[Isolate-interest] Naïve vs. malicious
Curt Cox
ccox at tripos.com
Wed Jul 13 10:29:30 EDT 2005
The following anecdote isn't directly related to JSR-121, but I thought it
might be of interest to readers of this list.
It originally appeared at the link below, and has been copied here as a
convenience.
http://www.ibiblio.org/javafaq/shortindex.shtml
"A data point of some interest: I graded a recent applet homework for my
Intro to Java course on Safari 2.0 using Java 1.4.2 (not the recent update).
4 of the 20 assignments managed to crash my browser at least once. If Apple
wants to debug their VM, they could do worse than ask a bunch of
undergraduates to write some applets. I suspect the students tend to do
things no experienced programmer would be likely to do, and hence uncover
bugs that would normally be missed. Remember, any web page or applet that
can crash the browser is a potential denial of service attack that indicates
a bug in the browser, even if the applet is itself buggy.
Of course, Apple is hardly the only vendor with this problem. Last semester
one of my students crafted an applet that succeeded in immediately powering
down any Windows box that tried to run it, as if somebody had flipped the
power switch or unplugged the box. My Mac was unaffected. None of these
students have been looking for such problems. They've all stumbled across
them by accident. Java may be hardened against expert attacks, but it's got
a ways to go before it can stand up to undergraduates."
- Elliotte Rusty Harold