> On a closely related vein, Sun has announced that they are severely limiting some functions in HotJava - from Risks-17-45:
The problems found, however, were not fundamental flaws in the Java language itself nor in the Java virtual machine. As I've said many times, you can pretty much rip any i/o capability out of Java by changing the runtime class libraries. If someone finds a way to defeat the Java bytecode verifier/class loader and replace a class in java.* with a more powerful one, then that will be really significant.
> I had a rather lengthy discussion with a gentleman from Sun at the CSI conference last Tuesday night, and this announcement follows many of the things we discussed very closely. This kind of consistency between what people say and what the company published is refreshing, and it restores my faith in Sun's desire to do things well. Of course there are still some problems left unresolved:
[denial of service problems deleted.]
> Similarly, if your HotJava allows an insecure Postscript implementation to interpret postscript files, you're still beat.
This is not a flaw or a feature. If you download a helper app off the internet that has a flaw, it's not a flaw in the browser. Claiming that it is, is like claiming that "ftp" or "nfs" has a fatal flaw because it allows you to execute untrusted binaries from other computers. Helper apps are in the category of third party add-ons and the responsibility for their correct implementation rests on the companies which sell them. Netscape never claimed the ability to allow users to download executable binary applications from the net and run them without risk. Netscape doesn't come with a postscript interpreter nor does it have one configured by default, so if the user installs one and configures it, and it has a security flaw, it's not Netscape's fault. Installing helper apps is not "easy" compared with clicking on a Java applet, so any user who does it must at least be somewhat knowledgeable. If a postscript interpreter is implemented in JDK Beta, and it is insecure and it is allowed to interpret postscript files, nothing bad will happen.
> I do think that this response by Sun, regardless of the technical merits of the particulars, demonstrates a desire to improve protection and a willingness to listen. My compliments for that.
They've never demonstrated otherwise in my entire history on the Java mailing lists. Their whole mission is to produce a secure environment for executing untrusted applications. The alphas and betas of every product have problems; it's to be expected. The whole point of releasing a beta is so that you can get feedback.

-Ray
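An added illustration of the class-loader check Ray's first paragraph rests on (my own code, not from Sun or from either poster): a custom ClassLoader is refused when it tries to define a class whose name starts with "java.", before the bytes are even parsed, and malformed bytes under an allowed name are then stopped by the class-file parser. The class names and the junk byte array are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;

/*
 * Shows two of the checks standing between untrusted code and a replaced
 * java.* class: the "prohibited package name" check in ClassLoader, and the
 * class-file parser's rejection of bytes that are not a valid class file.
 */
public class ProhibitedPackageDemo {

    /** Minimal loader that exposes the protected defineClass call. */
    static class RawLoader extends ClassLoader {
        Class<?> define(String name, byte[] bytes) {
            return defineClass(name, bytes, 0, bytes.length);
        }
    }

    // Constructed, deliberately invalid class bytes: not a real class file.
    private static final byte[] JUNK =
        "not a class file".getBytes(StandardCharsets.US_ASCII);

    /** True if the loader rejects a java.* name before parsing the bytes. */
    public static boolean rejectsJavaPackageName() {
        try {
            new RawLoader().define("java.lang.Evil", JUNK);
            return false;                   // would mean a java.* class was defined
        } catch (SecurityException e) {     // "Prohibited package name: java.lang"
            return true;
        }
    }

    /** True if a non-java.* name still fails because the bytes are not a class file. */
    public static boolean rejectsMalformedBytes() {
        try {
            new RawLoader().define("demo.Evil", JUNK);
            return false;
        } catch (ClassFormatError e) {      // thrown by the class-file parser
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.* name rejected:     " + rejectsJavaPackageName());
        System.out.println("malformed bytes rejected: " + rejectsMalformedBytes());
    }
}
```

Both methods return true on a current JDK; defeating either check, rather than a weak helper app, is the kind of result Ray says would be really significant.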