Robert

Note also that we did not use Date’s clone method to make the defensive copies. Because Date is nonfinal, the clone method is not guaranteed to return an object whose class is java.util.Date: it could return an instance of an untrusted subclass that is specifically designed for malicious mischief. Such a subclass could, for example, record a reference to each instance in a private static list at the time of its creation and allow the attacker to access this list. This would give the attacker free rein over all instances. To prevent this sort of attack, do not use the clone method to make a ...
Robert
This is venturing too deep into "making your Java app secure against malicious code," which a blurb here and there is wholly inadequate for. For example, what do you even know about your runtime? Can it give the attacker access to the class loader? Instead, this should really just say something like "This is for defending against mistakes, but for Java security, here's a recommendation for where to learn more."
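As an added illustration of the highlighted passage (this is not code from the book or from the commenter; the class and method names Span, start and end are assumed), a small immutable class that makes its defensive copies with the Date copy constructor rather than clone, and a check showing why the two differ when a Date subclass is passed in:

```java
import java.util.Date;

// Added example, not code from the book: an immutable time span that copies
// its Date arguments with the copy constructor instead of Date.clone().
public final class Span {
    private final Date start;
    private final Date end;

    public Span(Date start, Date end) {
        // Copy first, then validate the copies: a Date subclass supplied by
        // the caller gets no chance to change value between check and use.
        this.start = new Date(start.getTime());
        this.end = new Date(end.getTime());
        if (this.start.compareTo(this.end) > 0) {
            throw new IllegalArgumentException(this.start + " after " + this.end);
        }
    }

    // Accessors hand out copies too, so callers cannot mutate the fields.
    public Date start() { return new Date(start.getTime()); }
    public Date end()   { return new Date(end.getTime()); }

    public static void main(String[] args) {
        Date s = new Date(0);
        Date e = new Date(60_000);
        Span span = new Span(s, e);
        e.setTime(-1);                             // caller mutates its own object
        System.out.println(span.end().getTime());  // the span's end is unaffected

        // An anonymous Date subclass stands in for the untrusted subclass the
        // passage describes. clone() keeps the runtime class of its receiver;
        // the copy constructor always yields an exact java.util.Date.
        Date sub = new Date(5) { };
        Object cloned = sub.clone();
        System.out.println("clone() gave java.util.Date: "
                + (cloned.getClass() == Date.class));
        Span fromSub = new Span(sub, new Date(10));
        System.out.println("copy constructor gave java.util.Date: "
                + (fromSub.start().getClass() == Date.class));
    }
}
```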
Effective Java