At 9:54 AM -0400 10/20/10, Benjamin Tomhave wrote: > All these platform-independent attacks are starting to get exhausting, > no? Now that Adobe has come up with sandboxing for Reader and actually > started responding to threats, it seems that the smart adversaries have > moved to a new platform: Java. Stories are below, mostly deriving from > Microsoft's latest Intelligence Report (this one has a botnet focus - a > topic on which they've invested a ton of resources). > > If I understand this all correctly (never a safe bet), it seems these > are actual attacks on Java, not on coding with Java.
I have followed the URLs you cite, and found absolutely nothing to indicate there is a problem with Java as a programming language. The troubles are with the Java Runtime Engine, and have nothing to do with programs compiled from Java straight to object code and then linked into an executable image. This is just one symptom of the generalized problem of Mobile Code. That is what NIST Control SC-18 is all about, and likewise US DoD DCMC-1. -- Larry Kilgallen _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
