Java Code Signing vs. Sandboxing

The Java sandbox was bypassed many times in recent years, and Java established itself as one of the major attack vectors in drive-by downloads. To mitigate the problem, Oracle decided to only allow applets signed by a trusted CA (i.e. no unsigned or self-signed applets), since this at least increases the effort needed by a malware author. Also, certificates used for signing can be revoked to limit the impact of a certificate that was used to sign malware. This change to the platform was made in 2013 with Java 7u21.

This does not mean that all these signed applets run outside the sandbox. To cite Oracle:

As of 7u21, signing no longer automatically equates to privileged execution, ...

Thus whether an applet runs with privileged execution depends on the exact way it was embedded and on the permissions it implicitly or explicitly requests. With Java 7u51 further restrictions were added, and all applets must now declare the list of permissions they need.
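The permission declaration the post refers to lives in the JAR manifest, in the Permissions attribute (sandbox or all-permissions), optionally accompanied by a Codebase attribute that restricts where the signed JAR may be deployed from. The following added example (my own code, not from the original post or from Oracle) builds three constructed, unsigned JARs in memory with different manifests and classifies each one the way a defender triaging applets might: sandboxed, fully privileged, privileged but deployable from any codebase, or missing the attribute altogether. The manifest contents and the classification labels are constructed for illustration; the attribute names Permissions and Codebase are the real ones.

```python
import io
import zipfile

# Constructed sample manifests (not taken from the original post). "Permissions"
# and "Codebase" are the real JAR manifest attributes the Java plugin evaluates.
PRIVILEGED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Permissions: all-permissions\r\n"
    "Codebase: *\r\n"
    "\r\n"
)
SANDBOXED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Permissions: sandbox\r\n"
    "Codebase: applets.example.test\r\n"
    "\r\n"
)
# Pre-7u51 style manifest with no Permissions attribute at all.
LEGACY_MANIFEST = "Manifest-Version: 1.0\r\nCreated-By: 1.6.0\r\n\r\n"


def build_jar(manifest: str) -> bytes:
    """Build a minimal, unsigned JAR in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        # Placeholder entry; not real bytecode, just the class-file magic bytes.
        jar.writestr("Applet.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def parse_main_attributes(manifest: str) -> dict:
    """Parse the main section of a JAR manifest (up to the first blank line).

    Attribute names are case-insensitive, so keys are stored lowercased.
    A line starting with a single space continues the previous attribute's
    value (the manifest format wraps long lines this way).
    """
    attrs = {}
    last_key = None
    for raw in manifest.splitlines():
        if raw == "":
            break  # end of the main section; per-entry sections follow
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # malformed line: skip instead of crashing on odd input
        last_key = key.strip().lower()
        attrs[last_key] = value.strip()
    return attrs


def classify_jar(jar_bytes: bytes) -> str:
    """Return a constructed triage label based on the manifest's Permissions."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = parse_main_attributes(manifest)
    perms = attrs.get("permissions", "").lower()
    if perms == "":
        # Required since 7u51; an applet without it is not run by default.
        return "no-permissions-attribute"
    if perms == "sandbox":
        return "sandbox"
    if perms == "all-permissions":
        # A privileged JAR with no Codebase (or "*") can be re-hosted anywhere,
        # so a stolen or leaked signing key is worth more to an attacker.
        if attrs.get("codebase", "") in ("", "*"):
            return "all-permissions-any-codebase"
        return "all-permissions"
    return "unknown"  # anything else is malformed; treat it as suspicious


if __name__ == "__main__":
    for name, m in [("privileged", PRIVILEGED_MANIFEST),
                    ("sandboxed", SANDBOXED_MANIFEST),
                    ("legacy", LEGACY_MANIFEST)]:
        print(name, "->", classify_jar(build_jar(m)))
```

This only reads the manifest; it says nothing about whether the signature is valid or whose certificate is on it. That check belongs to `jarsigner -verify -verbose -certs applet.jar`, which prints the signer chain you would then compare against your trusted CAs and revocation data.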

Apart from that, it is recommended to remove the Java plugin completely for security reasons, or at least to make applets click-to-play, which is now the default in several browsers.
