Cross-Site Java breaks Sandbox Isolation for Unsigned Applets
=====================================
Product : Java Plugin
Version : 1.4.2_01
OS : Win32 (should apply for other OSs too)
URL : http://java.sun.com
Found by : Marc Schoenefeld (marc illegalaccess org)
Date : 10/21/03
PROBLEM DESCRIPTION :
Cross-Site Java
Unsigned applets coming from different sites may share data areas via
undocumented static variables of the JDK. Altering these variables can
corrupt JDK internal state, so that functionality is no longer available. This
especially concerns XML processing, which depends on the
org.apache.xalan.processor.XSLProcessorVersion class.
This behavior violates the isolation restriction of the sandbox.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Two applets,
- one on siteA: www.siteA.org => Read.html / ReadApplet.class
- one on siteB: www.siteB.org => Write.html / WriteApplet.class
The applet from siteB can access (read and write) a variable that is also
used by siteA. Data protection is therefore not guaranteed: an unsigned
applet may grab data stored in this variable by a signed applet,
or interfere with its XML processing, and thereby violate the isolation
restriction of the sandbox.
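
An added audit example, not part of the original advisory: a reflection check that lists the static fields of a class which code from any origin in the same JVM could modify, the kind of shared state described above. The class SampleVersionInfo and its fields are constructed for illustration; pass real class names as arguments to audit classes on your own classpath.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class StaticStateAudit {

    // Constructed sample standing in for a JVM-wide library class (hypothetical).
    public static class SampleVersionInfo {
        public static String product = "Sample";            // reassignable by any caller
        public static final int MAJOR = 1;                   // immutable constant
        public static final String[] ALIASES = {"a", "b"};  // final reference, writable elements
        protected static int counter;                        // reassignable from subclasses
        private static int hidden;                           // not reachable without reflection
    }

    /** Returns one finding per static field that other code in the JVM could modify. */
    public static List<String> audit(Class<?> c) {
        List<String> findings = new ArrayList<>();
        for (Field f : c.getDeclaredFields()) {
            int m = f.getModifiers();
            if (!Modifier.isStatic(m)) continue;
            // Only fields visible outside the declaring class are of interest here.
            if (!Modifier.isPublic(m) && !Modifier.isProtected(m)) continue;
            if (!Modifier.isFinal(m)) {
                findings.add(c.getName() + "." + f.getName() + ": static field is reassignable");
            } else if (f.getType().isArray()) {
                findings.add(c.getName() + "." + f.getName() + ": final array, elements are writable");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // With no arguments, audit the constructed sample; otherwise audit the named classes.
        List<Class<?>> targets = new ArrayList<>();
        if (args.length == 0) targets.add(SampleVersionInfo.class);
        for (String name : args) {
            // initialize=false: inspect the fields without running static initializers.
            targets.add(Class.forName(name, false, StaticStateAudit.class.getClassLoader()));
        }
        for (Class<?> c : targets) {
            for (String finding : audit(c)) System.out.println(finding);
        }
    }
}
```

Run without arguments, it reports product, ALIASES and counter from the sample class and skips MAJOR and hidden.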