| |||||||||||||
Oracle patches critical Java bugs used to commandeer computers (ars technica)Oracle patches critical Java bugs used to commandeer computers (ars technica)Posted Sep 4, 2012 0:13 UTC (Tue) by mikov (subscriber, #33179)Parent article: Oracle patches critical Java bugs used to commandeer computers (ars technica)
It is really ironic how many commenters equate vulnerabilities in running applets (arbitrary downloadable code from the Internet) with vulnerabilities of the language itself. The idiocy has reached so high that people are calling for abandoning Java entirely ... in favor of C++ :-)
(Log in to post comments)
Oracle patches critical Java bugs used to commandeer computers (ars technica) Posted Sep 4, 2012 1:51 UTC (Tue) by alankila (subscriber, #47141) [Link]
Also, in this case it appears that the applet runtime simply acts as vector to carry the interesting payload that actually compromises the system.
That being said, I was disappointed to learn how the applet security manager is put together, as it appears to simply trust call sites in the system framework packages. Given the size of the software, it seems likely that bugs like this will be discovered for years and years, and that every new API level will supply new bugs, unless this aspect of its evolution is strenuously reviewed.
Then again, if you just sign your applet, and socially engineer the user to run it, the security manager is turned off in any case, opening the door to further exploits just the same. If applets are to be salvaged -- and it is not clear to me anybody wants that -- then the operating system must be hardened to not allow browser to act as user's agent, i.e. with his privileges.
|
|||||||||||||