Okay – I wasn’t going to blog on this but I just can’t take it anymore.
First off – read the Matasano blog here: http://www.matasano.com/log/841/this-just-in-blogs-a-crappy-way-to-handle-disclosure/
Sounds pretty bad . . . “Java – write once, exploit everywhere” no?
But you want to know the cruel, sweet irony of this? Even though the bug was found on OSX and exploited via Safari for ‘fun’ at CanSec . . . even though we haven’t shipped a JVM on Windows since XP SP1 – I bet once the ‘bad actors’ figure out how to exploit it, the only people who will suffer and be exploited will be Windows / IE users (maybe Windows / Firefox users). Why? Because OSX, at the end of the day, has 4% market share and malware authors just don’t give a crap (yet).
At this point all we really know is that this seems to require a working JVM + QuickTime . . . so I imagine proactive workarounds would involve disabling one or the other (or both – I am fortunate enough to be able to live without either on my machines).
There – I said it.