(07-26-2015, 08:25 PM)kilishan Wrote: I don't know if you realize it, but that article is talking about client-side Java, which is apps run in the browser, due to security holes that hackers are exploiting. And while he mentioned completely blocking it's use, I think that's silly. Non-web based apps, like the IDE's being mentioned here, have much lower security risk from everything I've seen.
Actually, the article talks about both Java as a browser plugin and Java installed on the client OS as used by other software (not through the browser), and specifically advocates completely eliminating it from the client environment, with a reference to an OS X exploit that did not require Java to be enabled in the browser.
We've made it a standard procedure to only install Java on computers which absolutely need it, and, in those specific cases, the users have explicit instructions to only use Internet Explorer for the specific sites which require the specific version combination of Java and IE installed on their computers, and that all other web browsing should be done in Firefox and/or Chrome (all other users are told never to use IE). In cases where Java is used for other applications, it is managed by campus-wide patch management and completely disabled in the browsers. Unfortunately, this doesn't stop these people from being infected by malware which disguises itself as Java updates (though, honestly, not having Java on someone's computer doesn't stop that, either, if the malware doesn't require Java). We use a very similar policy for Adobe Flash, which alternates with Java as the primary vector for infections.
