All these platform-independent attacks are starting to get exhausting,
no? Now that Adobe has come up with sandboxing for Reader and actually
started responding to threats, it seems that the smart adversaries have
moved to a new platform: Java. Stories are below, mostly deriving from
Microsoft's latest Intelligence Report (this one has a botnet focus - a
topic on which they've invested a ton of resources).
If I understand this all correctly (never a safe bet), it seems these
are actual attacks on Java, not on coding with Java. Ergo, this isn't
something ESAPI can fix, but rather fundamental problems. What do you
think? Overblown? Legit? Solutions forthcoming?
The rise of Java exploits
http://www.net-security.org/secworld.php?id=10014
Have you checked the Java?
http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx
Java: A Gift to Exploit Pack Makers
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/
Announcing Microsoft Security Intelligence Report version 9
http://blogs.technet.com/b/mmpc/archive/2010/10/13/announcing-microsoft-security-intelligence-report-version-9.aspx
cheers,
-ben
--
Benjamin Tomhave, MS, CISSP
tomh...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave
[ Random Quote: ]
"I ran into Isosceles. He had a great idea for a new triangle!"
Woody Allen
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___