JavaRanch » Java Forums » Engineering » Security
JRE - Security Threat on browsers

Omkar Shetkar
Ranch Hand

Joined: Jun 22, 2006
Posts: 41

Hi,
Recently, the JRE and Java apps running in browsers have come to be considered potential security threats. In Firefox, it is deactivated by default. Why is Java suddenly considered to be a security threat? Although, nowadays we don't use applets for most browser applications (Rules Round-up on JavaRanch could be an exception).
Is this security vulnerability applicable to server-side applications running on Java?

Thanks for sharing your thoughts on this.

Regards,
Omkar


http://writingsontech.blogspot.in/
Yvette Schat
Ranch Hand

Joined: Dec 05, 2011
Posts: 56
Hello Omkar,

On the subject you might find this podcast transcript interesting.
It talks about the issue you mention. Search for 'So there are unpatched
problems' if you don't want to read the whole thing.

Best regards,

Yvette
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
There's nothing "sudden" about this. There have been vulnerabilities (and attendant attacks) on client-side JVMs for at least 15 years, just like there have been on Flash, Silverlight and other client-side technologies ever since they were created.

What's changed is the mindset of people (certainly heightened recently by all the talk about what the NSA is up to), and, in client-side Java's case, a sense that it is outdated technology, so accepting the security weaknesses no longer outweighs the benefits of using it.


Ping & DNS - updated with new look and Ping home screen widget
David Svoboda
Author
Greenhorn

Joined: Oct 21, 2013
Posts: 13

Java has had vulnerability reports throughout most of its lifetime. Most of these were bugs in the underlying C code that implemented Java.

The recent Java exploits are a different breed entirely, in that they relied on 'pure Java'. They had nothing to do with C. Many of them were discovered 18 months ago by Security Explorations. They allowed Java applets to escape the Java sandbox and run with the same privileges as your web browser.

Server-side applications are a complex story; it depends on the framework you are using. Servlets running under programs like Apache Tomcat are vulnerable, as Tomcat uses Java's security sandbox to protect itself from malicious servlets. So today a malicious servlet could crash Tomcat or, worse, corrupt how it runs.
But other frameworks that don't use Java's SecurityManager are not vulnerable to these recent exploits.


[Java Coding Guidelines] and [The CERT Oracle Secure Coding Standard for Java] are from the [CERT Secure Coding Initiative]
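Added example (written for this page, not code from the thread, from Tomcat or from CERT): a small Java program showing the SecurityManager sandbox David refers to, with one permission granted to confined code and a file read refused. The class name SandboxDemo and the granted and denied actions are my own choices; it assumes a JDK on which a SecurityManager can still be installed (8 through 17; on 18 and later, start the JVM with -Djava.security.manager=allow).

```java
import java.io.File;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

// Hypothetical class name. Illustrates the mechanism Tomcat relies on when it
// is started with a SecurityManager: untrusted code only gets the permissions
// its policy grants, and every sensitive call is checked against them.
public class SandboxDemo {

    // Runs an action under a protection domain holding only the permissions
    // given, the way a restrictive policy confines a web application's code
    // source. Any checkPermission the action triggers is evaluated against
    // this domain, not against the (fully trusted) code that set it up.
    static <T> T runConfined(Permissions granted, PrivilegedAction<T> action) {
        ProtectionDomain confined = new ProtectionDomain(null, granted);
        AccessControlContext ctx =
            new AccessControlContext(new ProtectionDomain[] { confined });
        return AccessController.doPrivileged(action, ctx);
    }

    public static void main(String[] args) {
        // Without an installed SecurityManager no permission checks happen at all.
        System.setSecurityManager(new SecurityManager());

        Permissions granted = new Permissions();
        granted.add(new PropertyPermission("java.version", "read"));

        // Permitted: reading java.version was granted above.
        String version = runConfined(granted,
            () -> System.getProperty("java.version"));
        System.out.println("allowed: java.version=" + version);

        // Refused: no FilePermission was granted, so File.exists() fails its
        // checkRead even though main() itself is trusted application code.
        try {
            runConfined(granted, () -> new File("/etc/passwd").exists());
            System.out.println("unexpected: file access was allowed");
        } catch (AccessControlException e) {
            System.out.println("blocked: " + e.getPermission());
        }
    }
}
```

The sandbox escapes David mentions work by obtaining permissions this check should have denied; a server that runs without any SecurityManager never performs the check in the first place, which is why those particular bugs do not apply to it.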
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60050

By what vectors can malicious servlets be injected into a Tomcat instance?


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]