Page History

In Java SE 6 and Java SE 7, privileged code must either use the AccessController mechanism or be signed by an owner (or provider) whom the user trusts. Attackers could link privileged code with malicious code if the privileged code directly or indirectly invokes code from another package. Trusted JAR files often contain code that requires no elevated privileges itself, but that depends on privileged code; such code is known as security-sensitive code. If an attacker can link security-sensitive code with malicious code, he or she can indirectly cause incorrect behavior. This is called a mix-and-match attack.

Execution Normally, execution of untrusted code causes loss of privileges; the Java security model rescinds priveleges when a trusted method invokes an untrusted one. When trusted code calls untrusted code that attempts to perform some action requiring permissions withheld by the security policy, the Java security model disallows that action is not allowed. However, privileged code may use a class that exists in an untrusted container and performs only unprivileged operations. If the attacker were to replace the class in the trusted untrusted container with a malicious implementationclass, the trusted code might retrieve receive incorrect results and cause the privileged code to misbehave at the attack's discretiondiscretion of the malicious code.

According to the Java API \[[EMA 2011|AA. References#EMA 2011]\]:

...

...