Hello,

We have finally released the codes for security vulnerabilities in Java Virtual Machine implementations that were discussed in our Java/JVM security paper. They can be downloaded from the projects section of our website.

There are two issues that should be cleared up with regard to the released codes.

1] The Bytecode Verifier vulnerability from March 2002 is only exploitable in Netscape on UNIX systems. This is due to the fact that runtime method invocation is done slightly differently in JIT compiled code on Win32 and UNIX. So, in order to test this vulnerability on Win32 you need to disable the JIT compiler first (remove the jit3240.dll library from your Netscape installation directory).

2] The Symantec JIT compiler bug is only exploitable in Netscape on Win32/x86.

Best Regards,
Members of LSD Research Group
http://lsd-pl.net