The tale of two plugins..
In the browser world, Java and Adobe look very similar. Not only are they similar in the kind of stuff they allow embedded applets/flash_Code to do, but also in the way its exploited to get out of the security container which anonymous code should never be able to do. So here are couple of interesting news items you should know more about...
Adobe revokes certificates: Some tools found in the wild were found to be signed with Adobe's signature which should have never leaked Adobe's infrastructure. Adobe had no option but to initiate the process to revoke the impacted signatures and are conducting forensics to understand what really happened and what else is exposed.
More Java holes reported: A number of readers alerted ISC of news reports stating that new "full sandbox escape" vulnerabilities had been reported to Oracle. At this point, there are no details available as to the nature of these vulnerabilities, and there is no evidence that any of these vulnerabilities are exploited. However, it is widely known that Oracle is working on a substantial backlog of these vulnerabilities. It is still recommended to use Java "with caution".
Adobe revokes certificates: Some tools found in the wild were found to be signed with Adobe's signature which should have never leaked Adobe's infrastructure. Adobe had no option but to initiate the process to revoke the impacted signatures and are conducting forensics to understand what really happened and what else is exposed.
More Java holes reported: A number of readers alerted ISC of news reports stating that new "full sandbox escape" vulnerabilities had been reported to Oracle. At this point, there are no details available as to the nature of these vulnerabilities, and there is no evidence that any of these vulnerabilities are exploited. However, it is widely known that Oracle is working on a substantial backlog of these vulnerabilities. It is still recommended to use Java "with caution".
Comments