Re: question on recent Java virus affecting JRE/applets
Arne Vajhøj <arne@vajhoej.dk> writes:
The rumor about another security hole with no fix is difficult to
One can assume that for most wide-spread browsers, plug-ins
and operating systems, zero-day exploits are available for
money. Experience teaches that there always are more holes
already being exploited than known to the public. But this
does not only apply to Java.
According to "heise Verlag", a zero-day exploit for Chrome
or IE costs up to $ 200000, Firefox/Safari $ 150000, Windows
$ 120000, then Word, Flash, Java, Android and OS X, finally,
Flash $ 5000 - $ 30000. (http://heise.de/-1479675)
However, one might be able to restrict rights for the JVM
under Windows using integrity levels and Software
Restriction Policies, so that Java software still can
perform its benign activities. This gives an additional
container of security around the internal Java sandbox.
Most ways of infections via web browser can be avoided if
one disables ... not Java, but JavaScript.
If you download a jar and run it then it has full access
(as defined by the account running it) by default - and that
is not even a bug.
In this case, one has to "trust" the source anyway. But it
can happen that a program from a trustable source might have
been tampered with by a third party.
However, a jar can be decompiled, inspected and finally
recompiled, which is not possible in the case of many other
executable file types. Insofar, Java is safer.