Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
Well, yes .... but.
Once upon a time, the germ theory of disease was treated with disdain despite the evidence:
Despite various publications of results where hand-washing reduced
mortality to below 1%, Semmelweis's observations conflicted with the
established scientific and medical opinions of the time and his ideas
were rejected by the medical community. Some doctors were offended at
the suggestion that they should wash their hands.
Yes, analogies are flawed and limited. All analogies break down if taken to their limits or examined by experts. But analogies are useful for quickly conveying a very basic level of understanding to people who are neither medical professionals nor technology or security professionals.
Take "Joe Sixpack" for example: a regular, non-medical, non-technical computer user. The one who bought his computer at Wal-Mart. You know, the one whose password is in the top 10 most common and who hasn't changed it since he bought the machine. And let's face it, he doesn't know the difference between a virus, a microbe and a bacterium. When he falls ill he has come down with a "bug". His computer has "bugs" as well.
Perhaps it's not simply the case that Joe Sixpack takes offence at the idea that there are some sites he should not visit, that some of his favourite - cough, cough - sites are sources of malware infections, even if he does disable the aggressive pop-ups they use. But let's face it, there are many egregious practices Joe Sixpack engages in, most notably drinking and driving. The statistics for DUI on Friday and Saturday nights are horrific and have been for a long time.
Good risk management practice weighs many factors, among them the likelihood and cost of the risk and how easy it is to mitigate.
This one is easy to mitigate, at least for the browser: disable the Java plug-in. But there are still going to be end users who depend on very specific web-based applications and cannot simply turn it off. After all, the pressure is on to move to web-based applications to support netbooks, tablets and smartphones. Then there are Chromebooks.
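To make the "disable it" advice concrete, here is an added example (not code from the original post or from Oracle) that writes the per-user setting behind the Java Control Panel's "Enable Java content in the browser" checkbox, `deployment.webjava.enabled`, which Java 7 Update 10 introduced. The property file path is passed in and the sample file is constructed in the script; where the real file lives on a given host is an assumption noted below.

```shell
#!/bin/sh
# Added example (not from the original post): turn off "Java content in the
# browser" by writing deployment.webjava.enabled=false to a deployment.properties
# file, the per-user setting Java 7u10 introduced behind the Java Control Panel
# checkbox. Where that file lives on a given host is an assumption; see the usage note.

# Report (exit 0) whether the given deployment.properties disables Java in the browser.
java_web_disabled() {
    props="$1"
    [ -f "$props" ] || return 1
    # Take the last assignment of the key, ignoring surrounding whitespace.
    val=$(grep -E '^[[:space:]]*deployment\.webjava\.enabled[[:space:]]*=' "$props" \
            | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    [ "$val" = "false" ]
}

# Write deployment.webjava.enabled=false into the given file, keeping every other
# setting, and add the ".locked" entry that (in the system-wide properties file)
# stops the Control Panel checkbox from re-enabling it.
disable_java_web() {
    props="$1"
    mkdir -p "$(dirname "$props")"
    [ -f "$props" ] || : > "$props"
    # Strip any existing (possibly conflicting) setting or lock line first.
    grep -vE '^[[:space:]]*deployment\.webjava\.enabled(\.locked)?([[:space:]]*=|[[:space:]]*$)' \
        "$props" > "$props.tmp" || true
    {
        cat "$props.tmp"
        echo 'deployment.webjava.enabled=false'
        echo 'deployment.webjava.enabled.locked'
    } > "$props"
    rm -f "$props.tmp"
    java_web_disabled "$props"
}

# Demo against a constructed file (not a real user's settings):
#   sh disable-java-web.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)/deployment.properties
    printf 'deployment.webjava.enabled=true\ndeployment.security.level=HIGH\n' > "$demo"
    disable_java_web "$demo" && echo "Java browser plug-in disabled in $demo"
    cat "$demo"
fi
```

The real per-user file is normally `~/.java/deployment/deployment.properties` on Linux and Mac OS X and `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties` on Windows; point the functions at that path (or at the system-wide file named in `deployment.config`) and restart the browser. Note the caveat this implies: the setting only stops Java content delivered through the browser, which is the vector the advisory describes (a specially crafted HTML document); standalone Java applications and Java Web Start launched outside the browser are unaffected by it.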
It seems that Microsoft, Google, Amazon and others see connectivity and web-based applications and storage as the future; after all, popular tablets like the Nexus 7 don't even have an SD card slot! Amazon and others have clearly adopted a "Software as a Service" approach.
On top of this, I'm beginning to see articles online about the "security of the cloud" and how suppliers and service organizations can't offer an adequate level of security.
I think it's going to get worse before it gets better. Like so many things in public life, it's going to take a few disasters, perhaps even loss of life, before people wise up. Maybe not even then; the statistics on DUI mortality aren't hopeful either. It's been a long and slow battle.
In many ways, AV products are a form of religion, a cargo-cult. But that's a subject for another article.
- VU#625617: Java 7 Update 10 remote code execution vulnerability (kb.cert.org)
- 'Java is a mess. It's not secure. You have to disable it' (ibnlive.in.com)
- Experts Warn Users to Disable Oracle's Widely Used Java Software (blogs.kqed.org)
- Critical Java vulnerability made possible by earlier incomplete patch (arstechnica.com)
- US warns on Java software as security concerns escalate (nbcnews.com)
- Java Recommended To Be Disabled Because of New Exploit (tomshardware.com)
- Experts urge PC users to disable Java, cite security flaw (smh.com.au)
- Security Firms Recommend Disabling Java Due To New Exploit (toast.net)