Ben, These threats are only relevant for client-side Java, for the most part.
It's my opinion that all enterprises should remove Java from all clients. Java is most commonly deployed server-side which has a completely different threat model than client side Java. A lot of smart people disagree with me here - but the history of Java sandbox problems, data theft though reflection, the weak security policy mechanism, etc, backs up my recommendation. Oracle is one of the most irresponsible large technical companies from a product security perspective, so I have no hope that this will get better. Abort Java on the client, and please support forking Java. - Jim -----Original Message----- From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Benjamin Tomhave Sent: Wednesday, October 20, 2010 7:24 PM To: SC-L@securecoding.org Subject: [SC-L] Java: the next platform-independent target All these platform-independent attacks are starting to get exhausting, no? Now that Adobe has come up with sandboxing for Reader and actually started responding to threats, it seems that the smart adversaries have moved to a new platform: Java. Stories are below, mostly deriving from Microsoft's latest Intelligence Report (this one has a botnet focus - a topic on which they've invested a ton of resources). If I understand this all correctly (never a safe bet), it seems these are actual attacks on Java, not on coding with Java. Ergo, this isn't something ESAPI can fix, but rather fundamental problems. What do you think? Overblown? Legit? Solutions forthcoming? The rise of Java exploits http://www.net-security.org/secworld.php?id=10014 Have you checked the Java? http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-ja va.aspx Java: A Gift to Exploit Pack Makers http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/ Announcing Microsoft Security Intelligence Report version 9 http://blogs.technet.com/b/mmpc/archive/2010/10/13/announcing-microsoft-se curity-intelligence-report-version-9.aspx cheers, -ben -- Benjamin Tomhave, MS, CISSP tomh...@secureconsulting.net Blog: http://www.secureconsulting.net/ Twitter: http://twitter.com/falconsview LI: http://www.linkedin.com/in/btomhave [ Random Quote: ] "I ran into Isosceles. He had a great idea for a new triangle!" Woody Allen _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
