Java has a wonderful security model that almost perfectly balances usability with security. Pulling off this delicate balancing act took a lot of smart people, a lot of code, and a complex set of checks. And for the most part it works! Unfortunately, as any security expert will tell you, complexity increases the chances that something will break, and Java's security model is complex. Java's sandbox has been violated several times, and even applets that break none of the rules can mount annoying denial-of-service attacks.
There are thousands of hackers interested in exploiting malicious mobile code. Entire groups, like Germany's Computer Chaos Club, take a professional, team approach to hacking Java. Everyone wants to be the first to "prove how insecure Java is." Fortunately, there are a few dozen highly skilled professional groups working to find the latest exploit before malicious hackers can.
Probably the most famous group analyzing Java is Princeton University's Safe Internet Programming team (SIP) (http://www.cs.princeton.edu/sip). Using support garnered from both public and private entities, SIP is the premier research group studying mobile code systems. They have a serious bent toward Java, but they are the group to talk to about any malicious code exploit. The team includes several other university groups, graduate students dedicated to debugging Java, and JavaSoft's own security team.
Java was released ...