Secure Coding mailing list archives

Java: the next platform-independent target

From: Benjamin Tomhave <tomhave () secureconsulting net>
Date: Wed, 20 Oct 2010 09:54:01 -0400

All these platform-independent attacks are starting to get exhausting,
no? Now that Adobe has come up with sandboxing for Reader and actually
started responding to threats, it seems that the smart adversaries have
moved to a new platform: Java. Stories are below, mostly deriving from
Microsoft's latest Intelligence Report (this one has a botnet focus - a
topic on which they've invested a ton of resources).

If I understand this all correctly (never a safe bet), it seems these
are actual attacks on Java, not on coding with Java. Ergo, this isn't
something ESAPI can fix, but rather fundamental problems. What do you
think? Overblown? Legit? Solutions forthcoming?

The rise of Java exploits
http://www.net-security.org/secworld.php?id=10014

Have you checked the Java?
http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx

Java: A Gift to Exploit Pack Makers
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/

Announcing Microsoft Security Intelligence Report version 9
http://blogs.technet.com/b/mmpc/archive/2010/10/13/announcing-microsoft-security-intelligence-report-version-9.aspx

cheers,

-ben

--
Benjamin Tomhave, MS, CISSP
tomhave () secureconsulting net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"I ran into Isosceles. He had a great idea for a new triangle!"
Woody Allen

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

Java: the next platform-independent target Benjamin Tomhave (Oct 20)
- Re: Java: the next platform-independent target ljknews (Oct 20)
- Re: Java: the next platform-independent target James Manico (Oct 21)
  - Re: Java: the next platform-independent target Steven M. Christey (Oct 21)
    - Re: Java: the next platform-independent target Jim Manico (Oct 21)
    - Re: Java: the next platform-independent target Kevin W. Wall (Oct 22)
    - Re: Java: the next platform-independent target Martin Gilje Jaatun (Oct 25)
    - Re: Java: the next platform-independent target Kevin W. Wall (Oct 26)
    - Re: Java: the next platform-independent target Steven M. Christey (Oct 24)
- Message not available
  - Re: Java: the next platform-independent target Wall, Kevin (Oct 21)