Based on extensive experience in large organisations, the likely culprits are:
- Assessment and Prioritisation (anyone with visibility of Oracle's security team size and load, here?)
- Regression Testing
- Motivation ($$$)

To a lesser degree, their change control workflow could also be a barrier. Organisations generally expedite security patches, but in the wrong (right?) environment, the end-to-end approvals process could still take a week. Fancy a visit to your local Change Advisory Board, anyone?

Frankly, 'Java' isn't really the problem - the problem is the prevalence of unpatched Java (and Flash and, more generally, third-party software) installations. The Australian DSD (our version of the NSA) indicated recently that 85% of the incidents they investigated could have been avoided through:
- effective patch management (3rd party and OS)
- applying the least-privilege principle
- implementing application whitelisting

See http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm for more details.

-- 
Skip

On 30 August 2012 15:14, Casper Bang <[email protected]> wrote:
> Forget about spending a decade debating closures - I'm talking about
> patching security holes here! The last couple of years, Java has become
> the predominant vector of attack, to the point that I recommend friends and
> family *not* to run it at all. Life is rarely that simple however, as is, e.g.,
> the case with a Danish national SSO solution (taxes, banks etc.), for all
> practical purposes requiring applet functionality to be enabled for every
> citizen.
>
> The latest vulnerability already seems to have the Poison Ivy trojan
> spreading all over. It seems however, we're far from zero-day vulnerability
> attacks, as these were brought to Oracle's attention some 4 months ago:
> http://www.security-explorations.com/en/SE-2012-01-press.html
>
> I have now stitched together a Chrome plugin to only allow certain trusted
> applets to run, but your average Joe doesn't have that option. There's still
> no fix available and that's just not good enough!
>
> --
> You received this message because you are subscribed to the Google Groups "Java Posse" group.
> To view this discussion on the web visit https://groups.google.com/d/msg/javaposse/-/hJTW5OLDg6wJ.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/javaposse?hl=en.
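As an added example (not code from the thread, and not Casper's plugin), the core decision such an "only run trusted applets" extension has to make: resolve where each applet's code will actually be fetched from, compare that against an allow-list of hosts, and strip everything else before the JVM sees it. The trusted hosts, the sample page URL and the sample applet tags below are constructed for illustration; the DOM hook at the end is how a content script would apply the same logic at `document_start`.

```javascript
// Added example: origin allow-list for Java applets, in the spirit of the
// "only run trusted applets" Chrome plugin mentioned in the thread.
// Hypothetical trusted hosts; a real deployment ships its own list.
const TRUSTED_HOSTS = ["sso.example.dk", "netbank.example.dk"];

// Resolve the URL an applet's code is loaded from. <applet> takes an optional
// codebase (relative to the page) and an optional archive (relative to the
// codebase); with neither, class files come from the page's own location.
// Only applet attributes are handled here; <object><param> variants are not.
function appletCodeUrl(pageUrl, attrs) {
  const base = attrs.codebase ? new URL(attrs.codebase, pageUrl) : new URL(pageUrl);
  if (!attrs.archive) return base;
  // archive may list several jars; the first one decides the origin here.
  return new URL(attrs.archive.split(",")[0].trim(), base);
}

// Trusted means: https (so a network attacker cannot swap the jar in transit)
// and the host is a trusted host or a subdomain of one. Matching on the full
// label boundary ("." + host) keeps "evil-sso.example.dk" out.
function isTrusted(url) {
  if (url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  return TRUSTED_HOSTS.some(t => host === t || host.endsWith("." + t));
}

// Split a page's applets into those allowed to run and those to remove.
function filterApplets(pageUrl, applets) {
  const keep = [], block = [];
  for (const a of applets) {
    let code;
    try {
      code = appletCodeUrl(pageUrl, a);
    } catch (e) {
      // Unparsable codebase/archive: fail closed.
      block.push({ ...a, reason: "unparsable URL" });
      continue;
    }
    (isTrusted(code) ? keep : block).push({ ...a, origin: code.href });
  }
  return { keep, block };
}

// Content-script hook: walk the live DOM and remove untrusted applet nodes.
// Returns the number of nodes removed. (Needs a browser document to run.)
function stripUntrustedApplets(doc) {
  const nodes = [...doc.querySelectorAll(
    'applet, object[type="application/x-java-applet"], embed[type="application/x-java-applet"]')];
  const applets = nodes.map(n => ({
    node: n,
    codebase: n.getAttribute("codebase"),
    archive: n.getAttribute("archive"),
  }));
  const { block } = filterApplets(doc.location.href, applets);
  for (const b of block) b.node.remove();
  return block.length;
}

// Constructed sample: a login page on the trusted SSO host carrying one
// legitimate applet, one pulled from a third-party host over plain http,
// one from an https CDN that is not on the list, and one with no attributes.
const SAMPLE_PAGE = "https://sso.example.dk/login";
const SAMPLE_APPLETS = [
  { id: "nemid",  codebase: "/applet/", archive: "nemid.jar" },
  { id: "ad",     codebase: "http://ads.evil-example.net/java/", archive: "banner.jar" },
  { id: "cdn",    archive: "https://cdn.example.org/widget.jar" },
  { id: "inline" },
];

function demo() {
  return filterApplets(SAMPLE_PAGE, SAMPLE_APPLETS);
}
```

Resolving the archive against the codebase matters: an applet tag on a trusted page can still point `archive` at an absolute URL on another host, so checking the page origin alone is not enough.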
