On 02/05/13 17:29, David McFarlane wrote:
> At 2/5/2013 04:02 PM Tuesday, Cooke, Tony wrote:
>> Since the University recommends/requires out of date/unsupported
>> software, which has known vulnerabilities, are we not being required
>> to put ourselves at risk? If so, is it an acceptable risk?
>
> My question exactly. Just how dangerous is this JRE to our users?
> Doesn't one have to be lured to a malicious website to trigger this
> sort of attack? How likely are our users to do this?
>
> -- dkm
>

Sadly I think this is *very* dangerous. I have a couple of folks I lean on for Java stuff, and they aren't very impressed with the way things have evolved, lately.

No, a user being tricked into running something is not the only way to effect an exploit. How about this: a Flash page that's an exploit which in turn executes a Java exploit. I'm trying to find more about this little gem.

Lastly, as for luring users, there are some really well done attacks out there that have the graphics of the faked site done so well that the only way you know it's a fake is to look at URLs with a mouse-over.

Most if not almost all of the vulnerabilities fixed in .13 are of the remote exploit type, and most of them are applicable to the 1.6 branch. *ugh*

--STeve Andre'
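The practical follow-up to this thread is an inventory question: which hosts are still running a JRE below the update level that carries the fixes being discussed. The script below is an added example, not code from anyone on the thread. It parses the first line of `java -version` output (the classic `1.<branch>.0_<update>` format of the 1.6/1.7 era) collected from several hosts and flags anything older than a per-branch minimum. The sample outputs are constructed, and the minimum update numbers in `MINIMUM_UPDATE` are placeholders: the correct values for any given advisory come from the vendor's release notes, not from this script.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample outputs of `java -version` from four hypothetical hosts.
# These are not real inventory data.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "host-a": 'java version "1.7.0_13"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_13-b20)\n',
    "host-b": 'java version "1.6.0_31"\n'
              'Java(TM) SE Runtime Environment (build 1.6.0_31-b04)\n',
    "host-c": 'java version "1.7.0_11"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "host-d": 'bash: java: command not found\n',
}

# Placeholder minimum update level per branch (assumption for this example).
# Replace with the update numbers named in the vendor advisory you are acting on.
MINIMUM_UPDATE: Dict[int, int] = {6: 39, 7: 13}

# Matches the legacy version string, e.g. java version "1.7.0_13"
VERSION_RE = re.compile(r'java version "1\.(\d+)\.0_(\d+)"')


def parse_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (branch, update) from `java -version` output, or None if absent."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_outdated(version: Tuple[int, int],
                minimums: Dict[int, int] = MINIMUM_UPDATE) -> bool:
    """True when the update number is below the branch minimum.

    A branch with no entry in `minimums` is treated as unsupported and
    therefore outdated, so an unexpected old branch is never silently passed.
    """
    branch, update = version
    if branch not in minimums:
        return True
    return update < minimums[branch]


def audit(outputs: Dict[str, str],
          minimums: Dict[int, int] = MINIMUM_UPDATE) -> Dict[str, str]:
    """Classify each host as 'no-java', 'outdated <ver>' or 'ok <ver>'."""
    report: Dict[str, str] = {}
    for host, output in outputs.items():
        version = parse_version(output)
        if version is None:
            report[host] = "no-java"
            continue
        label = f"1.{version[0]}.0_{version[1]}"
        state = "outdated" if is_outdated(version, minimums) else "ok"
        report[host] = f"{state} {label}"
    return report


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {status}")
```

In a real deployment the `SAMPLE_OUTPUTS` dictionary would be filled from whatever collects `java -version` across the fleet; the parsing and threshold logic stay the same. Hosts reported as `outdated` are the ones the thread is worried about, since the fixes under discussion address remote-exploit class bugs.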