All these platform-independent attacks are starting to get exhausting, no? Now that Adobe has come up with sandboxing for Reader and actually started responding to threats, it seems that the smart adversaries have moved to a new platform: Java. Stories are below, mostly deriving from Microsoft's latest Intelligence Report (this one has a botnet focus - a topic on which they've invested a ton of resources).
If I understand this all correctly (never a safe bet), it seems these are actual attacks on Java, not on coding with Java. Ergo, this isn't something ESAPI can fix, but rather fundamental problems. What do you think? Overblown? Legit? Solutions forthcoming? The rise of Java exploits http://www.net-security.org/secworld.php?id=10014 Have you checked the Java? http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx Java: A Gift to Exploit Pack Makers http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/ Announcing Microsoft Security Intelligence Report version 9 http://blogs.technet.com/b/mmpc/archive/2010/10/13/announcing-microsoft-security-intelligence-report-version-9.aspx cheers, -ben -- Benjamin Tomhave, MS, CISSP tomh...@secureconsulting.net Blog: http://www.secureconsulting.net/ Twitter: http://twitter.com/falconsview LI: http://www.linkedin.com/in/btomhave [ Random Quote: ] "I ran into Isosceles. He had a great idea for a new triangle!" Woody Allen _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________