Java Plugin a huge security risk? How to preseve Java plugin from privilege escalation?

Posted by Johannes Weiß on Super User See other posts from Super User or by Johannes Weiß
Published on 2009-09-17T21:56:47Z Indexed on 2010/03/29 23:23 UTC
Read the original article Hit count: 573

Filed under:

java

|

plugin

|

security

|

privileges

Installing a regular Java plugin is IMHO a real security risk for non-IT people. Normally Java applets run in a sandbox and the applet cannot do anything harmful to your computer.

If an applet, however, needs to do something like read-only accessing your filesystem e.g. uploading an image, you have to give it more privileges. Usually that's ok but I think not everyone knows that you give the applet the same privileges to your computer as your user has! And that's everything Java asks you:

Java security question

That looks as 'harmful' as a self-signed SSL certificate on a random page where no sensitive data is exchanged. The user will click on Run!

You can try that at home using JyConsole, that's Jython (Python on Java)!

Simply type in python code, e.g.

import os
os.system('cat /etc/passwd')

or worse DON'T TYPE IN THAT CODE ON YOUR COMPUTER!!!

import os
os.system('rm -rf ~')

...

Does anyone know how you can disable the possibily of privilege escalation? And by the way, does anyone know why SUN displays only a dialog as harmless as the one shown above (the self-signed-SSL-certificate-dialog from Firefox 3 and above is much clearer here!)?

Live sample from my computer: jyconsole sample

© Super User or respective owner

Related posts about java

Tomcat 6: Access Control Exception?

as seen on Server Fault - Search for 'Server Fault'
I'm trying to setup a tomcat6 server, and I'm trying to match another setup someone else established. However, my deployment (default Ubuntu install) uses a policy.d/ directory structure, and the established server just uses a catalina.policy file. I've tried setting every entry in policy.d to match… >>> More
Problem in creation MDB Queue connection at Jboss StartUp

as seen on Stack Overflow - Search for 'Stack Overflow'
I am not able to create a Queue connection in JBOSS4.2.3GA Version & Java1.5, as I am using MDB as per the below details. I am putting this MDB in a jar file(named utsJar.jar) and copied it in deploy folder of JBOSS, In the test env. this MDB works well but in another env. [ env settings and… >>> More
failing to establish connection between Postgres db and gwt

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I am using Postgres and gwt 2.0 for one of my applications. I am facing problem connecting to the database. When I try to connect it gives "ClassNotFoundException". Here is what I get when I try to connect to database: java.lang.ClassNotFoundException: org.postgresql.Driver at java.net… >>> More
failing to establish connection between postgre db and gwt

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, For i am using postgre and gwt 2.0 for one of my applications. I am facing problem connecting to the database. When i try to connect it gives "ClassNotFoundException". Here is what i get when i try to connect to database: java.lang.ClassNotFoundException: org.postgresql.Driver at java.net… >>> More
Migration and deployement problems JBoss 4.2.2.GA to JBoss 6.0.0.M2

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I'm trying to migrate an application running on JBoss 4.2.2.GA to JBoss 6.0.0.M2 I give you some log to explain my problem : boot.log : 2010-03-16 09:59:29,406 ERROR [org.jboss.system.server.profileservice.ProfileServiceBootstrap] (Thread-2) Failed to load profile: Summary of incomplete deployments… >>> More

Related posts about plugin

Unity completely broken after upgrade to 12.10?

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I am facing a very frustrating issue with my computer right now. I successfully upgraded to Ubuntu 12.10 this afternoon, but after the upgrade, the graphical user interface seems completely broken. To be more specific, I can not get the Unity bar to appear on the right. I have tried many things,… >>> More
Ubuntu 13.10 unity won't load from this morning

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I turned on my pc this morning and unity will not load at all. I have tried loading it manually using ctrl+alt+f1 and all i got from it was the following:- compiz (core) - Info: Loading plugin: core compiz (core) - Info: Starting plugin: core compiz (core) - Info: Loading plugin: ccp compiz (core)… >>> More
Unity not Working 14.04

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I am using Ubuntu 14.04 LTS x64. I did a sudo apt-get upgrade yesterday and restarted my PC. Now my taskbar and panel are missing. When I try to restart Unity using unity --replace Then I get error: unity-panel-service stop/waiting compiz (core) - Info: Loading plugin: core compiz (core) - Info:… >>> More
MySQL Syslog Audit Plugin

as seen on Oracle Blogs - Search for 'Oracle Blogs'
This post shows the construction process of the Syslog Audit plugin that was presented at MySQL Connect 2012. It is based on an environment that has the appropriate development tools enabled including gcc,g++ and cmake. It also assumes you have downloaded the MySQL source code (5.5.16 or higher) and… >>> More
Why does this Maven command produce a LifecycleExecutionException?

as seen on Stack Overflow - Search for 'Stack Overflow'
COMMAND: mvn org.apache.maven.plugins:maven-archetype-plugin:2.0-alpha-4:generate \ -DarchetypeGroupId=org.beardedgeeks \ -DarchetypeArtifactId=gae-eclipse-maven-archetype \ -DarchetypeVersion=1.1.2 \ -DarchetypeRepository=http://beardedgeeks.googlecode.com/svn/repository/releases ERROR: +… >>> More