Spyware :: Information :: Java
Unlike ActiveX objects, Java security relies completely on the rules given by the security manager. By default applets can not execute arbitrary system commands, or open system device drivers such as CD-ROMs and disk drives. They also normally have very limited file reading and writing permissions. In most cases it's not possible to read and write to files locally using Java. There are many limitations in place for Java Applets, for example, they can only communicate to the server that distributed the applet.
With these measures in place it can be particularly risky if there is a security hole discovered in Java, with ActiveX, the certificate would most likely be revoked if anything malicious was happening. With Java however, any security holes found could be exploited endlessly on many systems until the security patch is released and even then and takes time for a reasonable number of users to be updated. Many security holes and bugs have been discovered over the years, back in 1996 there was bug discovered which could be exploited to delete files on the user's local disk. The infamous KillerApp could also be used to crash the users system and force the user to restart, this was discovered in 1998. Other bugs have been found since then and not all have to fixed.
Browsers such and Netscape and Opera usually give users the option to download Java (Java virtual machine) from Sun Microsystems (Java VM) during installation, however Internet Explorer comes with it's own Virtual machine - Microsoft VM. Due to some legal issues the Microsoft VM will not be included in Internet Explorer from January 2004.
Java and Spyware
While most spyware components (hijackers especially) get on to people systems through ActiveX, it is possible for spyware to use these security weaknesses in Java to try and infect the users system. A bug discovered in October 2000 allows the system to automatically run signed or unsigned ActiveX scripts by the use of Java without the users permission (ActiveXComponent bug). This bug has been fixed and also some virus checkers will recognise the code and not permit it to run. This is particularly dangerous as the ActiveX object could do anything at all like remove files from your disks. Some spyware programs have used this technique, TinyBar, for instance, installs using this method. Because of the method of install any programs using this method tend to be classified as Trojans.
Another more recent bug only affecting the Microsoft VM, is the bytecode verifier bug, which was also exploited by some Spyware programs, this was discovered in 2003. The ByteCode Verifier checks the validity of code before it is passed into the virtual machine, there is a problem in which certain sequences of byte codes can bypass this validity check and then subsequent bypassing security checks. The result of this is that the attacker could execute their own code on the user's machine, which could be used to do potentially anything such as remove files. Hijackers such as approvedlinks.com use this exploit to automatically install their software.
Only a few spyware programs use Java security holes to install themselves automatically, they and are normally no longer classified as spyware if this is the case and normally get classes as a type of virus. The small number using this type of install is probably because profiting by carrying out this kind of install can be considered illegal. By using ActiveX companies are much safer when it comes to the law as the user does have to confirm the install when their security settings are in place. Because some security holes in Java haven't been fixed yet many people consider turning off Java when browsing a much safer option to use.