Slashdot Mirror


User: robilad

robilad's activity in the archive.

Stories: 0
Comments: 1

Comments · 1

  1. Overloading and security on Java Security Hole Makes Netscape Into Web Server · Score: 2

    Having security built in at method level, with code like this:

    public void somemethod() {
        // security check performed inside the method body
        if (evil_attacker) throw new SecurityException();

        do_sth_useful();
    }

    won't get you too far if the attacker has access to source code and overloads the method with a version without security checks. Since Java applets can extend java.* classes and the code for them comes with the latest JDK, it was just a matter of time until someone figured this out and created an exploit.

    The easy solution is not to allow unknown code (applets) to replace (overload) system library code. Let applets only extend java.lang.Object or other classes from an Applet, and you're done.
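Added example, not part of the comment above: a check placed inside an overridable method, a subclass that replaces the method without the check, and a variant that closes that path. All class and method names are hypothetical, and the `final` modifier is used here as one standard Java way to prevent replacement; the comment itself proposes restricting which classes applets may extend.

```java
// Added illustration; all class and method names are hypothetical.
public class OverrideBypassDemo {

    // The pattern from the comment: the check sits in an overridable method.
    static class Resource {
        private final boolean callerTrusted;
        Resource(boolean callerTrusted) { this.callerTrusted = callerTrusted; }

        public String read() {
            if (!callerTrusted) throw new SecurityException("untrusted caller");
            return doRead();
        }
        protected String doRead() { return "sensitive data"; }
    }

    // Untrusted subclass: replaces read() and reaches the work without the check.
    static class UncheckedResource extends Resource {
        UncheckedResource() { super(false); }
        @Override public String read() { return doRead(); }
    }

    // Hardened: a final class cannot be extended, and the work is private,
    // so the check in read() is the only path to doRead().
    static final class HardenedResource {
        private final boolean callerTrusted;
        HardenedResource(boolean callerTrusted) { this.callerTrusted = callerTrusted; }

        public String read() {
            if (!callerTrusted) throw new SecurityException("untrusted caller");
            return doRead();
        }
        private String doRead() { return "sensitive data"; }
    }

    // Library code that trusts whatever Resource it is handed.
    static String serve(Resource r) {
        try { return r.read(); }
        catch (SecurityException e) { return "denied: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        System.out.println(serve(new Resource(false)));
        System.out.println(serve(new UncheckedResource()));
        try { new HardenedResource(false).read(); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Declaring a subclass of `HardenedResource` is rejected at compile time, so `serve`-style library code can no longer be handed a version of `read()` that skips the check.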