[LSD] Codes for Java and JVM security vulnerabilities

From: Last Stage of Delirium (contact@lsd-pl.net)
Date: Wed Feb 12 2003 - 13:19:30 PST

    Hello,
    
    We have finally released the codes for security vulnerabilities in Java Virtual
    Machine implementations that were discussed in our Java/JVM security paper.
    They can be downloaded from the projects section of our website.
    
    There are two issues that should be cleared up with regard to the released
    codes.
    
    1] The Bytecode Verifier vulnerability from March 2002 is only exploitable in
       Netscape on UNIX systems. This is due to the fact that runtime method
       invocation is done slightly differently in JIT compiled code on Win32 and UNIX.
       So, in order to test this vulnerability on Win32 you need to disable the JIT
       compiler first (remove the jit3240.dll library from your Netscape installation
       directory).
    2] The Symantec JIT compiler bug is only exploitable in Netscape on Win32/x86.
    
    
    Best Regards,
    Members of LSD Research Group
    http://lsd-pl.net
    


