Dailydave mailing list archives
Re: MMS + Java
From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 14 Apr 2010 11:48:22 +0200
> So we released an exploit for Sami's new class of vulnerabilities in Java (which is awesome, btw - everyone should read that).
> http://slightlyrandombrokenthoughts.blogspot.com/
It's not a new class of bugs. This pattern (mentioned in the URL above):

| Based on my very brief analysis, Java 6 update fixes this problem by
| altering the Statement.invoke() to use the AccessControlContext
| captured at the moment of instantiation when it uses the reflection.

can be found throughout the JDK when certain callback schemes which would otherwise act as a bypass for callstack-based security checks are used. But kudos to Sami for finding this new instance---I specifically looked for such problems earlier this year, and didn't see this one.
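The pattern discussed in this message, as a toy Python model added here for illustration (not code from the post, from the linked write-up, or from the JDK): a deferred call that is checked only against the stack present at invoke time, next to one that captures its creator's context at instantiation. All names (`call`, `check_permission`, `NaiveStatement`, `CapturingStatement`, `run_scenario`) are hypothetical, and the model assumes a check passes only when every domain on the stack holds the permission.

```python
# Toy model of Java-style stack inspection (constructed; not JDK code).
# A check passes only if every protection domain on the stack has the permission.
_stack = []  # domains of the active frames, innermost last
TRUSTED = frozenset({"exec", "read"})  # stands in for JDK classes
UNTRUSTED = frozenset({"read"})        # stands in for sandboxed code

def call(domain, fn, *args):
    """Run fn as code belonging to domain (pushes one frame)."""
    _stack.append(domain)
    try:
        return fn(*args)
    finally:
        _stack.pop()

def check_permission(perm):
    if any(perm not in domain for domain in _stack):
        raise PermissionError(perm)

def sensitive_operation():
    check_permission("exec")
    return "executed"

class NaiveStatement:
    """Deferred call checked only against the stack present at invoke time."""
    def __init__(self, target):
        self.target = target
    def invoke(self):
        return self.target()

class CapturingStatement(NaiveStatement):
    """Snapshots the creator's domains and re-imposes them at invoke time."""
    def __init__(self, target):
        super().__init__(target)
        self.context = tuple(_stack)  # hypothetical AccessControlContext stand-in
    def invoke(self):
        mark = len(_stack)
        _stack.extend(self.context)
        try:
            return self.target()
        finally:
            del _stack[mark:]

def run_scenario(statement_cls):
    """Untrusted code builds the statement; a trusted callback path invokes it."""
    stmt = call(UNTRUSTED, statement_cls, sensitive_operation)
    try:
        return call(TRUSTED, stmt.invoke)
    except PermissionError:
        return "denied"
```

`run_scenario(NaiveStatement)` returns `"executed"` because the creator's frame is gone by the time the check runs, while `run_scenario(CapturingStatement)` returns `"denied"`.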