WebApp Sec: Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L]4 Questions: Latest IE vulnerability, Firefox vs IE security,Uservs Admin risk profile,and browsers coded in 100% Managed Verifiable code

From: ol <ol_at_uncon.org>
Date: Mon, 27 Mar 2006 14:01:35 +0100

> > I am not a Java expert, but I think that the Java Verifier is NOT used on
> > Apps that are executed with the Security Manager disabled (which I believe
> > is the default setting) or are loaded from a local disk (see "... applets
> > loaded via the file system are not passed through the byte code verifier"
> > in http://java.sun.com/sfaq/)
>
> I believe that as of Java 1.2, all Java code except the core libraries must
> go through the verifier, unless it is specifically disabled (java
> -noverify). Note that Mustang will have a new, faster, better? verifier and
> that Sun has made the new design and implementation available to the
> community with a challenge to find security flaws in this important piece of
> their security architecture. https://jdk.dev.java.net/CTV/challenge.html.
> Kudos to Sun for engaging with the community this way.

Also don't forget about J2ME (which is still broken to my knowledge - if it's
not please correct me):
http://www.packetstormsecurity.org/hitb04/hitb04-adam-gowdiak.pdf

Sun only engaged people because they got burnt badly before:

Java and Java Virtual Machine Security Vulnerabilities and their
Exploitation Techniques
http://www.lsd-pl.net/documents/javasecurity-1.0.0.pdf
Security Aspects in Java Bytecode Engineering
http://www.marc-schoenefeld.de/presentation/bh2002.php
Hunting Flaws in JDK
http://www.marc-schoenefeld.de/presentation/bh2003.php
Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities
http://secunia.com/advisories/18760/
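The quoted reply above points out that, from Java 1.2 on, all non-core classes pass through the bytecode verifier unless it is switched off with `java -noverify`. As an added example that is not code from this thread or from Sun, the following Python check lets a defender scan JVM command lines (taken from a process listing or from launch scripts) for instances started with verification disabled. The option names are HotSpot's real ones (`-noverify`, `-Xverify:none`, `-Xverify:remote`, `-Xverify:all`); the process listing is constructed for illustration, and treating the last repeated flag as the effective one is an assumption of this example.

```python
"""Find JVM launch lines that run with bytecode verification disabled.

Added example, not part of the original mailing-list thread.
"""
import shlex

# Flags that set the verifier mode. -noverify and -Xverify:none switch
# verification off; -Xverify:remote (the HotSpot default) verifies only
# classes loaded by non-bootstrap class loaders; -Xverify:all verifies
# every class, including the core libraries.
VERIFY_FLAGS = {
    "-noverify": "disabled",
    "-Xverify:none": "disabled",
    "-Xverify:remote": "remote-only",
    "-Xverify:all": "all",
}

# JVM options that consume the following token, so that token must not be
# mistaken for the main class name.
OPTIONS_WITH_ARG = {"-cp", "-classpath", "--class-path", "-p", "--module-path"}


def verifier_mode(cmdline: str) -> str:
    """Return the effective verifier mode for one java command line.

    Only tokens before the main class, -jar or -m are JVM options; anything
    after them belongs to the application and is ignored. When a verify flag
    is repeated, this example (an assumption) takes the last one as effective.
    """
    mode = "remote-only"  # HotSpot default when no flag is given
    tokens = shlex.split(cmdline)
    i = 1  # skip the launcher itself ("java")
    while i < len(tokens):
        tok = tokens[i]
        if tok in VERIFY_FLAGS:
            mode = VERIFY_FLAGS[tok]
        elif tok in ("-jar", "-m", "--module"):
            break  # next token names the jar/module; the rest are app args
        elif tok in OPTIONS_WITH_ARG:
            i += 1  # skip the option's own argument
        elif not tok.startswith("-"):
            break  # main class name: JVM options end here
        i += 1
    return mode


def flag_unverified(listing: str) -> list:
    """Scan a listing (one java command line per line) and return
    (line_number, command_line) pairs for JVMs with verification disabled."""
    hits = []
    for n, line in enumerate(listing.splitlines(), start=1):
        line = line.strip()
        if line and verifier_mode(line) == "disabled":
            hits.append((n, line))
    return hits


# Constructed sample listing (not real processes). Line 1 carries -noverify
# as an application argument, which must not count as a JVM option.
SAMPLE_LISTING = """\
java -Xmx512m -cp /opt/app/lib/app.jar com.example.Main -noverify
java -noverify -cp /opt/legacy/legacy.jar com.example.Legacy
java -Xverify:none -jar /opt/batch/batch.jar --input data.csv
java -Xverify:all -jar /opt/hardened/service.jar
java -jar /opt/default/service.jar
"""

if __name__ == "__main__":
    for n, line in flag_unverified(SAMPLE_LISTING):
        print(f"line {n}: verifier disabled: {line}")
```

Run over the constructed listing, only lines 2 and 3 are reported; the `-noverify` on line 1 sits after the main class and is therefore an application argument, not a JVM option. The same function can be fed the output of `ps` or the contents of service unit files to confirm that no production JVM has been started with the verifier off.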

Received on Mar 27 2006
