

Javocalypse - timf
http://blog.cr0.org/2010/04/javacalypse.html

======
bilbo0s
I love all these 'embarrassingly trivially exploitable issues' that require me
to set up my machine in just the right way to make them work. And for all that
effort, you can't even own the machine using the exploit.

What has it been? 15 years? And this is the best they can come up with for
Java security holes?

You know, I don't like Java, but the more stuff like this I read, the more I
have to admit that it is smart for enterprises to use it so heavily.

An interesting comparison might be to look at the number of Java security
holes vs. ActiveX vs. Windows XP vs. Apache vs. IIS vs. PHP vs. Ruby vs. (you get the
picture). Maybe group by client side and server side. That would give a real
'data-based' look at software security quality.

Though I suspect that the JVM would be at the top of the 'security quality'
heap in both groupings (i.e. the least number of holes). I think it would be
interesting to see nonetheless.

