2000-04-21-10:36:06 Tally:
> this is about maliciuos java applets often called as hostile
> applets.
They're a worry, all right. Javascript likewise.
> however the applets always run in the JVM and cannot access system
> resources.
So the designers and marketers of Java have enjoyed claiming since
the beginning. However, Java is unfortunately not a terribly
well-designed language, for this (or any other) purpose. In this
area, the noteworthy problem is that the specification of of the
sandbox at the virtual machine level is sufficiently complex that it
is not correctly implemented. People keep finding problems with the
implementations that allow writing hostile applets that can break
out of the constraints that are supposed to be applied by the JVM.
In addition, it's very hard to define the needed the security
restrictions, the ones you must appy when depositing a Java[script]
interpreter in a browser and allowing it to run downloaded code from
untrusted sources. As CERT CA-2000-02[1] pointed out, Java[script]
can interact badly with un-checked echoing of content back from a
server --- content that "you" submitted --- allowing the author of a
link to cause your browser to do things you didn't intend.
> hence if this is the case then where is the hostile part in such
> applets.
If what the java designers and marketers have said were true, then
hostile applets weren't be a problem. Sadly, java designers aren't
very skilled, and java markets are lying vermin.
-Bennett
[1] <URL:http://www.cert.org/advisories/CA-2000-02.html>
PGP signature
