| |||||||||||||
The new Java 0Day examined (The H)The new Java 0Day examined (The H)Posted Aug 31, 2012 5:18 UTC (Fri) by CChittleborough (subscriber, #60775)Parent article: The new Java 0Day examined (The H)
Java sandboxes untrusted applets by having library methods that do possibly-dangerous things check for permission first. It's a tedious, finicky approach that requires programmers who work on low-level library classes to think carefully about security. That the Oracle team either ignored the security implications of
(Log in to post comments)
And still can't save. Posted Sep 1, 2012 5:35 UTC (Sat) by gmatht (guest, #58961) [Link]
Despite unsigned applets being rather dangerous, they are missing four important and rather safe rights:
1) The right to open a trusted file save dialog that a user can use to save a file to a location of their choosing. 2) The right to open a trusted file open dialog, as above. 3) The right to read from the clipboard immediately after the user has pressed Ctrl-V. 4) The right to write to the clipboard immediately after the user presses Ctrl-C or Ctrl-X.
Incidentally, since BicaVM came fairly close to creating a JavaScript JVM, I wonder if we could compile a JVM into NaCl to eliminate additional risk from Java plugins?
And still can't save. Posted Sep 2, 2012 1:20 UTC (Sun) by khim (subscriber, #9252) [Link] Incidentally, since BicaVM came fairly close to creating a JavaScript JVM, I wonder if we could compile a JVM into NaCl to eliminate additional risk from Java plugins? Well, Mono and V8 both work with NaCl so it's perfectly possible. The devil is in details, as usual. NaCl does not support all the APIs Java plugin supports (no synchronous API at all) so you can not create drop-in replacement. You can embed NaCl in the usual Java plugin instead... but this will be huge mess so it's not clear if it'll be an advantage or not.
|
|||||||||||||