[NPL] [Alert] Lasso Java Security Issue
IMPORTANT SECURITY ALERT
Attention All Lasso Customers,
September 4, 1998

A security hole was discovered and reported to Blue World Communications,
Inc. this afternoon. The hole allows information in any database served by
Lasso 2.x to be read ("read only" access) via Java-based communication. A
Lasso customer was able to view fields and data not intended for viewing in
a Lasso-powered FileMaker database using Symantec's Visual Cafe for Java
Database Edition.

Immediately upon receipt of the report, Blue World engineers confirmed the
problem and began working on a fix. A security patch was ready within hours
of the report and is now available at
http://www.blueworld.com/blueworld/download/.

All Lasso 2.x customers are advised to install the patch immediately,
regardless of whether or not they have deployed Java-enabled databases.

Lasso 2.5.1 customers are advised to install the patch and optionally
install the new Java Enabler module for more secure Java-based
communication. Lasso 2.5.1 customers are also advised to check their Lasso
security database settings to ensure that fields not meant to be viewed via
the Web are set with the "Dont Show" privilege. The security patch updates
Lasso 2.5.1 to Lasso 2.5.1a.

Lasso 2.0.3 customers are advised to install the security patch, which
disables Java communication, or upgrade to Lasso 2.5.1 and install the
above-mentioned Lasso 2.5.1a patch for more secure Java communication. The
security patch updates Lasso 2.0.3 to Lasso 2.0.3a.

The security hole allowed only data to be viewed and not edited. To protect
Lasso-powered sites while they are updated with the security patch,
specific details regarding the routines used to view fields not intended
for viewing are not available. Information regarding potential security
issues with other products based on Lasso technology--including the recent
Beta Release 1 of the Lasso 3 product line--is also not available at this
time.

Symantec has been notified of the Lasso security issue and is in the
process of notifying Symantec Visual Cafe for Java Database Edition
registered customers.

Blue World would like to publicly acknowledge and thank Mike Stahulak and
Dave Johnson of Red Rock Software, Inc. for discovering and reporting the
problem.

Sincerely,
Bill Doerrfeld
President & CEO
Blue World Communications, Inc.