Thursday, February 10, 2011

Java Security

When Java was new, one of the language's touted features was its safety: it ran programs in its virtual machine inside a "sandbox" intended to thwart malicious code. Running untrusted code under a trusted monitor is a useful idea, and it's an approach Adobe is adopting for its applications, which have been the target of attacks lately.

However good the sandbox approach is, Java has had quite a few exploitable vulnerabilities. Brian Krebs has uncovered exploit packs available in the criminal underground that target Java. For these exploit packs to be useful to attackers, there needs to be a large enough installed base that the exploits will be effective. Java's ubiquity and number of vulnerabilities, together with the lack of automatically installed updates (and don't get me started about the updater always wanting to install a browser toolbar!), mean there is a wide base of computers on the Internet that can be successfully attacked.

A surprising denial-of-service vulnerability in Java was brought to light this week: parsing a particular set of floating-point numbers from string data (or even compiling a Java program that contains one of these numbers as a literal) causes a denial of service. Today, Oracle widely publicized the patch for the problem. I hope this particular event brings the issue of keeping Java up to date to the fore so we can reduce the number of computers vulnerable to the "bad guys".
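The general lesson of that bug is that a parser handed attacker-controlled input can become a denial-of-service vector on its own, so untrusted numeric strings deserve the same input validation and resource limits as any other untrusted data. The following wrapper is an added example written for this post, not code from the original article or from Oracle: it restricts the accepted grammar, caps input length, and runs the parse on a separate thread under a time budget. The length limit, the 200 ms budget, and the regular expression are assumptions chosen for illustration, not values from any advisory.

```java
import java.util.concurrent.*;
import java.util.regex.Pattern;

/** Defensive wrapper for parsing doubles from untrusted input (added example). */
public final class SafeDoubleParser {
    // Strict decimal grammar; deliberately excludes NaN, Infinity, hex floats
    // and type suffixes that Double.parseDouble would otherwise accept.
    private static final Pattern DECIMAL =
        Pattern.compile("[+-]?(\\d+\\.?\\d*|\\.\\d+)([eE][+-]?\\d+)?");
    private static final int MAX_LEN = 64;          // assumed cap on input length
    private static final long TIMEOUT_MS = 200;     // assumed parse time budget

    // Cached pool with daemon threads: if one parse ever hangs, later calls are
    // served by a fresh thread and a stuck thread cannot keep the JVM alive.
    private static final ExecutorService PARSER = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "untrusted-double-parser");
        t.setDaemon(true);
        return t;
    });

    /** Parses s, or throws IllegalArgumentException if it is malformed or too slow. */
    public static double parse(String s) {
        if (s == null || s.length() > MAX_LEN || !DECIMAL.matcher(s).matches()) {
            throw new IllegalArgumentException("rejected numeric input");
        }
        Future<Double> result = PARSER.submit(() -> Double.parseDouble(s));
        try {
            return result.get(TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            result.cancel(true);   // best effort; a tight loop may ignore the interrupt
            throw new IllegalArgumentException("numeric parse exceeded time budget");
        } catch (ExecutionException | InterruptedException e) {
            throw new IllegalArgumentException("numeric parse failed", e);
        }
    }

    public static void main(String[] args) {
        System.out.println(parse("3.14159e2"));     // 314.159
        try {
            parse("0x1p-1022");                      // valid for parseDouble, rejected here
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The time budget turns a hang into a fast failure for the caller; applying the vendor patch is still the actual fix, and this wrapper only limits the blast radius on an unpatched runtime.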
