Java flaw is in bytecode verifier

Steve Gibbons steve at aztech.net
Tue Apr 2 05:06:29 PST 1996


In Article: <199604020006.QAA21649 at jobe.shell.portal.com>, Hal <hfinney at shell.portal.com> wrote:
# From http://java.sun.com/sfaq/960327.html:
# > Researchers at Princeton recently found an implementation bug in the Java
# > bytecode Verifier. The Verifier is a part of Java's runtime system which
# > certifies that applets downloaded over the Internet adhere to Java's
# > language safety rules. Through a sophisticated attack, a malicious applet
# > can exploit this bug to delete a file or do other damage.

# This is one of the more worrisome places for a bug to exist.  Much of
# Java's security rests in the claim that it can screen for and detect bad
# bytecode sequences.  This screening code is extremely critical for Java
# security and I am surprised to see that it was implemented in a flawed
# manner.

# I've been writing Java quite a bit in the last couple of weeks, and I
# find that I have crashed my browser, whether Netscape or appletviewer,
# many times.  Granted some of my code has been pretty buggy, but it's
# still not supposed to crash the browser.  Obviously some of the runtime
# checks are not being done properly.  I had expected that the bug would
# be in these areas, something like the stack overflows that we have seen
# cause problems in the past.  A simple error in the bytecode verifier
# (if that is what this really is) seems like a more fundamental security
# flaw.

# The researchers have still not released full details on the bug, although
# they had planned to do so by the end of March.  Maybe they are waiting
# for the fix to be distributed.

As I keep saying (multiple times, in multiple forums) "Java is still in
Beta-Test."  Sun acks/groks this, although Netscape ships most of their
production-level browsers with Java enabled by default.

The primary reason for releasing beta software is to catch any discrepancies
between the documented behaviour and the implemented behaviour of a product.
Bugs WILL be found in beta testing.

To reiterate: "If you insist on being on the bleeding edge, you WILL bleed."

This has been a test of the emergency reality-check service.
Had this been a real reality-check, the software in question would be labeled
"golden" and you would be provided with a "support at foo.bar.com" email address
to contact for your product.

Again this is only a test, and is (as such) non-flammable.  Any party that might
take offense to this message should re-read the contents of the message, and
either A) re-evaluate their perception of it, or B) re-evaluate their
practices.

--
Steve at AZTech.Net





