Secure Coding mailing list archives

Re: Java: the next platform-independent target


From: James Manico <jim () manico net>
Date: Thu, 21 Oct 2010 12:54:41 +0530

Ben,

These threats are only relevant for client-side Java, for the most part.

It's my opinion that all enterprises should remove Java from all clients.
Java is most commonly deployed server-side which has a completely
different threat model than client side Java.

A lot of smart people disagree with me here - but the history of Java
sandbox problems, data theft through reflection, the weak security policy
mechanism, etc, backs up my recommendation. Oracle is one of the most
irresponsible large technical companies from a product security
perspective, so I have no hope that this will get better. Abort Java on
the client, and please support forking Java.

- Jim

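An added illustration of the reflection-versus-policy point made above; this is not code from the original thread and not anything Jim or Ben posted. It reads a private field via reflection twice: once with no SecurityManager installed (the JVM default outside the applet sandbox), where the read succeeds, and once under a hand-written SecurityManager that denies ReflectPermission("suppressAccessChecks"), the permission a sandbox policy withholds, where setAccessible is refused. The class and field names (Vault, secret), the DenyReflectionManager class and the sample secret value are constructed for this example.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

public class ReflectionSandboxDemo {

    // Constructed example class holding data that is meant to stay private.
    static final class Vault {
        private final String secret = "constructed-sample-secret";
    }

    // Read the private field the way untrusted code would: setAccessible(true)
    // asks the SecurityManager (if any) for ReflectPermission("suppressAccessChecks").
    static String readSecretViaReflection(Vault v) throws Exception {
        Field f = Vault.class.getDeclaredField("secret");
        f.setAccessible(true);
        return (String) f.get(v);
    }

    // Hypothetical minimal policy: deny only suppressAccessChecks, allow all else.
    // A policy-file equivalent would be a grant block that omits
    //   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    static final class DenyReflectionManager extends SecurityManager {
        @Override
        public void checkPermission(Permission p) {
            if (p instanceof ReflectPermission
                    && "suppressAccessChecks".equals(p.getName())) {
                throw new SecurityException("denied: " + p);
            }
            // Every other permission is granted in this demo.
        }

        @Override
        public void checkPermission(Permission p, Object context) {
            checkPermission(p);
        }
    }

    public static void main(String[] args) throws Exception {
        Vault v = new Vault();

        // 1. No SecurityManager (the default): the private field is readable.
        System.out.println("no manager:   " + readSecretViaReflection(v));

        // 2. Restrictive manager installed: setAccessible is refused.
        System.setSecurityManager(new DenyReflectionManager());
        try {
            System.out.println("with manager: " + readSecretViaReflection(v));
        } catch (SecurityException e) {
            System.out.println("with manager: blocked (" + e.getMessage() + ")");
        }
    }
}
```

Compile with javac and run with java. The second call is only blocked because a manager is installed; nothing about the private modifier itself protects the data, which is why the policy mechanism, not the language, is the sandbox boundary. On JDK 8 through 17 this runs as written (17 prints a deprecation warning for the SecurityManager); JDK 18 through 23 refuse System.setSecurityManager unless started with -Djava.security.manager=allow; on JDK 24 and later the Security Manager is permanently disabled and that call throws UnsupportedOperationException.
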
-----Original Message-----
From: sc-l-bounces () securecoding org [mailto:sc-l-bounces () securecoding org]
On Behalf Of Benjamin Tomhave
Sent: Wednesday, October 20, 2010 7:24 PM
To: SC-L () securecoding org
Subject: [SC-L] Java: the next platform-independent target

All these platform-independent attacks are starting to get exhausting,
no? Now that Adobe has come up with sandboxing for Reader and actually
started responding to threats, it seems that the smart adversaries have
moved to a new platform: Java. Stories are below, mostly deriving from
Microsoft's latest Intelligence Report (this one has a botnet focus - a
topic on which they've invested a ton of resources).

If I understand this all correctly (never a safe bet), it seems these
are actual attacks on Java, not on coding with Java. Ergo, this isn't
something ESAPI can fix, but rather fundamental problems. What do you
think? Overblown? Legit? Solutions forthcoming?

The rise of Java exploits
http://www.net-security.org/secworld.php?id=10014

Have you checked the Java?
http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx

Java: A Gift to Exploit Pack Makers
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/

Announcing Microsoft Security Intelligence Report version 9
http://blogs.technet.com/b/mmpc/archive/2010/10/13/announcing-microsoft-security-intelligence-report-version-9.aspx

cheers,

-ben

-- 
Benjamin Tomhave, MS, CISSP
tomhave () secureconsulting net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"I ran into Isosceles. He had a great idea for a new triangle!"
Woody Allen

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________