Thursday, May 10, 2007

Java Security Holes Getting Worse

There was a nice article yesterday in eWeek about how Java security is actually getting worse. The story is based on presentations at Java One both this year and last, comparing security changes over the year.

An interesting point is that Java is susceptible to XSS.

But what the article didn't go over was buffer overflows. Possible -- but not likely -- in Java, but interesting to note, in any case.

As for buffer overflows, Java by default checks the size of inputs, making it better at preventing buffer overflows than other languages. C and assembly, for example, don't check buffer sizes. A developer has to specifically add code in these languages to check buffers and block overflows.

But, at the same time, Java is used for connecting web systems to back end systems, often running C and assembly. So, it can potentially pass overflows through to susceptible systems. That is if the size of the overflow is small enough to get past the Java checks but big enough to do damage on the back end system. And, that's possible, but still a big if.

There's some good links in the article to other Java security resources and a Java One presentation.


Post a Comment

<< Home