal CPU cycles, or deny access to other sites. Malicious applets come in all shapes and sizes. Defending against all of the possibilities is at best a daunting task.
Malicious applets may even play a role in undermining business on the Net. Recall the Business Assassin applet that targets Gamelan. Other anti-business applets might send forged mail with thousands of seemingly legitimate orders (resulting in thousands of expensive returns). Another malicious applet, if it came from a competitor's site, could spam the Net with ads supposedly from you. This could effectively cut your business off the Net when people respond with mail bombs. It does not take much foresight to fear the implications that these applets have for Net commerce.
At least for the moment, malicious applets are not widespread; however, it is only a matter of time before they are. Now is the time to look into ways to defend ourselves against them. Sun Microsystems agrees: "We recognize the importance of providing people with some mechanism to help them deal with hostile applets." Java 2 introduces mechanisms that can be used to help address the problem.
Copyright ©1999 Gary McGraw and Edward Felten.