

Java browser plugin now the most exploited in vuln packs - bl4k
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/

======
badmash69
This article is short on facts and big on scaremongering hype. Just because
script kiddies are purchasing malware toolkits which have some Java stuff as a
feature does not make the JVM plug-in the "most exploited".

The last known vulnerability in the JVM was discovered and patched almost a year
ago. These issues are addressed in the following releases: JDK and JRE 6
Update 17, JDK and JRE 5.0 Update 22, SDK and JRE 1.4.2_24, SDK and JRE 1.3.1_27.

If you are concerned about security, instead of reading this guy's uninformed
blog, read this instead:

McAfee Threat Center : <http://mcafee.com/us/threat_center/default.asp>

Symantec :
[http://us.norton.com/security_response/threatexplorer/index....](http://us.norton.com/security_response/threatexplorer/index.jsp)

~~~
bl4k
I agree with you, but as the comment above pointed out, for various reasons JVM
updates lag in the enterprise. One of those screens had a table of JVM version
numbers, and a large slice were old installs.

It isn't really Sun/Oracle's fault, since they provide a decent updater.

OTOH, the number of these malware toolkits and the penetration rates they seem
to achieve are just remarkable. I love the toolkit that had the 'now compatible
with Windows 7' logo in the admin screen.

------
16s
One huge issue is that many enterprise apps are only certified to run on older
JREs. So updating the JRE will break the application and put you in
"unsupported mode" with the application vendor. So companies must stay at
version 1.6.9 (or whatever).

