Thread: suspicious site
01-25-2008, 02:47 AM
Sebastian G.
Re: suspicious site

David H. Lipman wrote:


> | But what we can tell for sure is that the owner is horribly stupid. The Byte
> | Verifier vulnerability was, well, Java JDK 1.1? Even the similar-to-Java-
> | but-not-actually-Java-VM that Microsoft shipped with Windows 2000 and XP was
> | already at JDK 1.2 level, not vulnerable to this thing.
> |
> | I still wonder how this thing is still in usage, even though the most stupid
> | bad guy would recognize an infection rate of essentially zero.
>
> Exploit-ByteVerify is rather generic. Many newer versions of Sun Java were also vulnerable.



Hm? I've followed through the release notes of every version of Sun's Java
VM since JDK 1.2 and I'm very sure that they never mentioned any security
vulnerability in the bytecode verifier. Not even after they changed the
class format for helping implement the much simpler and more secure
SSA-based verifier.

> There have been many variants to ByteVerify and they seem to increase.


According to my analysis, it's the same old dysfunctional crap from '98.
