WebApp Sec mailing list archives

Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code

From: "Brian Eaton" <eaton.lists () gmail com>
Date: Wed, 29 Mar 2006 10:46:05 -0500

On 3/28/06, michaelslists () gmail com <michaelslists () gmail com> wrote:

no, a browser written in java would not have buffer overflow/stack
issues. the jvm is specifically designed to prevent it ...

-- Michael

On 3/29/06, Pavel Kankovsky <peak () argo troja mff cuni cz> wrote:

On Mon, 27 Mar 2006, Brian Eaton wrote:

If I run a pure-java browser, for example, no web site's HTML code is
going to cause a buffer overflow in the parser.


Even a "pure-java browser" would rest on the top of a huge pile of native
code (OS, JRE, native libraries). A seemingly innocent piece of data
passed to that native code might trigger a bug (perhaps even a buffer
overflow) in it...

Unlikely (read: less likely than a direct attack vector) but still
possible.


Pavel is talking about native code, which the JVM needs to interface
to the rest of the OS.  Native code can have buffer overflows, and
those bugs can be exploitable.

For example: http://www.appsecinc.com/resources/alerts/general/WEBSPHERE-001.html

The risk is several orders of magnitude less, but it is there.

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------

Current thread:

Re: [Full-disclosure] Re: Java integer overflows (was: a really long topic), (continued)
- - - Re: [Full-disclosure] Re: Java integer overflows (was: a really long topic) Eliah Kagan (Mar 28)
    - Re: [Full-disclosure] Re: Java integer overflows (was: a really long topic) michaelslists (Mar 28)
    - Re: [Full-disclosure] Re: Java integer overflows (was: a really longtopic) michaelslists (Mar 28)
    - Re: [Full-disclosure] Re: Java integer overflows (was: a really longtopic) Eliah Kagan (Mar 28)
    - [Full-disclosure] Re: Java integer overflows (was: a really longtopic) michaelslists (Mar 28)
    - Re: Java integer overflows (was: a really long topic) Eoin (Mar 29)
    - Re: [Full-disclosure] Java integer overflows (was: a really long topic) Simon Roberts (Mar 29)
    - RE: [Full-disclosure] Java integer overflows (was: a really long topic) Tim Hollebeek (Mar 30)
    - Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code michaelslists (Mar 28)
    - Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code Andrew van der Stock (Mar 28)
    - Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 29)
    - Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 29)