by Someone1234 3705 days ago
No disputing that bugs can be written in any language. But by avoiding C/C++ you're excluding a specific class of bugs which have historically proved harmful.

You can write exploitable code in Java. But you'd actually have to try if you wanted Java to be able to write arbitrary memory or execute arbitrary code.

Essentially any bug that can be written in Java/Go/Rust/etc can be written in C/C++. But some C/C++ bugs are extremely uncommon in other languages, or you have to actually TRY to introduce them.


> But you'd actually have to try if you wanted Java to be able to write arbitrary memory or execute arbitrary code.

Depends on your definition of arbitrary. Higher level languages have higher level exploits. While injecting x86 shellcode into a java process is probably hard, many java applications have been vulnerable to serialization bugs which result in the execution of arbitrary bytecode.

Source: http://www.darkreading.com/informationweek-home/why-the-java...
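A defender-side illustration of the Java serialization issue mentioned above, added here and not part of the thread: a Java 9+ `ObjectInputFilter` allowlist that refuses to instantiate any class outside an expected set, so an unexpected class in the stream is rejected before its `readObject` ever runs. The package `com.example.model` is an assumed placeholder.

```java
import java.io.*;

// Constructed example, not from the thread: allowlist-based deserialization.
public class SafeDeserialize {
    // Only our own model classes (assumed package) plus a few JDK types may be
    // deserialized; the trailing "!*" rejects everything else.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "com.example.model.*;java.lang.String;java.util.ArrayList;!*");

    static Object read(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);   // Java 9+ API
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a serialized String, which the allowlist permits.
        System.out.println(read(serialize("hello")));

        // Constructed input: a serialized HashMap, which is not on the list.
        try {
            read(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            // The filter rejects the class; no HashMap is ever constructed.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be installed process-wide with the `jdk.serialFilter` system property instead of per stream.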

Nobody is saying RCE is impossible in memory safe languages, just much less likely.

And this needs to be said more: "RCE is possible in Rust", because sometimes it is portrayed in almost unassailable terms.

It also needs to be said that this is generally not a reasonable reason to pick C over Rust. Memory-safe languages are effective defenses against these flaws.

Intent doesn't matter; results do. This is a heatmap problem - there's simply more 'C'/C++ code out there.

I'm pretty sure there is more (and a greater variety of) net facing Java code than C/C++ code.

You may be right. I'm just thinking that everything has an O/S and it's probably written largely in 'C'. So much will depend on how you measure it.

I tend to ignore the web as much as possible.