In March 1997, Sun announced the discovery and eradication of a bug in the Verifier of the JDK. The bug was present in all Java VMs, and Sun shipped a patch to Java licensees. Sun claimed that the bug was discovered by the engineering team during a standard security audit and was fixed within 24 hours of discovery.
No attack based on this bug was ever devised. In fact, very little information about the fix was disseminated publicly. Statements made by Sun to the press emphasized the complexity of an exploit. Realistically, it sounds like the problem was similar to the You're Not My Type problem: an attacker would need to create malicious byte code to exploit the problem.
We found it a bit peculiar that Sun announced the discovery of a flaw in the Verifier and the dissemination of a patch to vendors. We speculate that someone outside of Sun had discovered the problem and Sun decided to announce the flaw before the discoverer did.
Copyright ©1999 Gary McGraw and Edward Felten.