Many of the points made in the article go well above matters of language vulnerabilities. Sure, Java has built-in insulation against buffer overruns. So does a properly designed C application. Nothing is free, including Java's safety and insulation.

The problem they're pointing out is much deeper. There seems to be a headlong dash to add more eye candy and whizz-bang functionality that is completely useless. For example, when was the last time you really *needed* to embed code in an email? This impacts less obvious user-level security issues - marketing companies truly love all of the HTML-rendering email clients in the world where a customized image tag in each message sent lets them know that your email address is valid as soon as your oh-so-friendly emailer opens their email unbidden. There is a price to be paid for too much flexibility, and security is part of it.

Whether written in Java or hand-coded assembler, the same issues are still there.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/315/10148#10148