The Java Deserialization Bug and NSSecureCoding

Charles Miller: The problem, described in the talk the exploit was first raised in — Marshalling Pickles — is that arbitrary object deserialization (or marshalling, or un-pickling, whatever your language calls it) is inherently unsafe, and should never be performed on untrusted data. […] This means that if there is any object reachable from your runtime that …
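
An added example, not part of the quoted post or of any project it describes: Java's built-in `ObjectInputFilter` (Java 9 and later) restricts decoding to an explicit class allowlist, the same idea NSSecureCoding enforces by requiring the expected class at decode time. The `Message` and `Unexpected` classes are constructed for illustration.

```java
import java.io.*;

public class AllowlistDecode {
    // Constructed sample types: Message is what the receiver expects,
    // Unexpected stands in for any other serializable class on the classpath.
    static class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // The filter runs before a class from the stream is instantiated: only the
    // named classes pass, "!*" rejects every other class, and the limits bound
    // the size and nesting of the object graph.
    static Object decode(byte[] data) throws IOException, ClassNotFoundException {
        String pattern = "maxbytes=4096;maxdepth=5;"
                + Message.class.getName() + ";java.lang.String;!*";
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(pattern));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Message ok = (Message) decode(serialize(new Message("hello")));
        System.out.println("accepted: " + ok.text);
        try {
            decode(serialize(new Unexpected()));
            System.out.println("accepted Unexpected (filter not applied)");
        } catch (InvalidClassException e) {
            // Thrown by readObject when the filter returns REJECTED.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter narrows what a stream can instantiate; it does not make the allowlisted classes' own `readObject` logic safe, so the allowlist should stay as small as the protocol permits.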