Is this still as big a threat as it was, now that Java applets are automatically disabled and Flash Player is the only remaining method by which silent applets still execute?
From the end of the article, "To limit the risk of having drive-by malware attacks planted on their websites, organizations should monitor the payload of their different Internet properties, which for larger organizations can easily become a huge undertaking." In other words, it won't be done. The last para of the article was such comprehensive gobbledygook that even a seasoned TLA operative would be nonplussed. Again, it reads like, we're on our own.
This has been a risk for the last 10 years, but it has only gotten worse. However, it's good for business: it will make selling tools like MBAE and HMPA (both anti-exploit) a lot easier.
If you remove Java from the browser and keep your operating system, browser, and browser plugins up to date, I believe you're statistically in pretty good shape. Related threads: H1 2014 Endpoint Exploitation Trends In a Zero-Day World; It’s Active Attacks that Matter (2012)
Blocking JavaScript by default is the best approach to dealing with this. Java is not widely used these days, but JavaScript is. That, combined with having UAC active and using a limited user account, will prevent drive-by installations. Even if a malicious script gets into a whitelisted site, it will still need administrator permission to install anything.
Also, if someone is browsing from an admin account, I recommend setting UAC to max level to avoid UAC bypasses such as this.
It does help, but you can still be tricked into letting all scripts run on a site, for example if you want to download a video or see a picture. And if I'm correct, a lot of malware is able to install even with non-admin rights, so UAC will not help. What WILL help is using apps that are less exploited, like Opera Presto, instead of Internet Explorer or Firefox. On the other hand, nowadays even plug-ins running inside the browser like Flash get exploited too, so I'm not sure if it matters which browser you are running then; will do some reading.
I strengthen file permissions manually so it is almost impossible to install anything without administrator rights. It would still be possible to run something from an unsecured file system on an external thumb drive but it wouldn't be able to install itself on my main drive.
Will need to do some more reading, it's not clear to me yet, but I did read that some Flash exploits will only work when combined with a certain browser like IE, so that is quite good news.
That's certainly an important step. From the article: Also, as others have alluded to, using a script and/or ad blocker will further reduce the chances of attack, as will using alternatives to IE. For user space applications, I have those areas restricted by granular (at least somewhat) AppLocker path rules, including DLLs, and monitored by Jetico's Process Attack filter option. To boldly state, I consider my Win 7 x64 setup as close to bulletproof as possible without giving up usability. My Linux setups are no doubt even stronger.
A little more on strengthening file permissions on a limited user account. Windows, by default, gives a limited account full control of its user data folder in the Users folder on the C: drive. So a limited user can execute software copied into that folder, which includes the desktop and all document folders for that user's account. That allows malware to run from any of these locations in a limited account. I change the limited user's default Full control permission to List folder contents, Read and Write in the main permissions page and add Delete and Delete subfolders and files in the advanced tab. It is also necessary to check "replace permissions on all child objects" in the advanced tab to reset the permissions on every file and folder contained in the user's data folder. That seals one security gap that allows drive-by malware to run from a limited account after a drive-by installation. I also do the same on my data partition, but I use an even stricter scheme where all individual users are eliminated and there are just 3 groups: Administrators, System and Users. Administrators and System have full control, and Users can only list folder contents, read, write, delete and delete subfolders and files.
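The permission scheme described in the post above, expressed as a PowerShell script (an added example, not the poster's own script): it replaces the account's Full control on its profile folder with list/read/write plus Delete and Delete subfolders and files, propagates that to every child object, and then reports any file where the account still holds ExecuteFile. The profile path and account name are assumed placeholders; run it from an elevated prompt.

```powershell
# Added example: apply a no-execute ACL to a limited user's profile folder.
# Assumed placeholder values; substitute the real profile path and account.
$Path     = 'C:\Users\limiteduser'            # assumed profile folder
$Identity = "$env:COMPUTERNAME\limiteduser"   # assumed local account name

function Set-NoExecuteUserData {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -LiteralPath $Path
    # Drop the default Full control ACE(s) the account holds on its own profile.
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Identity)
    # "List folder contents": traverse/list on folders only (ContainerInherit,
    # no ObjectInherit), so files under the tree never receive ExecuteFile.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'ReadAndExecute', 'ContainerInherit', 'None', 'Allow')))
    # Read + Write on folders and files, plus the two advanced rights the post
    # adds: Delete and "Delete subfolders and files".
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Read, Write, Delete, DeleteSubdirectoriesAndFiles',
        'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Equivalent of "Replace permissions on all child objects": re-enable
    # inheritance on each child and strip explicit ACEs that would otherwise
    # keep Full control alive on individual files or subfolders.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $child = Get-Acl -LiteralPath $_.FullName
        $child.SetAccessRuleProtection($false, $false)
        @($child.Access | Where-Object { -not $_.IsInherited }) |
            ForEach-Object { [void]$child.RemoveAccessRule($_) }
        Set-Acl -LiteralPath $_.FullName -AclObject $child
      }
}

# Verification: list every file on which the account still has an Allow ACE
# carrying ExecuteFile. An empty result means no file in the tree is runnable
# by that account through its own ACE.
function Get-ResidualExecute {
    param([string]$Path, [string]$Identity)
    $exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
      Where-Object {
        (Get-Acl -LiteralPath $_.FullName).Access | Where-Object {
            $_.IdentityReference -eq $Identity -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $exec) -ne 0) }
      } | Select-Object -ExpandProperty FullName
}

Set-NoExecuteUserData -Path $Path -Identity $Identity
Get-ResidualExecute   -Path $Path -Identity $Identity
```

Programs that install or self-update under the profile (typically %LOCALAPPDATA%) stop working under this scheme; the AppLocker path rules mentioned earlier in the thread give the same effect with per-application exceptions.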