From: Florian Weimer (fwdeneb.enyo.de)
Date: Wed Apr 14 2010 - 04:48:22 CDT
> So we released an exploit for Sami's new class of vulnerabilities in
> Java (which is awesome, btw - everyone should read that).
It's not a new class of bugs. This pattern (mentioned in the URL
| Based on my very brief analysis, Java 6 update fixes this problem by
| altering the Statement.invoke() to use the AccessControlContext
| captured at the moment of instantiation when it uses the reflection.
can be found throughout the JDK when certain callback schemes which
would otherwise act as a bypass for callstack-based security checks
But kudos to Sami for finding this new instance---I specifically
looked for such problems earlier this year, and didn't see this one.
Dailydave mailing list
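
The fix described in the quoted analysis above, capturing the AccessControlContext at instantiation and using it for the later reflective call, has this general shape. This is an added example, not code from the JDK or from the original post; the class `DeferredCall` and its members are hypothetical names, and it assumes a Java runtime that still ships the `java.security.AccessController` API (deprecated for removal since Java 17).

```java
import java.lang.reflect.Method;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/** Hypothetical deferred-call holder (illustration only, not JDK code). */
public final class DeferredCall {
    private final Object target;
    private final String methodName;
    // Snapshot of the creator's protection domains, taken at instantiation.
    private final AccessControlContext creatorContext = AccessController.getContext();

    public DeferredCall(Object target, String methodName) {
        this.target = target;
        this.methodName = methodName;
    }

    /**
     * May be triggered later from a more privileged stack, such as a
     * framework callback or event dispatcher. Running the reflective call
     * under creatorContext makes permission checks evaluate the creator's
     * captured domains (intersected with this class's own domain) instead
     * of the stack of whoever happens to call invoke().
     */
    public Object invoke() throws Exception {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
                // Reflection happens inside the restricted context.
                Method m = target.getClass().getMethod(methodName);
                return m.invoke(target);
            }, creatorContext);
        } catch (PrivilegedActionException e) {
            // Unwrap so callers see the original checked exception.
            throw e.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a harmless public no-argument method.
        DeferredCall call = new DeferredCall("sample", "length");
        System.out.println(call.invoke());
    }
}
```

Without the captured context, a check made during `invoke()` would see only the frames of the privileged caller, which is the callback bypass the message refers to.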