[4895] in WWW Security List Archive
Shockwave, Java and ActiveX
daemon@ATHENA.MIT.EDU (Gary McGraw)
Tue Mar 25 23:49:13 1997
Date: Tue, 25 Mar 1997 20:18:41 -0500 (EST)
From: Gary McGraw <gem@rstcorp.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
>From: Prentiss Riddle <riddle@is.rice.edu>
>Anybody have anything to add?
Just that I predict the problem discovered in shockwave is really only
the tip of the iceberg with regard to plugins. Lots of press has been
generated over Java security over the last year and a half. More
recently, everyone is gabbing on about ActiveX versus Java (no
security versus an imperfect sandbox). The *very same* issues are
involved in using browser plugins and push technology. Plugins
usually make possible new forms of executable content. So we need to
apply the key take-home lesson of Java security to these systems as
well...
What's that lesson? Manage your risks. Educate yourself about the
dangers of executable content, determine what (if anything) you have
to lose, and set up an appropriate policy.
Dr. Gary McGraw
p.s. See the Java Security Web Site for information about the book I
wrote with Ed Felten, called "Java Security: Hostile Applets, Holes, &
Antidotes" <http://www.rstcorp.com/java-security.html>.