[SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-15 Thread j lunerwood
in reply to Dinis Cruz dinis at ddplus.net Sun May 14 03:40:20 EDT 2006 ...skipped... So in an environment where you have a solid Security Policy (enforced by a Security Manager) but the verifier is NOT enabled, then to jump out of the sandbox all that you need to do is to create a Type

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-15 Thread leichter_jerrold
| Kevin is correct, a type confusion attack will allow the bypass of the
| security manager simply because via a type confusion attack you will be able
| to change what the security manager is 'seeing'
|
| So in an environment where you have a solid Security Policy (enforced by a
|

[SC-L] New podcast (sneak preview)

2006-05-15 Thread Gary McGraw
Hi all, Tomorrow, we'll announce the existence of the Silver Bullet Security Podcast with Gary McGraw. Woo hoo. The first interview is with Avi Rubin. This activity is sponsored by IEEE SP Magazine...who by now all sc-l readers should know well! See www.cigital.com/silverbullet Hope