Java Security Issues Addressed in Internet Explorer 3.0
Last reviewed: September 29, 1997
Article ID: Q154559
The information in this article applies to:
SUMMARY
With Microsoft Internet Explorer version 3.0, Microsoft has adhered to the Java security specification set forth by Sun Microsystems, which dictates that Java programs run in what is known as a "sandbox." A "sandbox" is an area in memory outside of which the program cannot make calls. This prevents Java programs from being able to call low-level system functions that could cause data corruption or other damage. Microsoft also includes code-signing detection in Internet Explorer that notifies the user whether the Java program was created by a trusted publisher and shows a warning message if the publisher is not trusted or if the program is not signed.
MORE INFORMATION
Code signing (as implemented with Authenticode) and the Java sandbox approach are two methods used to provide security in Internet Explorer. Microsoft has the most secure sandbox available today in Internet Explorer 3.0, and will continue to add capabilities to it. However, as published reports in the last six months have shown, sandboxing by itself is inadequate to offer a satisfactory level of security. It is also unlikely that sandboxing will ever be able to offer a rich enough set of capabilities for many programs.

For that reason, Microsoft offers Authenticode as an additional level of security. Authenticode provides users with accountability, because it positively identifies the publisher of a piece of code. These two security methods augment each other. Some programs run fine within the robust sandbox provided in Internet Explorer, but signed code can be run with a higher degree of assurance, whether inside the sandbox or out. Users want their browsers to support both capabilities, and that is why Microsoft is including both in Internet Explorer.

Code signing is also an industry-wide initiative. Netscape and JavaSoft have publicly announced their intention to support it, and the World Wide Web Consortium is currently discussing a Microsoft code-signing submission.
KBCategory: kbref
© 1998 Microsoft Corporation. All rights reserved.