Soleron said:
Mr Khan said:
Funny story about Java vulnerability (tangential to the OP, but whatevs), the company I work for, who is very super-serious about protecting confidential information (we deal in names, personal info, social security numbers, federal background checks) has their system running entirely on a Java-based program...

Java is fine, it's the browser plugin that's had all of the vulnerabilities.

I get what you're saying but I think it's phrased wrong. All the vulnerabilities are in Java, but they are generally of the privilege escalation variety: the Java plug-in is supposed to run its code in a sandbox that denies attempts to mess with the computer, but gaps in security allow carefully crafted attacks to sneak through. On the other hand, a company's internal applications are not foreign code and I would expect them to already be running with privileges — that code can be trusted at least as far as the programmers who wrote it, so the vulnerability is irrelevant. Of course it's still a problem if the company has to enable Java in their browsers (perhaps by accident) in order to use it, but it certainly doesn't have to be that way.

Note that some of the companies that got attacked in this recent round of Java security theatre did have the Java plug-in disabled. It was Java Web Start (.jnlp files) that provided a second attack vector.