Linked by David Adams on Tue 12th Jul 2011 19:08 UTC, submitted by HAL2001
Privacy, Security, Encryption ACROS Security has discovered a vulnerability in Sun Java, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the application loading an executable file in an insecure manner when an out of memory condition occurs.
Thread beginning with comment 480739
RE[5]: Nice
by JAlexoid on Wed 13th Jul 2011 14:50 UTC in reply to "RE[4]: Nice"

May I try?

And fail to single out Java?

Java is an interpreter, and current OS security models are not designed to explicitly support interpreters. For the OS, an interpreter is just a black box executing arbitrary code from the wild.

So is any .EXE file. What's your point? Java does not get a free ride as far as the OS is concerned...

What this means in turn is that Java may only run code as privileged as the Java interpreter is. So the Java interpreter must run with privileges that are as high as possible. No true OS-level sandboxing is possible.

Well... Duh! Its privileges are the same as the user that started the process. In fact, Java doesn't even have process user changing functionality built in. You can run Java in whatever sandbox you may wish. In addition, you may enable Java's security features.

Which means that the JRE is a huge mass of code (basically reinventing the system API for the sake of portability) running in a highly permissive security environment, without DEP/NX protection. As lots of code is statistically synonymous with lots of bugs/exploits, this is a disaster waiting to happen.

Which environment are you talking about? Desktop apps, that are even worse when it comes to security? Applets, that are probably more secure than the browser they run in, in most cases (see the number of IE users)?

Reply Parent Score: 2
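The "Java's security features" that the reply above refers to are the JRE's own in-process sandbox: a SecurityManager plus a policy file that decides which permissions application code gets. The following is an added example, not code from the OSNews thread or from Oracle; it shows the same process going from "full privileges of the launching user" to "no file access" once the manager is installed. It assumes the classic SecurityManager API (Java 6/7 era; deprecated and disabled by default in current JDKs, where `-Djava.security.manager=allow` is needed to install one at runtime), and the path and policy file name are placeholders.

```java
// Added example (not from the thread): demonstrate the JRE's in-process
// sandbox with the classic SecurityManager. Assumes a JDK where installing a
// SecurityManager at runtime is still permitted.
import java.io.File;
import java.io.FileInputStream;
import java.security.AccessControlException;

public class SandboxDemo {
    public static void main(String[] args) throws Exception {
        // Placeholder target file; any file the launching user can read works.
        String path = args.length > 0 ? args[0] : "/etc/passwd";

        // Before the manager is installed, the JVM runs with exactly the OS
        // privileges of the user who started it, as the parent comment says.
        System.out.println("readable before sandbox: " + new File(path).canRead());

        // Install the default SecurityManager. Unless a policy file grants a
        // matching java.io.FilePermission, application code may not read files.
        System.setSecurityManager(new SecurityManager());

        try (FileInputStream in = new FileInputStream(path)) {
            // Only reached when a policy grants read access to 'path'.
            System.out.println("read allowed after sandbox: policy grants " + path);
        } catch (AccessControlException e) {
            // Expected with no policy: the sandbox denies the FilePermission.
            System.out.println("read denied by SecurityManager: " + e.getPermission());
        }
    }
}
```

Run it as `java SandboxDemo` to see the denial, then `java -Djava.security.policy=app.policy SandboxDemo` with a constructed `app.policy` containing `grant { permission java.io.FilePermission "/etc/passwd", "read"; };` to see the same code allowed. The caveat a defender should keep in mind is the one the article itself illustrates: this sandbox is enforced by the JVM's own code, so a bug in the JVM or its native libraries (such as the insecure executable load on an out-of-memory condition reported above) is not stopped by it, only by OS-level containment around the whole process.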