Java Security


Verifier implementation bug

March 27, 1996


Researchers at Princeton recently found an implementation bug in the Java bytecode Verifier. The Verifier is the part of Java's runtime system that certifies that applets downloaded over the Internet adhere to Java's language safety rules. Through a sophisticated attack, a malicious applet can exploit this bug to delete a file or do other damage.

This is a serious bug, which JavaSoft engineers are actively addressing, working in collaboration with Netscape and other Java licensees. A fix is currently undergoing testing and review. It will be made available to our source licensees as soon as possible. This fix will be included in our next release of the Java Developer's Kit (JDK), which will be available in April.

In normal use of the JDK to develop Java applets and applications, this problem does not arise. Developers can safely use the appletviewer as a way to view and test their own applets. They are warned, however, not to use the appletviewer to view potentially hostile, unknown applets.

Some key points about the bug:

We would like to thank the Internet community in general for helping us make the Internet more secure, and the Princeton team in particular for finding this implementation bug.


Frequently Asked Questions About Java Security


Copyright © 1996 Sun Microsystems, Inc., 2550 Garcia Ave., Mtn. View, CA 94043-1100 USA. All rights reserved.

Contact the Java developer community via the newsgroup comp.lang.java
or JavaSoft technical support via email to java@java.sun.com.

Send questions or comments about this web site to
webmaster@java.sun.com.
