Vulnerable with UAC/DEP/ASLR/EMET/AV/FW

Discussion in 'malware problems & news' started by CloneRanger, Jun 16, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    SPP, IE, Chrome and Firefox all disable out of date Java (though I only know Chrome does this) but that's irrelevant because:
    1) Java updates are far apart with exploits splattered between
    2) 0-days for Java are common and the program is incredibly exploitable given the nature of JIT and the nature of Oracle being a ****-tier company.

    And, of course, the simple fact that while this example uses Java there are Silverlight, Flash, and browser exploits aplenty.
     
  2. guest

    guest Guest

    I didn't know Chrome disabled out of date Java like IE and Firefox. In fact I didn't know Chrome supported Java. :argh: Last time I used the horrible JRE was more than a year ago.

    I know, I know, there are several runtimes and apps that can be exploited, there are 0-days, etc. But that would be an expanded discussion, beside the point of the linked article by the OP.
     
  3. guest

    guest Guest

    But maybe the generic and alarmist thread's title is inviting such discussion anyway. lol
     
  4. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Sure, but often those restrictions don't restrict web-based malware.
    Like recently in NL when a Sinowal sample wreaked havoc around 12:00 lunchtime when the CMS of the most popular Dutch news site was hacked.
    'it redirected systems specifically with Windows Vista/7/8 to a separate location in the Nuclear Pack exploit kit. ...combined with how effective the exploit for java typically is, with around one in eight visitors being infected, a little over 12%, led us to believe this was a huge incident..'. link

    A steady 15% IE6/7 market share link shows a larger attack surface than '92% up-to-date' would suggest while the main attack vector remains outdated Java etc.
    I agree on the title criticism. It's a bit like claiming a moat-fence-guards-dogs-locks burglary by befriending the victim and getting invited.
     
  5. guest

    guest Guest

    "92% up-to-date" is a different claim from "92% of Windows' userbase with Microsoft/Windows Update set to automatic install". Until recently, IE 8 and 9 weren't being automatically installed (they were being automatically offered - many refused them). But IE 6 and 7 are going to be supported until Windows XP and Windows Vista reach end-of-life respectively - which means the update I was talking about works for IE 6 and 7 as well (the Microsoft Killbit update, which blocks vulnerable plugins in IE - including vulnerable versions of JRE - and is really being automatically installed for those with Microsoft/Windows Update set to "automatic install").
     
    Last edited by a moderator: Jun 17, 2012
  6. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    reinforces my mindset of never allowing java on my systems.
     