In Article: <199604020006.QAA21649@jobe.shell.portal.com>, Hal <hfinney@shell.portal.com> wrote: # From http://java.sun.com/sfaq/960327.html: # > Researchers at Princeton recently found an implementation bug in the Java # > bytecode Verifier. The Verifier is a part of Java's runtime system which # > certifies that applets downloaded over the Internet adhere to Java's # > language safety rules. Through a sophisticated attack, a malicious applet # > can exploit this bug to delete a file or do other damage. # This is one of the more worrisome places for a bug to exist. Much of # Java's security rests in the claim that it can screen for and detect bad # bytecode sequences. This screening code is extremely critical for Java # security and I am surprised to see that it was implemented in a flawed # manner. # I've been writing Java quite a bit in the last couple of weeks, and I # find that I have crashed my browser, whether Netscape or appletviewer, # many times. Granted some of my code has been pretty buggy, but it's # still not supposed to crash the browser. Obviously some of the runtime # checks are not being done properly. I had expected that the bug would # be in these areas, something like the stack overflows that we have seen # cause problems in the past. A simple error in the bytecode verifier # (if that is what this really is) seems like a more fundamental security # flaw. # The researchers have still not released full details on the bug, although # they had planned to do so by the end of March. Maybe they are waiting # for the fix to be distributed. As I keep saying (multiple times, in multiple forums) "Java is still in Beta-Test." Sun acks/grocks this, although Netscape ships most of their production-level browsers with Java enabled by default. The primary reason for releasing beta software is to catch any discrepancies between the documented behaviour and the implimented behaviour of a product. Bugs WILL be found in beta testing. To reiterate: "If you insist on being on the bleeding edge, you WILL bleed." This has been a test of the emergency reality-check service. Had this been a real reality-check, the software in question would be labeled "golden" and you would be provided with a "support@foo.bar.com" email address to contact for your product. Again this is only a test, and is (as such) non flamable. Any party that might take offense to this message should re-read the contents of the message, and either A) re-evaluate their perception of it, or B) re-evaluate their practices. -- Steve@AZTech.Net