Linked by Thom Holwerda on Wed 10th Oct 2012 23:47 UTC, submitted by MOS6510
Java "Java is a programming language that allows developers to write once and deploy everywhere - from high-end gaming desktops to smartphones. Its OS-agnostic and widespread nature is one of its strongest selling points, but one area where it can fall flat is performance. Generally, Java applications are not going to perform as well as native applications written for a specific OS. However, thanks to Project Sumatra that performance gap may soon become less of an issue."
Thread beginning with comment 538356
RE[5]: Security
by JAlexoid on Thu 11th Oct 2012 15:36 UTC in reply to "RE[4]: Security"
JAlexoid Member since:
2009-05-19

Well you can't do anything useful for a malicious intent through Java.
(Unless you are going to send a few emails or something like it)

Edited 2012-10-11 15:36 UTC

Score: 2

RE[6]: Security
by kwan_e on Thu 11th Oct 2012 15:57 in reply to "RE[5]: Security"
kwan_e Member since:
2007-02-18

"Well you can't do anything useful for a malicious intent through Java.
(Unless you are going to send a few emails or something like it)"

What if the JVM is connected and authenticated to a database when the malicious program gets control? A malicious program can use JDBC to get sensitive information from that database without needing to go native.

Score: 2

RE[7]: Security
by Alfman on Thu 11th Oct 2012 16:43 in reply to "RE[6]: Security"
Alfman Member since:
2011-01-28

kwan_e,

"What if the JVM is connected and authenticated to a database when the malicious program gets control? A malicious program can use JDBC to get sensitive information from that database without needing to go native."

Can you elaborate on the specifics of where this malicious program came from? The reason I ask is because we need to ask whether the same attack vector is significantly more likely to happen in Java than a non-Java program.

Did the administrator unknowingly install the malicious program in the first place? Did he install a trusted program that contains a remotely exploitable application vulnerability, which enables a remote attacker to install & execute the malicious instructions? Does the compiler contain a bug that can be exploited remotely to execute malicious instructions?

All these things are possible, but ask yourself if Java is inherently less secure than other languages for running local programs. Escaping Java's sandbox is bad, but are there any instances where using Java is worse for security than using another language like C, which doesn't have any sandbox whatsoever? Is there something specific you think I'm overlooking?

Score: 2

RE[7]: Security
by JAlexoid on Fri 12th Oct 2012 00:39 in reply to "RE[6]: Security"
JAlexoid Member since:
2009-05-19

It's not like it's one JVM for the whole OS. And there is no local IPC mechanism in Java. If the JVM is connected to a DB, then it's already within your sandbox.

At most what you could do is steal the encrypted trusted keystore (quite useless without a targeted attack).

Score: 2