The security issues with Java and ActiveX and Flash and so forth have
nothing to do with Turing-completeness. The issues arise from
fundamentally insecure architectures. To wit, these run-times have
access to the underlying systems.

Local privilege escalation.

A program running in a browser, whether natively or via a plug-in or
some other mechanism, is running locally. If it can exploit a local
privilege escalation vulnerability then it just owned the box. This is
how the vast majority of malware gets deployed these days. Bits of Java
or JavaScript embedded in "invisible" image or video files are executed
when the browser plugins run them. These bits of code exploit local
privilege escalation vulnerabilities then install their payloads.

Either a program has permission to run or it doesn't. The language or
run-time or interpreter doesn't matter to this simple yes/no switch.
--
Rich P.
_______________________________________________
Discuss mailing list
http://lists.blu.org/mailman/listinfo/discuss