Java viruses (was Re: Mail Viruses - True or false?)

[Thomas Dowling]

Jamie McCarthy wrote:
[snip]

> > I do suspect that Java can be used to hack via e-mail.  If
> > you use Microsoft Outlook, that will automatically load all HTML files...
> > I wonder if you could just put a java script / java in there to run a
> > virus file?  Please correct me if I am wrong.
> 
> Java runs in a "sandbox" which cannot harm your computer or its
> files in any way.  That's the theory, and so far the theory has held
> up pretty well.

This oversimplifies a little, doesn't it?  For most users, "Java"
equates to their particular browser's or OS's Java implementation, and
it seems like every major release has had security holes that could be
exploited.  So while Java itself may have an acceptable security record,
that doesn't necessarily mean that someone using Internet ExCommunicator
version X.y can rest easy.  Java (and Javascript) can also be used to
mount denial of service attacks.
<URL:http://ciac.llnl.gov/ciac/javasecure.html> and
<URL:http://java.sun.com/sfaq/denialOfService.html> for more
authoritative info.  Neither of these pages is particularly current, but
the problems they describe haven't gone away.

Obvious-caveat-which-can't-be-stressed-enough-so-I'll-do-it-again: this
is something *completely* different from the ubiquitous "Join the Crew"
or "Good Times" hoaxes, which have been pretty thoroughly covered on
this list from time to time.  Those hoaxes measure their success in the
number of person-hours wasted worrying about them.  Estimating the
average list subscriber has spent one minute reading this thread (this
time), multiplying by about 3000 subscribers...it's a pretty successful
little "virus" isn't it?