Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: 4 Questions: Latest IE vulnerability,Firefox vs IE security, Uservs

from [Jeff Williams] Network Security [Permanent Link]
Subject: Re: 4 Questions: Latest IE vulnerability,Firefox vs IE security, Uservs Admin risk profile, and browsers coded in100% Managed Verifiable code
Date: Tue, 28 Mar 2006 22:52:36 -0500 
Jeff, as you can see by Stephen de Vries's response on this thread,
you are wrong in your assumption that most Java code (since 1.2)
must go through the Verifier (this is what I was sure it was
happening since I remembered reading that most Java code executed
in real-world applications is not verified)


Wow.  I ran some tests too, and Stephen is absolutely right.  It appears
that Sun quietly turned off verification by default for bytecode loaded from
the local disk (not applets).  They've apparently
(http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4030988), acknowledged
that it is a bug, and said that it will not be fixed.  The change had
something to do with compatibility with old bytecode.  More details
(http://www.cafeaulait.org/reports/accessviolations.html) 

This is a clear violation of the JVM Spec. And (regardless of protestation
to the contrary) it IS a big security problem.  Just because bytecode is
loaded from the local disk does not mean it's trustworthy.  Every
application uses lots of libraries that developers download from the
Internet (as compiled jar files) and loaded from the local disk.  Unless you
run with "java -verify" that code won't get verified.

I'm sure that the percentage of applications that are running with both
verification and sandbox is terrifyingly small.  Probably only applets and
maybe Java Web Start applications.  As I mentioned before some of the J2EE
servers are now enabling a sandbox, but their security policies are
generally wide open.

I think there are two relatively easy things we can do here. First, let's
find out what plans Sun has for the new verifier -- we should strongly
encourage them to turn it on by default.  Second, we can work on ways to
encourage people to use sandboxes -- tools, articles, and awareness.

--Jeff




-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] Re: Java integer overflows (was: a really long topic), michaelslists
Next by Date:  [Full-disclosure] Re: [Owasp-dotnet] Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in100% Managed Verifiable code, michaelslists
Previous by Thread:  Request for licence to help in Owasp's SiteGenerator Development, Dinis Cruz
Next by Thread:  [Full-disclosure] Re: [Owasp-dotnet] Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in100% Managed Verifiable code, michaelslists
Indexes:  [Date] [Thread] [Top] [All Lists]