in reply to 

>Dinis Cruz dinis at
>Sun May 14 03:40:20 EDT 2006
>So in an environment where you have a solid Security
Policy (enforced by 
>a Security Manager) but the verifier is NOT enabled,
then to jump out of 
>the sandbox all that you need to do is to create a
Type Confusion 
>exploit that allows you to access a private member
that either: calls 
>the protected resource directly or disables the
Security Manager (which 
>based on the description provided is the demo that I
think Ed Felten did).

I guess this is exactly the logic that was behind the
implementation decision that by default 

Code isn't verified when and only when it is granted
"All Permissions" 

mentioned here

Though the post at the link avove talks only about
boot strap classes, i guess this policy is now
implemented across the whole JVM (obviously some
digging through the java sources would be needed to
confirm this)

Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -

Reply via email to