Java Plugin a huge security risk? How to preseve Java plugin from privilege escalation?
Posted
by Johannes Weiß
on Super User
See other posts from Super User
or by Johannes Weiß
Published on 2009-09-17T21:56:47Z
Indexed on
2010/03/29
23:23 UTC
Read the original article
Hit count: 607
Installing a regular Java plugin is IMHO a real security risk for non-IT people. Normally Java applets run in a sandbox and the applet cannot do anything harmful to your computer.
If an applet, however, needs to do something like read-only accessing your filesystem e.g. uploading an image, you have to give it more privileges. Usually that's ok but I think not everyone knows that you give the applet the same privileges to your computer as your user has! And that's everything Java asks you:
That looks as 'harmful' as a self-signed SSL certificate on a random page where no sensitive data is exchanged. The user will click on Run
!
You can try that at home using JyConsole, that's Jython (Python on Java)!
Simply type in python code, e.g.
import os
os.system('cat /etc/passwd')
or worse DON'T TYPE IN THAT CODE ON YOUR COMPUTER!!!
import os
os.system('rm -rf ~')
...
Does anyone know how you can disable the possibily of privilege escalation? And by the way, does anyone know why SUN displays only a dialog as harmless as the one shown above (the self-signed-SSL-certificate-dialog from Firefox 3 and above is much clearer here!)?
Live sample from my computer:
© Super User or respective owner