Dailydave mailing list archives
Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L]4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code
From: "ol" <ol () uncon org>
Date: Mon, 27 Mar 2006 14:01:35 +0100
I am not a Java expert, but I think that the Java Verifier is NOT used onApps that >are executed with the Security Manager disabled (which I
believe
is the default >setting) or are loaded from a local disk (see "... applets loaded via the file system >are not passed through the byte code verifier" in http://java.sun.com/sfaq/) I believe that as of Java 1.2, all Java code except the core libraries
must
go through the verifier, unless it is specifically disabled (java -noverify). Note that Mustang will have a new, faster, better? verifier
and
that Sun has made the new design and implementation available to the community with a challenge to find security flaws in this important piece
of
their security architecture. https://jdk.dev.java.net/CTV/challenge.html. Kudos to Sun for engaging with the community this way.
Also don't forget about J2ME (which is till broken to my knowledge - if its not please correct me): http://www.packetstormsecurity.org/hitb04/hitb04-adam-gowdiak.pdf Sun only engaged people because they got burnt badly before: Java and Java Virtual Machine Security Vulnerabilities and their Exploitation Techniques http://www.lsd-pl.net/documents/javasecurity-1.0.0.pdf Security Aspects in Java Bytecode Engineering http://www.marc-schoenefeld.de/presentation/bh2002.php Hunting Flaws in JDK http://www.marc-schoenefeld.de/presentation/bh2003.php Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities http://secunia.com/advisories/18760/
Current thread:
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L]4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code ol (Mar 27)