New Java 0-day exploit spotted in the wild.

[karlmdavis]

The primary difference is that JSON isn't considered executable-- at least not by any Java JSON libraries that I've seen; it's just data.

(Yes, non-executable data can still deliver a malicious payload, e.g. http://technet.microsoft.com/en-us/security/bulletin/ms04-02.... It's just much less common-- presumably because it's a much smaller attack surface.)

[justincormack]

you forget the time when json was usually called with exec...

But mostly it is buffer overflow bugs that get you now.