Bugtraq mailing list archives

[LSD] Codes for Java and JVM security vulnerabilities


From: Last Stage of Delirium <contact () lsd-pl net>
Date: Wed, 12 Feb 2003 13:19:30 -0800


Hello,

We have finally released the codes for security vulnerabilities in Java Virtual
Machine implementations that were discussed in our Java/JVM security paper.
They can be downloaded from the projects section of our website.

There are two issues that should be cleared out with regard to the released
codes.

1] The Bytecode Verifier vulnerability from March 2002 is only exploitable in
   Netscape on UNIX systems. This is due to the fact that runtime method
   invocation is done slightly differently in JIT compiled code on Win32 and UNIX.
   So, in order to test this vulnerability on Win32 you need to disable the JIT
   compiler first (remove the jit3240.dll library from your Netscape installation
   directory).
2] The Symantec JIT compiler bug is only exploitable in Netscape on Win32/x86.


Best Regards,
Members of LSD Research Group
http://lsd-pl.net


