Re: Java: the next platform-independent target

[ljknews <ljknews () mac com>]

At 9:54 AM -0400 10/20/10, Benjamin Tomhave wrote:

> All these platform-independent attacks are starting to get exhausting,
> no? Now that Adobe has come up with sandboxing for Reader and actually
> started responding to threats, it seems that the smart adversaries have
> moved to a new platform: Java. Stories are below, mostly deriving from
> Microsoft's latest Intelligence Report (this one has a botnet focus - a
> topic on which they've invested a ton of resources).
>
> If I understand this all correctly (never a safe bet), it seems these
> are actual attacks on Java, not on coding with Java.

I have followed the URLs you cite, and found absolutely nothing
to indicate there is a problem with Java as a programming language.

The troubles are with the Java Runtime Engine, and have nothing to
do with programs compiled from Java straight to object code and
then linked into an executable image.

This is just one symptom of the generalized problem of Mobile
Code.  That is what NIST Control SC-18 is all about, and likewise
US DoD DCMC-1.
-- 
Larry Kilgallen
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________