Full Disclosure mailing list archives
Re: [Owasp-dotnet] Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in100% Managed Verifiable code
From: michaelslists () gmail com
Date: Wed, 29 Mar 2006 15:04:28 +1100
I wonder if you could disable the default security manager with unverified code. Probably. Hmm. -- Michael On 3/29/06, Jeff Williams <jeff.williams () aspectsecurity com> wrote:
Jeff, as you can see by Stephen de Vries's response on this thread, you are wrong in your assumption that most Java code (since 1.2) must go through the Verifier (this is what I was sure it was happening since I remembered reading that most Java code executed in real-world applications is not verified)Wow. I ran some tests too, and Stephen is absolutely right. It appears that Sun quietly turned off verification by default for bytecode loaded from the local disk (not applets). They've apparently (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4030988), acknowledged that it is a bug, and said that it will not be fixed. The change had something to do with compatibility with old bytecode. More details (http://www.cafeaulait.org/reports/accessviolations.html) This is a clear violation of the JVM Spec. And (regardless of protestation to the contrary) it IS a big security problem. Just because bytecode is loaded from the local disk does not mean it's trustworthy. Every application uses lots of libraries that developers download from the Internet (as compiled jar files) and loaded from the local disk. Unless you run with "java -verify" that code won't get verified. I'm sure that the percentage of applications that are running with both verification and sandbox is terrifyingly small. Probably only applets and maybe Java Web Start applications. As I mentioned before some of the J2EE servers are now enabling a sandbox, but their security policies are generally wide open. I think there are two relatively easy things we can do here. First, let's find out what plans Sun has for the new verifier -- we should strongly encourage them to turn it on by default. Second, we can work on ways to encourage people to use sandboxes -- tools, articles, and awareness. --Jeff ------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 _______________________________________________ Owasp-dotnet mailing list Owasp-dotnet () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/owasp-dotnet
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in100% Managed Verifiable code Jeff Williams (Mar 28)
- Re: [Owasp-dotnet] Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in100% Managed Verifiable code michaelslists (Mar 28)
- Message not available