UPDATE-DORK AWARD: Java creator James Gosling (via Don Box)

Don writes …

Huge Security Hole in Solaris and JVM

“I wonder how Gosling feels about Solaris and the JVM, both of which support execution of C and C++ code”

Comments (2)

  1. ron says:

    I think the distinction is that Sun and IBM go to great lengths to isolate higher-risk components and shield the rest of the system from them; Microsoft’s practice has been to deeply integrate high security-risk components with core functionality.

    Examples in the past include

    * entangling an internet browser with an OS

    * having an email reader execute arbitrary software

    * having unnecessary software (a windowing GUI) run on "servers"

    Sure, Solaris can execute C++ code; but when running arbitrary C++ code from some random company, you’re reasonably likely to be doing so using Solaris’s Zones (similar to BSD Jails); and you’re almost certainly not doing it with administrative privileges.

    I think Gosling’s point was that by softening the barriers between trusted and untrusted components, the .NET framework is missing out on security barriers that could protect against certain types of attacks that would be preventable in a design that forced a stronger separation.
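The JVM half of the argument above can be seen directly: native code is reachable from Java, but only through a permission check. This is an added example, not code from the page, from Don Box or from the commenter. It installs the stock SecurityManager and asks for a native library from a protection domain that holds no permissions; the library name `untrustedplugin` and the class name `NativeCodeGate` are assumptions, and the library does not need to exist because the check fails before the loader looks for a file. It needs a JDK that still ships the SecurityManager (on 17 and later, run with `-Djava.security.manager=allow`; it was removed in JDK 24).

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

/*
 * Added example, not from the original page or its commenters.
 * System.loadLibrary consults the installed SecurityManager, which demands
 * RuntimePermission("loadLibrary.<name>"). Code running under a
 * ProtectionDomain with no permissions cannot cross that barrier, so the
 * JVM can "execute C and C++ code" without untrusted Java code being able to.
 *
 * Assumptions: "untrustedplugin" is a hypothetical library name; no such
 * library has to exist, because the permission check runs before any file
 * lookup. Requires a JDK with the SecurityManager present (JDK 8 to 23;
 * on 17+ start the JVM with -Djava.security.manager=allow).
 */
public class NativeCodeGate {

    /** Tries to load a native library from a domain that holds no permissions. */
    static boolean untrustedLoadIsBlocked(String libraryName) {
        // The "random company's" code: a domain with an empty permission set.
        ProtectionDomain noPermissions = new ProtectionDomain(null, new Permissions());
        AccessControlContext untrusted =
            new AccessControlContext(new ProtectionDomain[] { noPermissions });

        try {
            // Run the load as though that domain were on the call stack.
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                System.loadLibrary(libraryName);
                return null;
            }, untrusted);
            return false; // only reachable if the check were skipped
        } catch (SecurityException e) {
            // Expected: access denied ("java.lang.RuntimePermission" "loadLibrary.untrustedplugin")
            return true;
        } catch (UnsatisfiedLinkError e) {
            // Would mean the permission check passed and the loader went looking for the file.
            return false;
        }
    }

    public static void main(String[] args) {
        // Install the default SecurityManager so that loadLibrary is actually checked.
        System.setSecurityManager(new SecurityManager());
        System.out.println("untrusted domain blocked: " + untrustedLoadIsBlocked("untrustedplugin"));
    }
}
```

The point of the check is where it sits: `SecurityManager.checkLink` runs before the runtime ever resolves a path, so an untrusted domain never gets as far as an `UnsatisfiedLinkError`. Whether a deployment keeps that barrier is a policy decision, which is why the commenter's remark about not running untrusted code with administrative privileges matters as much as the mechanism itself.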