[Discuss] Java 7 Deployment Rule Sets, or, I Was Right All Along

Richard Pieri richard.pieri at gmail.com
Thu Sep 26 19:11:57 EDT 2013


Back in the day when Netscape incorporated Java in their flagship 
product I was horrified. Not because of Java per se but because of how 
Netscape implemented it: any Java program would run more or less 
automatically upon load from a web page. This flew in the face of a 
fundamental security tenet: you only run programs that you choose to 
run. But here was Netscape trying to dominate the world with the 
"convenience" of Java applets right there with Sun backing Netscape all 
the way.

And then Microsoft followed suit with ActiveX.

And then all hell broke loose.

Fast forward to today. Oracle has announced and deployed a security 
update to Java 7 that will once and for all solve the problem of web 
browsers loading and launching rogue programs. It's called Deployment 
Rule Set and it prevents Java from running anything that isn't 
explicitly allowed by a site's administrators.

Java finally has an implicit deny/explicit allow security mechanism, and 
it's about damned time. It only took Sun + Oracle the better part of 20 
years to figure it out.

Bets on how long it will take the black hats to figure out how to bypass it?

-- 
Rich P.
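An added illustration of the implicit-deny/explicit-allow policy described in the post above; this is not part of the original message and is not Oracle's sample. A Deployment Rule Set is a ruleset.xml file packed into a JAR named DeploymentRuleSet.jar, signed with a certificate the client trusts, and installed in the system deployment directory. Rules are evaluated top to bottom and the first match wins, so the allow rules come first and a catch-all block rule with an empty id closes the list. The host name intranet.example.com is a constructed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ruleset.xml: allow only the applications an administrator has approved,
     and block everything else (explicit allow, implicit deny). -->
<ruleset version="1.0+">

  <!-- Explicit allow: applications served from this origin may run.
       The host is a constructed example, not a real deployment. -->
  <rule>
    <id location="https://intranet.example.com" />
    <action permission="run" />
  </rule>

  <!-- Catch-all rule: an <id/> with no attributes matches every
       application not matched above, so anything else is blocked. -->
  <rule>
    <id />
    <action permission="block">
      <message>This Java application is not on the approved list. Contact the service desk if you believe it should be.</message>
    </action>
  </rule>

</ruleset>
```

The file only takes effect once it is inside a signed DeploymentRuleSet.jar placed in the deployment directory (for example C:\Windows\Sun\Java\Deployment on Windows or /etc/.java/deployment on Linux); an unsigned or unreadable rule set is ignored and the client falls back to the ordinary security prompts, so checking that the rule set actually loads (the Java Control Panel lists the active rule set) is part of rolling it out.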



More information about the Discuss mailing list