Out of curiosity, how would you put malicious code on a legit site? Do they need to hack into the web server to do it or is there other ways around it?

- Compromise the advert server, altering the javascript served by the advert
- Exploit a vulnerability in a script running on a webserver (Wordpress, Joomla, etc).
- Exploit a vulnerability in out-of-date software running on a server (Apache, PHP, etc)

Lots of points of entry.

In the latest Sophos newsletter there is an item :- Protect against latest Java zero-day vulnerability right now: Mal/JavaJar-B
http://nakedsecurity.sophos.com/2013/01/10/protect-y... which is in broad agreement with many other warnings.

I have un-installed Java and so far the only downside is not being able to use the usual tbb speedtest. The flash-based test seems just as good but I can't see how to log my results.
I miss the ability to view results as a graph which I find useful to get an over-view of results.

To add to our potential gloom, Sophos has posted this :-

"Vulnerability reported in Foxit PDF plugin for Firefox - how to mitigate it"
http://nakedsecurity.sophos.com/2013/01/11/vulnerabi...

We live in interesting times!

Thing is every piece of software will have vulnerability, but usually they're patched pretty quickly. Java release the next lot of regular fixes on the 15, so probably will have this issue fixed too...until the next time

There is a new Java release available http://www.neowin.net/news/java-runtime-environment-...

Unlike Chrome, Adobe Flash & Reader, Java doesn't have a built-in automatic background update facility. This is why it is one of the most exploited pieces of software.

Just had Java 7 u11 installed. Is that OK?

Er, no, apparently not.

http://www.forbes.com/sites/andygreenberg/2013/01/13...

http://uk.reuters.com/article/2013/01/13/java-oracle...

Ahh, the old "I don't use it, so no one should" solution.

I'm using it though, but it's not safe.