Hi Kevin
Indeed this is somewhat surprising that there is no byte-code
verification
in place, especially for strong typing, since when you think about it,
this is not too different than the "unmanaged" code case.
Well there is some byte coding verification. For example if you
Hi Jeff, comments inline
Jeff Williams wrote:
Great topics.
I'm a huge fan of sandboxes, but Dinis is right, the market hasn't really
gotten there yet. No question that it would help if it was possible to run
complex software like a browser inside a sandbox that restricted its ability
to do
of creating a
full-featured
browser, from scratch, with usability as good as IE
and Firefox
strikes me as a fairly tricky project.
I agree.
What about
using the
facilities already provided by the OS to enforce the
sandbox?
But then will it be possible to prevent buffer
overflows,
At least one aspect of that is a design defect in TCP/IP, allowing
unprivileged users to create a port to receive inbound connections.
I don't think it's fair to call that any kind of defect in TCP/IP.
There is nothing at all in TCP or IP that says anything whatsoever
about what privilege may
At 2:34 AM +0100 3/27/06, Dinis Cruz wrote:
PS: For the Microsofties that are reading this (if any) sorry for
the irony and I hope I am not offending anyone, but WHEN are you going
to join this conversion? (i.e. reply to this posts)
I can only see 4 reasons for your silence: a) you
A Corsaire White Paper:
A Modular Approach to Data Validation in Web Applications
Outline:
Data that is not validated or poorly validated is the root cause of a
number of serious security vulnerabilities affecting applications.
This paper presents a modular approach to performing thorough
Isn't it possible to break out of the sandbox even with managed code? (That is,
can't
managed code call out to unmanaged code, i.e. Java call to C++)? I was
thinking this was
documented for Java - perhaps for various flavors of .Net too?
---
Michael S Hines
On 27 Mar 2006, at 11:02, Jeff Williams wrote:
I am not a Java expert, but I think that the Java Verifier is NOT
used on
Apps that are executed with the Security Manager disabled (which I
believe
is the default setting) or are loaded from a local disk (see ...
applets
loaded via the
Dinis Cruz said:
Another day, and another unmanaged-code remote command execution in IE.
What is relevant in the ISS alert (see end of this post) is that IE 7
beta 2 is also vulnerable, which leads me to this post's questions:
1) Will IE 7.0 be more secure than IE 6.0 (i.e. will after 2 years