Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: 4 Questions: Latest IE vulnerability,Firefox vs IE security, Uservs Admin risk profile, and browsers coded in100% Managed Verifiable code

Re: 4 Questions: Latest IE vulnerability,Firefox vs IE security, Uservs Admin risk profile, and browsers coded in100% Managed Verifiable code

From: Jeff Williams <jeff.williams_at_aspectsecurity.com>
Date: Tue, 28 Mar 2006 22:52:36 -0500

> Jeff, as you can see by Stephen de Vries's response on this thread,
> you are wrong in your assumption that most Java code (since 1.2)
> must go through the Verifier (this is what I was sure it was
> happening since I remembered reading that most Java code executed
> in real-world applications is not verified)

Wow. I ran some tests too, and Stephen is absolutely right. It appears
that Sun quietly turned off verification by default for bytecode loaded from
the local disk (not applets). They've apparently
(http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4030988), acknowledged
that it is a bug, and said that it will not be fixed. The change had
something to do with compatibility with old bytecode. More details
(http://www.cafeaulait.org/reports/accessviolations.html)

This is a clear violation of the JVM Spec. And (regardless of protestation
to the contrary) it IS a big security problem. Just because bytecode is
loaded from the local disk does not mean it's trustworthy. Every
application uses lots of libraries that developers download from the
Internet (as compiled jar files) and loaded from the local disk. Unless you
run with "java -verify" that code won't get verified.

I'm sure that the percentage of applications that are running with both
verification and sandbox is terrifyingly small. Probably only applets and
maybe Java Web Start applications. As I mentioned before some of the J2EE
servers are now enabling a sandbox, but their security policies are
generally wide open.

I think there are two relatively easy things we can do here. First, let's
find out what plans Sun has for the new verifier -- we should strongly
encourage them to turn it on by default. Second, we can work on ways to
encourage people to use sandboxes -- tools, articles, and awareness.

--Jeff

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Received on Mar 28 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]