
The primary difference is that JSON isn't considered executable-- at least not by any Java JSON libraries that I've seen; it's just data.

(Yes, non-executable data can still deliver a malicious payload, e.g. http://technet.microsoft.com/en-us/security/bulletin/ms04-02.... It's just much less common-- presumably because it's a much smaller attack surface.)



You forget the time when JSON was usually called with exec...

But mostly it is buffer overflow bugs that get you now.



