I am not a Java expert, but I think that the Java Verifier is NOT used on
Apps that >are executed with the Security Manager disabled (which I
believe
is the default >setting) or are loaded from a local disk (see "... applets
loaded via the file system >are not passed through the byte code verifier"
in http://java.sun.com/sfaq/)
I believe that as of Java 1.2, all Java code except the core libraries
must
go through the verifier, unless it is specifically disabled (java
-noverify). Note that Mustang will have a new, faster, better? verifier
and
that Sun has made the new design and implementation available to the
community with a challenge to find security flaws in this important piece
of
their security architecture. https://jdk.dev.java.net/CTV/challenge.html.
Kudos to Sun for engaging with the community this way.
Also don't forget about J2ME (which is till broken to my knowledge - if its
not please correct me):
http://www.packetstormsecurity.org/hitb04/hitb04-adam-gowdiak.pdf
Sun only engaged people because they got burnt badly before:
Java and Java Virtual Machine Security Vulnerabilities and their
Exploitation Techniques
http://www.lsd-pl.net/documents/javasecurity-1.0.0.pdf
Security Aspects in Java Bytecode Engineering
http://www.marc-schoenefeld.de/presentation/bh2002.php
Hunting Flaws in JDK
http://www.marc-schoenefeld.de/presentation/bh2003.php
Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities
http://secunia.com/advisories/18760/
-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
