Microsoft Internet Explorer (IE) Java Class Loader Security Flaw Lets Remote Users Bypass Java Security Restrictions
Category: Vulnerability | Posted: 2002-11-27 by ReCall | Views: 379

Details
Description: A vulnerability was reported in Microsoft Internet Explorer in the Java Virtual Machine (VM). A remote user can circumvent Java sandbox security controls and execute arbitrary code on the target user's system.
Last Stage of Delirium reported that there is a flaw in the protection of Class Loader objects provided by the VM. A remote user can create a fully functioning instance of a Class Loader object from the untrusted code of a malicious applet.
A remote user can define a class that should not be accepted by the Bytecode Verifier. This class can invoke a default constructor of itself, which then calls a second constructor of the same class. In the second constructor, a call to a super class's method is made. This call is refused, as expected, because the remote user's code does not have the necessary privileges to create Class Loader objects, and a security exception results. However, the security exception is caught by the code of the default constructor, and so the constructor completes successfully.
According to the report, the VM checks that the invocation of a super class constructor is not embedded within an exception handler. The authors of the report found, however, that the code does not properly check the case where the class's own initialization method is invoked instead.
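As an added illustration (not from the report or this article), the following Python model shows the verifier rule the report describes: a constructor's call to an initialization method that lies inside an exception handler's protected range must be rejected whether it targets the super class or the class itself. The bytecode layout, the `Insn`/`Handler` types and the class name "Evil" are simplified constructions for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Insn:
    pc: int
    op: str           # mnemonic, e.g. "invokespecial"
    target: str = ""  # callee, e.g. "java/lang/ClassLoader.<init>"

@dataclass(frozen=True)
class Handler:        # exception-table entry; protected range is [start_pc, end_pc)
    start_pc: int
    end_pc: int
    catch_type: str

def init_calls_in_handlers(code, handlers, own_class, super_class, check_this):
    """Return pcs of <init> invocations that lie inside a protected range.
    check_this=False examines only super(...) calls, mirroring the flaw the
    report describes; check_this=True also examines this(...) chaining."""
    bad = []
    for insn in code:
        if insn.op != "invokespecial" or not insn.target.endswith(".<init>"):
            continue
        callee = insn.target.rsplit(".", 1)[0]
        if callee != super_class and not (check_this and callee == own_class):
            continue
        if any(h.start_pc <= insn.pc < h.end_pc for h in handlers):
            bad.append(insn.pc)
    return bad

# Constructed, simplified bytecode for the pattern the report describes: the
# default constructor of a class extending ClassLoader chains to a second
# constructor inside a try block whose handler swallows the SecurityException.
# "Evil" is a placeholder class name, not taken from the report.
OWN, SUPER = "Evil", "java/lang/ClassLoader"
CODE = [
    Insn(0, "aload_0"),
    Insn(1, "iconst_0"),
    Insn(2, "invokespecial", "Evil.<init>"),  # this(0): covered by the handler
    Insn(5, "return"),
    Insn(6, "astore_1"),                      # handler entry: exception dropped
    Insn(7, "return"),
]
HANDLERS = [Handler(0, 5, "java/lang/SecurityException")]

def flawed_verify():   # only super() checked: the chained call slips through
    return init_calls_in_handlers(CODE, HANDLERS, OWN, SUPER, check_this=False)

def fixed_verify():    # this() checked as well: pc 2 is rejected
    return init_calls_in_handlers(CODE, HANDLERS, OWN, SUPER, check_this=True)
```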
For additional information on this flaw, see the original report at:
http://lsd-pl.net/java_security.html
The vendor has reportedly been notified.
[Editor's note: This flaw is in the Microsoft VM component of IE, which is also distributed separately. Because of that, we are issuing one alert for VM and another alert for IE to ensure that you do not miss this bug.]
Impact: A remote user can execute arbitrary code on the target user's computer with the privileges of the target user.
Solution: No solution was available at the time of this entry.