Posts by Arto Huusko

Or registry

Yeah, or finding out what java versions are installed and where from the Windows registry.

I once wrote a native Windows app that embedded Java installation. The first step I did was to read the installation path of the latest Java version from registry.

This is not Oracle's problem, rather it seems that the JNBridge product is just being lazy and it assumes it can find java from a fixed location.

As for Enterprise desktop apps, where tried and tested versions of all components are important, just bundle a preinstalled JRE with your product. Don't rely on the desktop JRE, which can be any version. Been there, done that also.

Re: Is there a more secure VM?

The vulnerabilities are not in Java VM (hotspot). The vulnerabilities are in the Java security policy system, that runs on top of the VM, as normal Java code.

The policy system works like this

- any operation provided by Java that accesses the resources or the environment of the host computer, or various sensitive operations within the Java runtime, are considered privileged

- programs always see and try to invoke those operations

- but the implementation of the operation queries the policy system, and checks if the operation is allowed

This is no different from what the operating system does. It provides all operations to all applications, but when the operations are called, the system policy checks whether the operation is actually allowed.

By default, for desktop applications, the Java policy allows all actions.

Now, when code is run inside the browser plugin, a very strict security policy is in place. It denies operations such as accessing local files, opening network connections, and so on. And what's important, it also denies operations that attempt to modify the security policy.

The vulnerabilities are in the policy system it self. The holes allow java code to turn off the policy system, and thus gain access to all privileged operations.