[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Java security weaknesses



To add to the list of Java security weaknesses from the Princeton paper
I posted the other day, I saw a new one on comp.lang.java this
afternoon.  It is another bug in the bytecode verifier, different from
the one discovered by the Princeton group, that allows you to bypass
the security mechanisms completely.  Details are not yet available.

Apparently the earlier bytecode verifier bug still does not have a fix
available.  However the nature of the bug itself was kept secret until
last week.  Now that it is out I hope Sun and Netscape will push to get
the fix available ASAP.  The bug appears to require considerable
sophistication to exploit (understanding the details of the class
resolution mechanism).  Still with the talent which is out there on the
net I imagine it will only be another week or two at most before a
demonstration exploit appears.

I hope the extended delay in making the fix available means that an
intensive review of the code is being conducted, so that for example this
other bug will have been fixed as well in the new release.  I certainly
hope that it won't be another month before a fix comes out for this new
bug.

Hal