Today's browser-only issue does not mean the rest of Java is risk-free!
While it's true that the current (January) exploit patched by JRE7u11 was only accessible through web-based code, I think it's naive to think that the same level of careless programming that went into the web-based portions of the Java Runtime doesn't also plague the non-browser portions of the code. Possibly the only reason they don't is that much of that code was written prior to JRE7, and thus not subject to what appears to be some very dysfunctional coding practices inside Oracle.

Nonetheless, as Scott points out in his article, we all recognize that disabling (or uninstalling) Java completely is not a viable option, and thus the focus continues to be on disabling the Java functionality in the browsers -- which is the primary vector of attack.

Then again, related to general patch management and appDeploy practices: if you don't *need* Java, in any form, it's still Best Practice to uninstall the unneeded product.
Posted by Lawrence Garvin
Updated - 23rd Jan