Re: [SC-L] Java: the next platform-independent target

2010-10-20 Thread ljknews
At 9:54 AM -0400 10/20/10, Benjamin Tomhave wrote:

> All these platform-independent attacks are starting to get exhausting,
> no? Now that Adobe has come up with sandboxing for Reader and actually
> started responding to threats, it seems that the smart adversaries have
> moved to a new platform: Java. Stories are below, mostly deriving from
> Microsoft's latest Intelligence Report (this one has a botnet focus - a
> topic on which they've invested a ton of resources).
> 
> If I understand this all correctly (never a safe bet), it seems these
> are actual attacks on Java, not on coding with Java.

I have followed the URLs you cite, and found absolutely nothing
to indicate there is a problem with Java as a programming language.

The troubles are with the Java Runtime Engine, and have nothing to
do with programs compiled from Java straight to object code and
then linked into an executable image.

This is just one symptom of the generalized problem of Mobile
Code.  That is what NIST Control SC-18 is all about, and likewise
US DoD DCMC-1.
-- 
Larry Kilgallen
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Java: the next platform-independent target

2010-10-20 Thread Benjamin Tomhave
All these platform-independent attacks are starting to get exhausting,
no? Now that Adobe has come up with sandboxing for Reader and actually
started responding to threats, it seems that the smart adversaries have
moved to a new platform: Java. Stories are below, mostly deriving from
Microsoft's latest Intelligence Report (this one has a botnet focus - a
topic on which they've invested a ton of resources).

If I understand this all correctly (never a safe bet), it seems these
are actual attacks on Java, not on coding with Java. Ergo, this isn't
something ESAPI can fix, but rather fundamental problems. What do you
think? Overblown? Legit? Solutions forthcoming?

The rise of Java exploits
http://www.net-security.org/secworld.php?id=10014

Have you checked the Java?
http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx

Java: A Gift to Exploit Pack Makers
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/

Announcing Microsoft Security Intelligence Report version 9
http://blogs.technet.com/b/mmpc/archive/2010/10/13/announcing-microsoft-security-intelligence-report-version-9.aspx

cheers,

-ben

-- 
Benjamin Tomhave, MS, CISSP
tomh...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"I ran into Isosceles. He had a great idea for a new triangle!"
Woody Allen
