[Discuss] Java 7 Deployment Rule Sets, or, I Was Right All Along
Richard Pieri
richard.pieri at gmail.com
Thu Sep 26 23:26:37 EDT 2013
The security issues with Java and ActiveX and Flash and so forth have
nothing to do with Turing-completeness. The issues arise from
fundamentally insecure architectures. To wit, these run-times have
access to the underlying systems.
Local privilege escalation.
A program running in a browser, whether natively or via a plug-in or
some other mechanism, is running locally. If it can exploit a local
privilege escalation vulnerability then it just owned the box. This is
how the vast majority of malware gets deployed these days. Bits of Java
or JavaScript embedded in "invisible" image or video files are executed
when the browser plugins run them. These bits of code exploit local
privilege escalation vulnerabilities then install their payloads.
Either a program has permission to run or it doesn't. The language or
run-time or interpreter doesn't matter to this simple yes/no switch.
--
Rich P.
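The yes/no switch described in the post is exactly what a Java 7 Deployment Rule Set expresses. The ruleset below is an added example, not part of the original message or of any project's files: it allows one internal applet location and blocks everything else with a message to the user. The hostnames are constructed placeholders.

```xml
<!-- ruleset.xml, packaged as DeploymentRuleSet.jar and signed with a
     certificate the client JRE trusts; the hostnames are constructed
     placeholders, not real deployments. -->
<ruleset version="1.0+">

    <!-- Allow: the single internal application that must keep running.
         Pinning the JRE version keeps a stale plugin from being reached. -->
    <rule>
        <id location="https://intranet.example.internal" />
        <action permission="run" version="1.7*" />
    </rule>

    <!-- Default-deny: any RIA not matched above is refused outright,
         so there is no prompt for the user to click through. -->
    <rule>
        <id />
        <action permission="block">
            <message>Java content is blocked by policy. Contact the help desk if an internal application needs it.</message>
        </action>
    </rule>

</ruleset>
```

Rules are matched top to bottom and the first match wins, so the catch-all `<id />` rule must come last. The signed jar goes in the JRE's system deployment directory (for example `C:\Windows\Sun\Java\Deployment` on Windows or `/etc/.java/deployment` on Linux); the plugin reads it on the next launch, and the Java Control Panel shows which rule set is active.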