WebApp Sec mailing list archives
Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L]4 Questions: Latest IE vulnerability, Firefox vs IE security,Uservs Admin risk profile,and browsers coded in 100% Managed Verifiable code
From: "ol" <ol () uncon org>
Date: Mon, 27 Mar 2006 14:01:35 +0100
I am not a Java expert, but I think that the Java Verifier is NOT used onApps that >are executed with the Security Manager disabled (which I
believe
is the default >setting) or are loaded from a local disk (see "... applets loaded via the file system >are not passed through the byte code verifier" in http://java.sun.com/sfaq/) I believe that as of Java 1.2, all Java code except the core libraries
must
go through the verifier, unless it is specifically disabled (java -noverify). Note that Mustang will have a new, faster, better? verifier
and
that Sun has made the new design and implementation available to the community with a challenge to find security flaws in this important piece
of
their security architecture. https://jdk.dev.java.net/CTV/challenge.html. Kudos to Sun for engaging with the community this way.
Also don't forget about J2ME (which is till broken to my knowledge - if its not please correct me): http://www.packetstormsecurity.org/hitb04/hitb04-adam-gowdiak.pdf Sun only engaged people because they got burnt badly before: Java and Java Virtual Machine Security Vulnerabilities and their Exploitation Techniques http://www.lsd-pl.net/documents/javasecurity-1.0.0.pdf Security Aspects in Java Bytecode Engineering http://www.marc-schoenefeld.de/presentation/bh2002.php Hunting Flaws in JDK http://www.marc-schoenefeld.de/presentation/bh2003.php Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities http://secunia.com/advisories/18760/ ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- RE: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Jeff Williams (Mar 27)
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Stephen de Vries (Mar 27)
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 28)
- [Full-disclosure] Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 28)
- RE: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Eric Swanson (Mar 27)
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 28)
- [Full-disclosure] Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 28)
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L]4 Questions: Latest IE vulnerability, Firefox vs IE security,Uservs Admin risk profile,and browsers coded in 100% Managed Verifiable code ol (Mar 27)
- <Possible follow-ups>
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Stephen de Vries (Mar 29)
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Stephen de Vries (Mar 27)