[4596] in WWW Security List Archive


Re: Netscape Cache Virus

daemon@ATHENA.MIT.EDU (Bachtel)
Wed Feb 26 21:56:29 1997

From: "Bachtel" <rbachtel@ghgcorp.com>
To: www-security@ns2.rutgers.edu
Date: Wed, 26 Feb 1997 18:30:44 +0000
In-reply-to: <3.0.1.32.19970224162951.0068c174@ikx.org>
Errors-To: owner-www-security@ns2.rutgers.edu

Hmm, just out of curiosity (because I hear a lot about 
Java/DirectX/HTML security flaws), is it theoretically possible for a 
Java program to somehow overflow a cache with valid ASM byte-codes, 
and transfer execution to them? I've heard that Java works off static 
storage, would this prevent this kind of exploit?

Regards,
Jeff Bachtel

> Well, Java (IMHO) is not the most secure of languages, and it was shown
> earlier last year that it *is* possible to exploit the part of Java that
> checks the byte-code in applets, which leads to the fact that an applet is
> capable of spreading a virus. However, I believe the bug has been fixed
> (correct?), and the situations in which it can be exploited are not the
> easiest of things to get. It is much more likely that you downloaded a
> program with a virus or somehow got a virus onto your system (borrowed any
> programs from a friend lately?) and that is how you are infected. Also, it
> would help if you could tell us how you got dcoo5.com? Is it part of a
> program you've installed? Did it just appear some day? It *is* possible for
> JavaScript to leak some security information about you without your
> knowledge (kinda), but not physically deal with stuff on the HD.
> 
> 
> 
>     ____      _  _      _  _      ____      __ _        
>     |--|   o  |\/|   o  |\/|   o  [__]   o  | \|     
>                                                      
>              a m m o n @ i k x . o r g               
>             i k x . o r g / ~ a m m o n              
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> "Everyone has a talent. What is rare is the courage to
> follow that talent to the dark place where it leads."
> 
> "A riot is the language of the unheard."
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> ___ __  __   __   __   __                              
>  | |__)  _) /__  /  \ /  \     take back alt.2600    
>  | |__) /__ \__) \__/ \__/  http://tb2600.home.ml.org
> 
