Hacker News
[dupe] Trend Micro Discovers New Java Zero-Day Exploit (trendmicro.com)
33 points by _jomo on July 13, 2015 | 9 comments


Do I understand this correctly, that this is a browser exploit and not a server-side exploit? I thought that most people did not use Java browser applets anymore.


That's the way I read it, although more detail from Trend Micro would've been nice. This vulnerability seems to relate to the browser plugin:

"The Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite detects the exploit once the user accesses the URL that hosted it. Our Browser Exploit Prevention detects user systems against exploits targeting browsers or related plugins."


Yes.

I share your frustration at articles such as this that report a "Java 0 day" vulnerability without clarifying they are speaking of Java on client computers which is presumably launched via the Java browser plugin.

Here in this community (HN) full of application builders, we generally think of Java and the JVM as a server-side application platform. And we're surprised to hear that enterprises and institutions have Java desktop or browser applications deployed to real users. But it's true, and they generally cannot just disable the Java plugin as advised until they can abandon these old applications.

I had to do work with a client once that used a VPN (I can't remember the vendor, but it was recognizable at the time) that required the Java plugin to authenticate. Totally ridiculous, but thankfully something I could quarantine to a VM. The irony of using something so reliably insecure as a prerequisite for a security system such as a VPN was delicious.


Someone should update this page:

http://java-0day.com/


So there are now both Flash AND Java zero-days out. Time to be careful...


Another month, another exploit. Flash and Java are no more insecure than usual for them. The best advice is to disable these plugins as a matter of course, whenever possible.


Disable, uninstall, or click-to-enable.

I'm in favor of everything moving to click-to-enable (which Flashblock does for me, and is nice). Of course, companies like Adobe and Oracle probably don't want that, as it means fewer people buy their products or support as they move to natively supported features.



Java Web Start, not JDK or JRE



