Java Plugin a huge security risk? How to preseve Java plugin from privilege escalation?

Posted by Johannes Weiß on Super User See other posts from Super User or by Johannes Weiß
Published on 2009-09-17T21:56:47Z Indexed on 2010/03/29 23:23 UTC
Read the original article Hit count: 604

Filed under:
|
|
|

Installing a regular Java plugin is IMHO a real security risk for non-IT people. Normally Java applets run in a sandbox and the applet cannot do anything harmful to your computer.

If an applet, however, needs to do something like read-only accessing your filesystem e.g. uploading an image, you have to give it more privileges. Usually that's ok but I think not everyone knows that you give the applet the same privileges to your computer as your user has! And that's everything Java asks you:

Java security question

That looks as 'harmful' as a self-signed SSL certificate on a random page where no sensitive data is exchanged. The user will click on Run!

You can try that at home using JyConsole, that's Jython (Python on Java)!

Simply type in python code, e.g.

import os
os.system('cat /etc/passwd')

or worse DON'T TYPE IN THAT CODE ON YOUR COMPUTER!!!

import os
os.system('rm -rf ~')

...

Does anyone know how you can disable the possibily of privilege escalation? And by the way, does anyone know why SUN displays only a dialog as harmless as the one shown above (the self-signed-SSL-certificate-dialog from Firefox 3 and above is much clearer here!)?

Live sample from my computer: jyconsole sample

© Super User or respective owner

Related posts about java

Related posts about plugin