I've had lots of folks asking me "Should I be worried about the Homeland Security warning concerning Java?" It's all over Twitter, Facebook and the news. If you haven't heard about it, you can find more information here: http://zd.net/11mWMZy
I hate to use the words Overblown or Sensationalism. It is a very real and serious threat to millions of computers, and it is currently unpatched—thus all of the hype. However, 90% of the consumer computers that come through our doors are not up to date with the current OS critical or recommended patches from Microsoft. 100% are not up to date with third-party patches such as Java, Adobe Reader, Adobe Flash Player, etc. We still see Vista with no service packs, and most people never realize that Java leaves old versions installed even when patching and that those should be removed.
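An added example, not from the original post: a PowerShell check that lists the Oracle/Sun Java products registered on a Windows machine and flags more than one runtime, which is the stale-version problem described above. It assumes the entries carry "Oracle" or "Sun" in their Publisher field and that it is run from an elevated prompt.

```powershell
# Added example (not part of the original post): inventory Java installs on a
# Windows host from the Uninstall registry keys and warn when more than one
# runtime is present, i.e. an update left an older version behind.
# Assumption: Java entries have "Oracle" or "Sun" as Publisher.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Each subkey under Uninstall is one installed product; read its properties.
$javaInstalls = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java' -and $_.Publisher -match 'Oracle|Sun' } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString

if (-not $javaInstalls) {
    Write-Output 'No Oracle/Sun Java product found in the Uninstall registry keys.'
    return
}

# Show what is installed, oldest version first.
$javaInstalls | Sort-Object DisplayVersion | Format-Table DisplayName, DisplayVersion, InstallDate -AutoSize

# More than one entry means an older runtime is still present and reachable.
$count = @($javaInstalls).Count
if ($count -gt 1) {
    Write-Warning "$count Java products registered; remove the older ones once no application is pinned to them."
} else {
    Write-Output 'Only one Java product registered.'
}
```

Each row's UninstallString is the command the installer registered for removal, which is what you would run (or push via your management tooling) for the older entries.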
The same can be said for business and enterprise workstations. The difference is that many developers write code for specific versions of these third-party applications, and patching may break functionality. In the enterprise, patches and upgrades are thoroughly tested for several days before rolling out to the production environment. If there are issues, then the patches are not deployed. In those cases, productivity is preferred over security—which is most of the time. There are workarounds that tighten security and restrict access (for applications like Java) to only the locations required for day-to-day operation. But that is not a real fix.
If you are worried about your computer's safety because of the Homeland Security warning, the instructions for disabling Java in the browser are found on the Sun Java website. Or, if you have no real need for Java, uninstall it. But don't forget about your OS and the other software on your computer. You may already be vulnerable to something worse.
So the next time someone asks "Should I be worried about Java?", the real answer should be "You should have already been worried about Java... and much more."
Just as I was clicking the "Post" button on the Java article, I received an email from Microsoft informing me of an out-of-band patch that closes another zero-day vulnerability that criminals have been exploiting for over a month. <*sigh*> I had just finished patching servers. More information can be found here: http://bit.ly/VHNtO2