Re: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-04 Thread Dinis Cruz
Wall, Kevin wrote: Also, from the results of your test, it seems to indicate that SOME TYPE of verification is taking place, but if all you did was change a few ARBITRARY bytes in the .class file, I don't think that proves the byte code verifier is being being run in it's entirety. I agree

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-04 Thread Michael Silk
On 5/4/06, Dinis Cruz [EMAIL PROTECTED] wrote: Wall, Kevin wrote: Also, from the results of your test, it seems to indicate that SOME TYPE of verification is taking place, but if all you did was change a few ARBITRARY bytes in the .class file, I don't think that proves the byte code

[SC-L] HNS - Biggest X Window security hole since 2000

2006-05-04 Thread Kenneth R. van Wyk
Stories about this (below) X bug and the DHS-sponsored project that found it have been floating around the net all week. This story caught my eye, though: http://www.net-security.org/secworld.php?id=3994 The author claims, This flaw, caused by something as seemingly harmless as a missing

Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-04 Thread Gadi Evron
On Thu, 4 May 2006, Kenneth R. van Wyk wrote: Stories about this (below) X bug and the DHS-sponsored project that found it have been floating around the net all week. This story caught my eye, though: http://www.net-security.org/secworld.php?id=3994 The author claims, This flaw, caused

Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-04 Thread Kenneth R. van Wyk
On Thursday 04 May 2006 12:40, Gadi Evron wrote: Hmm, I think this was fixed in earlier X versions. Not impossible, but the article clearly indicated that it's in 6.9.0 and 7.0.0, which are the most current in general circulation, I believe. But, some bugs are so important that they deserved

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-04 Thread David Eisner
Dinis Cruz wrote: Ok, I just did some further tests and I think I can say that Java (version 1.5.0_06) has similar verification issues to the ones I discovered on the .Net Framework (see links in my previous post). [...] This should prove that the verifier is not enabled by default on java

RE: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-04 Thread Tim Hollebeek
$ java -cp . -noverify HelloWorld # # An unexpected error has been detected by HotSpot Virtual Machine: # # EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x6d7415fb, pid=3512, tid=2260 # # Java VM: Java HotSpot(TM) Client VM (1.5.0_06-b05 mixed mode) # Problematic frame: # V

RE: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-04 Thread Gary McGraw
I'm psyched about this thread. Rock on guys. For those of you who may need some basics, you might want to read Securing Java (a book I wrote with Ed Felten in 1999...the first edition in 1996 was called Java Security). The book is available completely for free in searchable format at

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-04 Thread Dinis Cruz
Jeff Williams wrote: Two important clarifications for Java (based on my experiments): 1) The verifier IS enabled for the classes that come with the Java platform, such as those in rt.jar. So, for example, if you create a class that tries to set System.security (the private