Log4Shell

Java versions 15, 16, 17, and 18 (and maybe some older versions) have a big problem, ECDSA signature verification is totally broken. The story is a prime example of the dangers of unintended consequences, the pitfall of rolling your own crypto, and why to build a test suite for important code. In Java 15, the ECDSA verification code was re-written, moving the code from C++ to a Java-native implementation. The new code misses an important check, that the initialization and proof values are both non-zero.

Continue reading “This Week In Security: Java’s Psychic Signatures, AWS Escape, And A Nasty Windows Bug” →

Hackaday

1 Articles

This Week In Security: Java’s Psychic Signatures, AWS Escape, And A Nasty Windows Bug

Search

Never miss a hack

If you missed it

Mining And Refining: Uranium And Plutonium

Programming Ada: First Steps On The Desktop

The Hunt For MH370 Goes On With Barnacles As A Lead

MXM: Powerful, Misused, Hackable

VCF East 2024 Was Bigger And Better Than Ever

Our Columns

Supercon 2023: Alex Lynd Explores MCUs In Infosec

FLOSS Weekly Episode 780: Zoneminder — Better Call Randal

Slicing And Dicing The Bits: CPU Design The Old Fashioned Way

Hackaday Links: April 21, 2024

The Long And The Short Of It

Search

Never miss a hack

Subscribe

If you missed it

Our Columns