Slashdot Mirror


Cross-Platform Java Sandbox Exploit

DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.

4 of 382 comments

  1. Java finally reaches its full potential by scatter_gather · Score: 5, Funny

    Write once, exploit everywhere!
    :)

  2. Re:Opera not affected by Anonymous Coward · Score: 5, Informative

    Actually the Java in Opera is even worse: http://archives.neohapsis.com/archives/bugtraq/2004-11/0250.html

  3. there have been lots of those before by jeif1k · Score: 5, Insightful

    The "sandbox" that cordons off Java applets from the rest of the system has typically worked well.

    When Java first came out, people found lots of security problems with its sandbox; there were both fundamental flaws in Java's type system and problems in Sun's implementation. That aspect of Java was subject to intense scrutiny back then because Sun had positioned Java as a new way of delivering client applications, which depended critically on sandboxing. The vision was that Java would replace heavy desktop apps.

    These days, it doesn't matter much anymore: Java has failed to achieve its goals on the client; you can browse perfectly fine with applets disabled and never even notice. And for Java's current server side uses, sandboxing isn't really that important. So, people stopped finding flaws in Java's sandbox because they stopped looking--it just doesn't matter to anyone anymore.

    I think Java's original vision of a thin client platform for high-quality applications delivered through the Internet is still relevant, but Java won't be able to fulfill it anymore: it has become too bloated and too complex. More likely, that niche will be filled by an updated version of Flash (yuck), XUL, or, perhaps, something entirely new.

  4. let's have a little perspective by bratboy · Score: 5, Insightful

    I'm sorry, but the comments here are getting a little absurd. The Java sandbox has had how many security exploits discovered in the eight or nine years it's been around? Perhaps there have been a couple, but I can't remember any. And now, a flaw is discovered by an independent researcher, a patch quickly released, and the bug made public only after a significant amount of time has passed for people to upgrade, and before an exploit appears - and you're complaining because ...? Oh right, because Java isn't open source.

    Open source, although a wonderful thing which should be given away at school bake sales, church meetings, and NASCAR rallies, is not a silver bullet. Case in point - the Firefox browser (which I use and love) has already had several security flaws (e.g. the same JPG flaw as IE) for which exploits have been released. The major reason we don't see more is *not* because it's so much more robust - it's because it still doesn't have the visibility and market share of IE, not to mention the raw hatred of ubergeeks around the world. I know, I know - the market share is going up, and as a faithful user I'm honestly torn. I'd love for it to be successful, and for Microsoft to have some kind of competition, but for now, Firefox is pretty safe. Give it the market share, and watch all those 2600-loving eyes start reappraising their goals.

    daniel