Sandboxing is a great security technique. In theory it isolates programs running in it from the rest of the system it is running on, therefore, preventing the spread of malware, escalation of privileges, data compromise and all sorts of other problematic interference. In the browser context, a Java applet is intended to be downloaded automatically when a user visits the server it is stored on and run inside the protected walls of a secure sandbox. It’s a good model… when it works.
Sometimes it doesn’t, as demonstrated by the latest in a growing line of Java exploits, described in an article by the Institution of Engineering and Technology, where theory and practice fail to converge:
By using a vulnerability in a Java reflection API, which has been the target of recent attacks, Forshaw was able to disable the Java sandbox and perform actions under the privileges of the logged in user, including reading and writing files and executing new programs.
In general, Java’s security model is much more robust than some of its alternatives, but it never hurts to remind ourselves that it isn’t perfect. No software of any real complexity is. This is why you have to assume that any security defense can and will be breached, and architect a solution that is resilient in the face of such a failure.
Another aspect of Java that works against the good guys stems from one of its greatest strengths: its cross-platform nature. In other words, a developer can write code once and have it run on Windows, Linux, Mac OS and so on. Generally speaking, that’s a good thing. However, it also means that the bad guys can write exploits that cut across a wide range of platforms. Previously, such a feat would have been far more difficult because each OS was unique.
Yet another area of concern is that while we continue to learn of more and more vulnerabilities in Java, we are also becoming keenly (and painfully) aware of just how many people are running old versions of it on their systems, leaving them open to an increasing number of threats.
A recent report from Websense asserts that only 1 out of 20 systems is running the latest version of Java and that 94% of systems were vulnerable to a recently discovered flaw.
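Finding the stale installs that the Websense numbers describe starts with knowing which Java version each machine actually runs. The following Python is an added example, not code from the original post or from Websense: it parses the version line that `java -version` prints (to stderr), normalises Java's two numbering schemes (the legacy `1.7.0_21` form and the `11.0.2` form used from Java 9 on) into comparable tuples, and flags hosts below a baseline. The host names, the captured output and the baseline release are all constructed placeholders; substitute the current patched release for the baseline when running it against a real inventory.

```python
import re

# Matches the first line `java -version` writes to stderr, for example
#   java version "1.7.0_21"
#   openjdk version "11.0.2" 2019-01-15
_VERSION_LINE_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')

# Version string components: <a>.<b>.<c>_<update>, any part after <a> optional.
_VERSION_PARTS_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?")


def parse_java_version(version_str):
    """Normalise a Java version string to a comparable (major, minor, update) tuple.

    Legacy scheme (Java 8 and earlier): "1.7.0_21" -> (7, 0, 21)
    Modern scheme (Java 9 and later):   "11.0.2"   -> (11, 0, 2)
    """
    m = _VERSION_PARTS_RE.match(version_str)
    if not m:
        raise ValueError(f"unrecognised Java version string: {version_str!r}")
    a, b, c, update = (int(x) if x is not None else 0 for x in m.groups())
    if a == 1:
        # Legacy numbering: the real major version is the second field.
        return (b, c, update)
    # Modern numbering: major.minor.security
    return (a, b, c)


def extract_version(java_version_output):
    """Return the quoted version string from `java -version` output, or None if absent."""
    m = _VERSION_LINE_RE.search(java_version_output)
    return m.group(1) if m else None


def audit_inventory(inventory, baseline):
    """Classify each host as 'outdated', 'current' or 'absent' relative to baseline.

    inventory: mapping of host name -> captured `java -version` stderr text
    baseline:  (major, minor, update) tuple; anything older is flagged
    """
    report = {"outdated": [], "current": [], "absent": []}
    for host, output in sorted(inventory.items()):
        version = extract_version(output)
        if version is None:
            report["absent"].append(host)
        elif parse_java_version(version) < baseline:
            report["outdated"].append((host, version))
        else:
            report["current"].append((host, version))
    return report


# Constructed sample inventory (placeholder hosts and captured output, not real data).
SAMPLE_INVENTORY = {
    "ws-001": 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment (build 1.6.0_37-b06)\n',
    "ws-002": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)\n',
    "ws-003": 'openjdk version "11.0.2" 2019-01-15\nOpenJDK Runtime Environment 18.9 (build 11.0.2+9)\n',
    "ws-004": "bash: java: command not found\n",
    "ws-005": 'java version "1.7.0_13"\n',
}

# Placeholder baseline (assumed, not taken from the post): Java 7 update 21.
BASELINE = (7, 0, 21)

if __name__ == "__main__":
    result = audit_inventory(SAMPLE_INVENTORY, BASELINE)
    total = len(SAMPLE_INVENTORY)
    print(f"outdated: {len(result['outdated'])}/{total} -> {result['outdated']}")
    print(f"current:  {len(result['current'])}/{total} -> {result['current']}")
    print(f"no Java:  {result['absent']}")
```

Hosts without Java are reported separately rather than counted as safe or unsafe; they have no applet exposure, but an inventory that silently drops them would hide machines where the probe itself failed.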
Ouch! And in this case, the sandbox is leaking a lot more than just sand …