1996-04-02 - RE: Java flaw is in bytecode verifier

Header Data

From: Steve Gibbons <steve@aztech.net>
To: hfinney@shell.portal.com
Message Hash: ad2a6a2a62ad83d318f585fd656f415230518a276acb3724548074f7857e0e3d
Message ID: <009A03A6.DE3AF020.818@aztech.net>
Reply To: N/A
UTC Datetime: 1996-04-02 13:06:29 UTC
Raw Date: Tue, 2 Apr 1996 21:06:29 +0800

Raw message

From: Steve Gibbons <steve@aztech.net>
Date: Tue, 2 Apr 1996 21:06:29 +0800
To: hfinney@shell.portal.com
Subject: RE: Java flaw is in bytecode verifier
Message-ID: <009A03A6.DE3AF020.818@aztech.net>
MIME-Version: 1.0
Content-Type: text/plain


In Article: <199604020006.QAA21649@jobe.shell.portal.com>, Hal <hfinney@shell.portal.com> wrote:
# From http://java.sun.com/sfaq/960327.html:
# > Researchers at Princeton recently found an implementation bug in the Java
# > bytecode Verifier. The Verifier is a part of Java's runtime system which
# > certifies that applets downloaded over the Internet adhere to Java's
# > language safety rules. Through a sophisticated attack, a malicious applet
# > can exploit this bug to delete a file or do other damage.

# This is one of the more worrisome places for a bug to exist.  Much of
# Java's security rests in the claim that it can screen for and detect bad
# bytecode sequences.  This screening code is extremely critical for Java
# security and I am surprised to see that it was implemented in a flawed
# manner.

# I've been writing Java quite a bit in the last couple of weeks, and I
# find that I have crashed my browser, whether Netscape or appletviewer,
# many times.  Granted some of my code has been pretty buggy, but it's
# still not supposed to crash the browser.  Obviously some of the runtime
# checks are not being done properly.  I had expected that the bug would
# be in these areas, something like the stack overflows that we have seen
# cause problems in the past.  A simple error in the bytecode verifier
# (if that is what this really is) seems like a more fundamental security
# flaw.

# The researchers have still not released full details on the bug, although
# they had planned to do so by the end of March.  Maybe they are waiting
# for the fix to be distributed.

As I keep saying (multiple times, in multiple forums) "Java is still in
Beta-Test."  Sun acks/grocks this, although Netscape ships most of their
production-level browsers with Java enabled by default.

The primary reason for releasing beta software is to catch any discrepancies
between the documented behaviour and the implimented behaviour of a product.
Bugs WILL be found in beta testing.

To reiterate: "If you insist on being on the bleeding edge, you WILL bleed."

This has been a test of the emergency reality-check service.
Had this been a real reality-check, the software in question would be labeled
"golden" and you would be provided with a "support@foo.bar.com" email address
to contact for your product.

Again this is only a test, and is (as such) non flamable.  Any party that might
take offense to this message should re-read the contents of the message, and
either A) re-evaluate their perception of it, or B) re-evaluate their
practices.

--
Steve@AZTech.Net





Thread