Hacker News
Serious New Java Flaw Affects All Current Versions of Windows (threatpost.com)
9 points by eslifka 5912 days ago
2 comments

I already commented on another one of these link bait articles here http://news.ycombinator.com/item?id=1253870, but I'm reposting my comment here. Just because I felt let down after having clicked through to get the details on some 'juicy' new Java flaw. Only to find the reality to be less serious than advertised. I don't like feeling duped.

BTW - The last article was called 'Javocalypse'. Now with a name like that, when I test the exploit, it better deliver the goods.

I don't know.

That's just how I feel.

Anyway, here is the comment I left on that one:

----

I love all these 'embarrassingly trivially exploitable issues' that require me to set up my machine in just the right way to make them work. And for all that effort, you can't even own the machine using the exploit.

What has it been? 15 years? And this is the best they can come up with for Java security holes?

You know, I don't like Java, but the more stuff like this I read, the more I have to admit that it is smart for enterprises to use it so heavily.

An interesting comparison might be to look at the number of Java security holes vs ActiveX vs Windows XP vs Apache vs IIS vs PHP vs Ruby vs (you get the picture). Maybe group by client side and server side. That would give a real 'data based' look at software security quality.

Though I suspect that the JVM would be at the top of the 'security quality' heap in both groupings (i.e., least number of holes). I think it would be interesting to see nonetheless.

Perhaps Sun didn't respond to the vulnerability because Sun doesn't exist anymore.