[ Changed 20th March 1997 ]
We survey some of the major security flaws found in Java-enabled web browsers from Sun, Netscape, and Microsoft over the last 15 months. While numerous issues have been found throughout the system, the worst problems come from type safety failures in the implementations that allow an attacker to run arbitrary machine code. Several of the type safety failures can be traced to dynamic linking. We examine a formal model of dynamic linking, and find some necessary conditions for safety.