R2D2′s comments: Not good news. I do wonder how they came exactly to the two years duration to fix Java. And this is a bit off: “The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop.” . Really? What WEB world has he been living in?
Now seriously, this is not the first time Java exploits are out there. However, problem is that it made it on the Metasploit library of modules.
https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
If you haven’t read enough about this exploit – more details here
http://net-security.org/secworld.php?id=14222
and here
http://www.zdnet.com/java-zero-day-vulnerability-actively-used-in-targeted-attacks-7000003233/
Security experts on Java: Fixing zero-day exploit could take ‘two years’ | ZDNetSummary: Amid growing concern over Java’s security, Oracle released an emergency fix over the weekend. However, security professionals say that this measure doesn’t go far enough. Oracle, the creator of Java software, has not had the best weekend.
