# Tuesday, 27 July 2010
« IKVM.NET 0.44 Release Candidate 1 | Main | IKVM.NET 0.44 Release Candidate 2 »
IKVM.NET Security Update

Potential Security Vulnerability

There is a bug IKVM's implementation of java.lang.reflect.Field.set(). The dynamic method that is generated doesn't properly cast the value to the type of the field. This is obviously a bug, but it could also lead to a type safety vulnerability. It is not directly exploitable, because the unverifiable dynamic method will do a full trust security demand and when there is partially trusted code on the stack, that will fail.

However, if you have any code that indirectly exposes Field.set() to untrusted code, it may be exploitable. In particular, the following scenarios warrant careful attention:

  • Having an assembly in the GAC that has the AllowPartiallyTrustedCallerAttribute and exposes Field.set() functionality to partially trusted callers and uses a security assert to stop the stack walk.
  • If you load partially trusted code in your application and your code uses Field.set() on values controlled by the partially trusted code, without any partially trusted code being directly on the stack.
  • If you process data or a (lightweight) scripting language that somehow exposes Field.set() functionality to untrusted data/code.

Affected Versions

IKVM.NET version 0.38, 0.40, 0.42 and 0.44 are affected. Version 0.36 and earlier are not affected.


There is an update of IKVM.NET 0.42, earlier versions will not be updated and there will be a new 0.44 release candidate later today.

IKVM.NET 0.42 Update 2


  • Updated version to
  • Fixed Field.set() bug #3033769.

Binaries available here: ikvmbin-

Sources: ikvm-, openjdk6-b16-stripped.zip


Thanks to Dawid Weiss for reporting this issue.

Tuesday, 27 July 2010 08:57:38 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]
Home page

I apologize for the lameness of this, but the comment spam was driving me nuts. In order to be able to post a comment, you need to answer a simple question. Hopefully this question is easy enough not to annoy serious commenters, but hard enough to keep the spammers away.

Anti-Spam Question: What method on java.lang.System returns an object's original hashcode (i.e. the one that would be returned by java.lang.Object.hashCode() if it wasn't overridden)? (case is significant)

Comment (HTML not allowed)  

Live Comment Preview