Jean-Marc Desperrier wrote:
Daniel Veditz wrote:

not true, there is a version of the ByteVerify Java attack that affects
Sun's JRE 1.4.2_05 and older -- and Firefox users can be infected.

Dan, what do you refer to exactly?

Secunia refers to Trojan.ByteVerify only as the trojan that exploits the MS03-011 vulnerability of the Microsoft JVM, no reference.

SUN too describes this as a Microsoft only vulnerability:
http://www.java.com/en/download/help/cache_virus.xml
"1. Trojan.ByteVerify [...]
However, in this instance, storing these applets in the cache directory can not cause any harm to your computer because they are designed to exploit a vulnerability in the Microsoft VM, not the Sun JVM."


I've been checking the list of corrections in that release, but still don't see what you could refer to:
http://java.sun.com/j2se/1.4.2/ReleaseNotes.html#142_06


There might be variants of the trojan incorporating the ByteVerify attack that also incorporate something else to attack the SUN JVM, but I stand by my word that the ByteVerify attack does not affect the SUN JVM.

Are you referring to the Sandbox Security Bypass Vulnerability ??? :
http://secunia.com/advisories/13271/

Yes, I guess I am. Three to four weeks after that was announced we started seeing this exploited from some (apparently) Russian servers. My AV reported ByteVerify as did other brands, but the site did contain a whole gamut of exploits it would throw at different browsers and it's possible the AV report was about those.


The end result varied, it looked like different people modified some common PoC code and used it to install different spyware payloads.

Firefox has many site-specific settings already (images, popups, xpinstall whitelisting, cookie blocking), I wouldn't say this is against anyone's philosophy. There are a lot of people wanting to control plugins/applets per site,

I referred not to per-site settings, but to per site security level.

The original poster wasn't asking for a per site security level, he wanted to control Java per site just as he can images. Doesn't matter why, letting people customize their view of web content is completely consistent with our philosophy.


When arguing with FF developers that *properly* used signing for extensions would be a better security measure than xpinstall whitelisting, I was told that xpinstall whitelisting is not intended to be a security measure, strictly speaking.

That last bit may have been me, though I would have used that to argue *for* signed installs and not against.


-Dan Veditz
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security