Re: [SC-L] By default, the Verifier is disabled on .Net and Java

Wall, Kevin wrote: Also, from the results of your test, it seems to indicate that SOME TYPE of verification is taking place, but if all you did was change a few ARBITRARY bytes in the .class file, I don't think that proves the byte code verifier is being being run in it's entirety. I agree

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

On 5/4/06, Dinis Cruz [EMAIL PROTECTED] wrote: Wall, Kevin wrote: Also, from the results of your test, it seems to indicate that SOME TYPE of verification is taking place, but if all you did was change a few ARBITRARY bytes in the .class file, I don't think that proves the byte code

[SC-L] HNS - Biggest X Window security hole since 2000

Stories about this (below) X bug and the DHS-sponsored project that found it have been floating around the net all week. This story caught my eye, though: http://www.net-security.org/secworld.php?id=3994 The author claims, This flaw, caused by something as seemingly harmless as a missing

Re: [SC-L] HNS - Biggest X Window security hole since 2000

On Thu, 4 May 2006, Kenneth R. van Wyk wrote: Stories about this (below) X bug and the DHS-sponsored project that found it have been floating around the net all week. This story caught my eye, though: http://www.net-security.org/secworld.php?id=3994 The author claims, This flaw, caused

Re: [SC-L] HNS - Biggest X Window security hole since 2000

On Thursday 04 May 2006 12:40, Gadi Evron wrote: Hmm, I think this was fixed in earlier X versions. Not impossible, but the article clearly indicated that it's in 6.9.0 and 7.0.0, which are the most current in general circulation, I believe. But, some bugs are so important that they deserved

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

Dinis Cruz wrote: Ok, I just did some further tests and I think I can say that Java (version 1.5.0_06) has similar verification issues to the ones I discovered on the .Net Framework (see links in my previous post). [...] This should prove that the verifier is not enabled by default on java

RE: [SC-L] By default, the Verifier is disabled on .Net and Java

$ java -cp . -noverify HelloWorld # # An unexpected error has been detected by HotSpot Virtual Machine: # # EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x6d7415fb, pid=3512, tid=2260 # # Java VM: Java HotSpot(TM) Client VM (1.5.0_06-b05 mixed mode) # Problematic frame: # V

RE: [SC-L] By default, the Verifier is disabled on .Net and Java

I'm psyched about this thread. Rock on guys. For those of you who may need some basics, you might want to read Securing Java (a book I wrote with Ed Felten in 1999...the first edition in 1996 was called Java Security). The book is available completely for free in searchable format at