search / subscribe / upload / contact












RSS-Feed Depeschen

<< ^ >>

Date: 1999-04-05

Sicherheit: Java2 hat ein Loch

-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-

Damit sind alle Navigatoren ab der version 4x mitgehangen. Surprise,
surprise: Microsofts neue Java Virtual Machine scheint nicht betroffen.

-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
Karsten Sohr at the University of Marburg in Germany (email
sohr@mathematik.uni-marburg.de) has discovered a very serious security
flaw in several current versions of the Java Virtual Machine,
including Sun's JDK 1.1 and Java 2 (a.k.a. JDK 1.2), and Netscape's
Navigator 4.x. (Microsoft's latest JVM is not vulnerable to this
attack.) The flaw allows an attacker to create a booby-trapped Web
page, so that when a victim views the page, the attacker seizes
control of the victim's machine and can do whatever he wants,
including reading and deleting files, and snooping on any data and
activities on the victim's machine.

The flaw is in the "byte code verifier" component of the JVM. Under
some circumstances the verifier fails to check all of the code that is
loaded into the JVM. Exploiting the flaw allows the attacker to run
code that has not been verified; this code can set up a type confusion
attack (see our book "Securing Java" for details
http://www.securingjava.com) which leads to a full-blown security
breach.

We have verified that the flaw exists and is serious. An attack
applet has been developed in the lab to exploit the flaw. Sun and
Netscape have been notified about the flaw and they are working on a
fix.

relayed by
Fearghas McKay <fm@espace.net> via Robert Hettinga rah@shipwright.com
via Miki San http://www.gis.at

-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
edited by
published on: 1999-04-05
comments to office@quintessenz.at
subscribe Newsletter
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
<< ^ >>

BigBrotherAwards Eintritt zur Gala sichern ... 25. Oktober 2023 #BBA23


	CURRENTLY RUNNING
	q/Talk 1.Juli: The Danger of Software Users Don't Control Dr.h.c. Richard Stallman live in Wien, dem Begründer der GPL und des Free-Software-Movements

	!WATCH OUT!
	bits4free 14.Juli 2011: OpenStreetMap Erfinder Steve Coast live in Wien Wie OpenStreetMaps die Welt abbildet und was ein erfolgreiches Crowdsourcing Projekt ausmacht.