http://www.kb.cert.org/vuls/id/625617
Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.
Well, yes .... but.
Are we fighting a loosing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger have known in our hearts for a long time. AV products don't work.
There are "good" mailing lists and "not so good" mailing lists from the point of view of security.
Try posting HTML mail to a "good" and one of two things will happen.
- If you have a mailer that includes the plain text then the list
software will discard that, forward the plain text to the list
with a message reading
[Non-text portions of this message have been removed]
I'm sure you've seen that message in posts on yahoogroups and similar.
- If you have a mailer that doesn't include the plain text
then one of two things may happen:
- The plain text version is displayed, but being null the text that appears is
empty, but you still get
[Non-text portions of this message have been removed]
I'm sure you've seen that too.
- The list software does its best to convert the html to plain text by stripping
off the html tags. This works, but may
produce some odd results. However you still get
[Non-text portions of this message have been removed]