JRE - Security Threat on browsers

 
Ranch Hand
Hi,
Recently, the JRE and Java apps running in browsers have come to be considered potential security threats. In Firefox, it is deactivated by default. Why is Java suddenly considered a security threat? Although nowadays we don't use applets for most browser applications (Rules round-up on JavaRanch could be an exception).
Is this security vulnerability applicable to server-side applications running on Java?

Thanks for sharing your thoughts on this.

Regards,
Omkar
 
Ranch Hand
Hello Omkar,

On the subject you might find this podcast transcript interesting. It talks about the issue you mention. Search for 'So there are unpatched problems' if you don't want to read the whole thing.

Best regards,

Yvette
 
Rancher
There's nothing "sudden" about this. There have been vulnerabilities (and attendant attacks) on client-side JVMs for at least 15 years, just like there have been on Flash, Silverlight and other client-side technologies ever since they were created.

What's changed is the mindset of people (certainly heightened recently by all the talk about what the NSA is up to), and (in client-side Java's case) a sense that it is outdated technology, so accepting the security weaknesses no longer outweighs the benefits of using it.
 
Author
Java has had vulnerability reports throughout most of its lifetime. Most of these were bugs in the underlying C code that implemented Java.

The recent Java exploits are a different breed entirely, in that they relied on 'pure Java'. They had nothing to do with C. Many of them were discovered 18 months ago by Security Explorations. They allowed Java applets to escape the Java sandbox and run with the same privileges as your web browser.

Server-side applications are a complex story... it depends on the framework you are using. Servlets running under programs like Apache Tomcat are vulnerable, as Tomcat uses Java's security sandbox to protect itself from malicious servlets. So today a malicious servlet could crash Tomcat or, worse, corrupt how it runs.
But other frameworks that don't use Java's SecurityManager are not vulnerable to these recent exploits.

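The "sandbox" the post above refers to is Java's SecurityManager: sensitive operations (file access, sockets, reflection, class loader creation) call into it, and a sandbox escape is code that reaches one of those operations without being stopped by that check. The following is an added example, written for this thread and not code from the post's author, from Tomcat or from the JDK. It installs a minimal SecurityManager that refuses file reads outside the working directory and shows the same read succeeding before the manager is installed and being refused afterwards. The class and method names (SandboxDemo, DenyOutsideReads, readAllowed) and the target path are constructed for the demo. Two caveats a practitioner would want: Tomcat only consults a SecurityManager when started with its -security option (catalina.sh run -security), which loads the grants from conf/catalina.policy, so a default Tomcat start runs servlets unrestricted; and the SecurityManager was deprecated for removal in JDK 17 (JEP 411), so this demo needs -Djava.security.manager=allow on JDK 17 to 23 and cannot run at all on JDK 24, where JEP 486 disabled it permanently.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.Permission;

// Constructed demo of a SecurityManager-based sandbox.
// Not code from the thread, from Tomcat or from the JDK.
public class SandboxDemo {

    // Denies read access to any file outside the JVM's working directory;
    // every other permission is granted so the demo stays focused on one check.
    static class DenyOutsideReads extends SecurityManager {
        private final String allowedDir =
                new File(System.getProperty("user.dir")).getAbsolutePath();

        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission && perm.getActions().contains("read")) {
                String path = new File(perm.getName()).getAbsolutePath();
                if (!path.startsWith(allowedDir)) {
                    throw new SecurityException("sandbox: read denied for " + path);
                }
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // Returns false when the SecurityManager vetoes the read, true otherwise.
    // A missing file also yields true here: the point is the check, not the file.
    static boolean readAllowed(String path) {
        try {
            new File(path).canRead();   // File.canRead() calls SecurityManager.checkRead(path)
            return true;
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Placeholder path outside the working directory; any such path will do.
        String outside = File.listRoots()[0].getPath() + "outside-sandbox.txt";

        System.out.println("no manager installed : " + readAllowed(outside));
        System.setSecurityManager(new DenyOutsideReads());
        System.out.println("manager installed    : " + readAllowed(outside));
    }
}
```

Compile with javac and run with `java -Djava.security.manager=allow SandboxDemo` (the property is only required from JDK 17 on). The first line prints `true` and the second prints `false` preceded by the `blocked:` message. The design point is that the sandbox is only as strong as the set of code paths that actually call `checkPermission`: the pure-Java escapes the post describes worked by reaching a privileged operation through a JDK path that skipped or bypassed that call, which is why no fix in the C layer could have closed them and why a server that never installs a manager has nothing for such an exploit to escape from in the first place.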
 
Sheriff
By what vectors can malicious servlets be injected into a Tomcat instance?
 