ibm-netrexx

Re: Fwd: New Hole in Java 2

classic Classic list List threaded Threaded
1 message Options
William H. Geiger III-3
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: New Hole in Java 2

William H. Geiger III-3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The following message just arrived at my office. Anyone at IBM know about
this? Can anyone confirm that this is a problem for the IBM JVM's?? I have
sent a message to the original authors inquiring if they have contacted
IBM on this matter.

tks,



- --- begin forwarded text


Date: Mon, 5 Apr 1999 09:44:29 -0400 (EDT)
To: [hidden email]
Subject: New Hole in Java 2
From: [hidden email] (Dr. Gary McGraw)
Reply-To: [hidden email]

Dear Fearghas McKay,

Karsten Sohr at the University of Marburg in Germany (email
[hidden email]) has discovered a very serious security
flaw in several current versions of the Java Virtual Machine, including
Sun's JDK 1.1 and Java 2 (a.k.a. JDK 1.2), and Netscape's Navigator 4.x.
(Microsoft's latest JVM is not vulnerable to this attack.)  The flaw
allows an attacker to create a booby-trapped Web page, so that when a
victim views the page, the attacker seizes control of the victim's machine
and can do whatever he wants, including reading and deleting files, and
snooping on any data and activities on the victim's machine.

The flaw is in the "byte code verifier" component of the JVM.  Under some
circumstances the verifier fails to check all of the code that is loaded
into the JVM.  Exploiting the flaw allows the attacker to run code that
has not been verified; this code can set up a type confusion attack (see
our book "Securing Java" for details
http://www.securingjava.com) which leads to a full-blown security breach.

We have verified that the flaw exists and is serious.  An attack applet
has been developed in the lab to exploit the flaw.  Sun and Netscape have
been notified about the flaw and they are working on a fix.


Thanks for your interest in Java Security,

Dr. Gary McGraw                      Prof. Edward W. Felten
Reliable Software Technologies       Secure Internet Programming Lab
[hidden email]                     Dept. of Computer Science
                                     Princeton University
http://www.securingjava.com          [hidden email]

- --- end forwarded text

- --
- ---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
- ---------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i OS/2 for non-commercial use
Comment: Registered_User_E-Secure_v1.1b1_ES000000
Charset: cp850

wj8DBQE3COsAlHpjA6A1ypsRArQEAKCsGE0uE5BE8URfc3XN9klSBiHABwCgzOa2
an7u9mNQELx1El7K5KyTDds=
=ruQc
-----END PGP SIGNATURE-----


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To unsubscribe from this mailing list ( ibm-netrexx ), please send a note to
[hidden email]
with the following message in the body of the note
unsubscribe ibm-netrexx <e-mail address>

Free forum by Nabble Edit this page