Sunday, January 24, 2010

2009 In Review

A little late, but nevertheless, a summary of what happened in security relating to me in 2009:


In other words, the Calendar Deserialization issue. It was fixed by Sun Microsystems in 2008, but it still got a lot of attention in 2009:

In March, Julien Tinnes used his exploit of it in the CanSecWest Pwn2own competition, only to be disqualified, because we both had tipped Sun and Apple about the issue.

In May, Julien wrote an excellent bit on the vulnerability on his blog and also about the fact that Apple still hasn't fixed it. Landon Fuller also posted a proof-of-concept implementation of the exploit in an attempt to get Apple's attention to it. All this created quite the buzz, and a lot of articles were written on the topic. My personal favorite was this funny arcticle by Angela Gunn on

In mid-June, Apple released a security update for it's Java that fixed the issue in OSX.

In July, it was nominated for The Best Client-Side Bug Pwnie (didn't unfortunately win, though).

Still at the end of the year, it gained attention because of various exploit kits using it as a vector to infect people who hadn't updated their Java.


CVE-2009-2670 was fixed by Sun Microsystems in August, as a part of Java SE 6 Update 15. It's a cute little vulnerability which allows read access to Java System properties and one of the first one's ever found by me.

Zero Day Initiative

I started collaborating with ZDI in 2009 and it's been extremely satisfactory so far. Some of the fruits of this cooperation can be observed in the upcoming advisories section of their site:
ZDI-CAN-552, ZDI-CAN-603, ZDI-CAN-588, ZDI-CAN-623, ZDI-CAN-628, ZDI-CAN-667


I was going to look into working with VeriSign's iDefense program as well, but the link for the zip with additional information on their new user page has been pointing to a 404 since at least september. I tried emailing them in mid-september, but finally gave up.


Otto said...

Very interesting. Just curious: how did you find those flaws/vulnerabilities?

Was it a coincidence or you were actually looking for them? If you were searching, could you be more specific?

Thank you.

Sami Koivu said...

Thanks. Actually it's a wild mixture of a little bit of everything.

Some were coincidence.

Some were conceptual flaws that I perceived while studying the security architecture.

Some were results of simple code reviews of security sensitive classes.

I've also read the Java sources quite a bit over the years if for no other reason than to learn; there is some beautiful code in there.

I know the class file binary format by heart because I worked on a java "reverse engineering" project for a some time, and I know the serialization protocol and process because I was working on an editor for serialized data. And those things also help a lot.

I've also written quite a few simple scripts that go through all the core Java classes and look for Classes/Methods/Fields with certain characteristics.

I've used jmap/jhat (commands that come with JDK) extensively to analyse how to obtain references to certain objects.

I've covered the security quite a bit in previous posts and I'm trying to finish one more post on that subject and those posts give some answers to your question. But to give a very concise answer to your qustion, I guess the most straight-forward way is: Finding all the places where AccessController.doPrivileged is called in Sun code, and review those bits to see where the execution of that code can be manipulated by things one can control(controlling input, fields, overwriting methods, extending classes, deserialization/serialization, etc).

Otto said...

Thanks for you answer. What about Oracle, Microsoft and others? You didn't have any source code to look.