Security Flaws in the HotJava Web Browser

October 1995

The growth of the Internet and the World Wide Web has led to demand
for Web extensions, such as the ability to run server-supplied code on
a Web client. We examine the HotJava Web browser and the Java
language in which it is implemented. We demonstrate several attacks
that compromise HotJava's security. Some of these attacks
are made possible by browser code that fails to enforce access
permissions; these flaws can be easily fixed. Others point to an underlying
tension between the openness desired by Web application writers and
the security desired by their users. We discuss the interaction of
application requirements and security needs and suggest how they can
both be accommodated.

For more information, please see http://www.cs.princeton.edu/~ddean/java

