[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Java flaw is in bytecode verifier



In Article: <[email protected]>, Hal <[email protected]> wrote:
# From http://java.sun.com/sfaq/960327.html:
# > Researchers at Princeton recently found an implementation bug in the Java
# > bytecode Verifier. The Verifier is a part of Java's runtime system which
# > certifies that applets downloaded over the Internet adhere to Java's
# > language safety rules. Through a sophisticated attack, a malicious applet
# > can exploit this bug to delete a file or do other damage.

# This is one of the more worrisome places for a bug to exist.  Much of
# Java's security rests in the claim that it can screen for and detect bad
# bytecode sequences.  This screening code is extremely critical for Java
# security and I am surprised to see that it was implemented in a flawed
# manner.

# I've been writing Java quite a bit in the last couple of weeks, and I
# find that I have crashed my browser, whether Netscape or appletviewer,
# many times.  Granted some of my code has been pretty buggy, but it's
# still not supposed to crash the browser.  Obviously some of the runtime
# checks are not being done properly.  I had expected that the bug would
# be in these areas, something like the stack overflows that we have seen
# cause problems in the past.  A simple error in the bytecode verifier
# (if that is what this really is) seems like a more fundamental security
# flaw.

# The researchers have still not released full details on the bug, although
# they had planned to do so by the end of March.  Maybe they are waiting
# for the fix to be distributed.

As I keep saying (multiple times, in multiple forums) "Java is still in
Beta-Test."  Sun acks/grocks this, although Netscape ships most of their
production-level browsers with Java enabled by default.

The primary reason for releasing beta software is to catch any discrepancies
between the documented behaviour and the implimented behaviour of a product.
Bugs WILL be found in beta testing.

To reiterate: "If you insist on being on the bleeding edge, you WILL bleed."

This has been a test of the emergency reality-check service.
Had this been a real reality-check, the software in question would be labeled
"golden" and you would be provided with a "[email protected]" email address
to contact for your product.

Again this is only a test, and is (as such) non flamable.  Any party that might
take offense to this message should re-read the contents of the message, and
either A) re-evaluate their perception of it, or B) re-evaluate their
practices.

--
[email protected]