We've seen the odd Java & IE 0day, but you're going to have to back up the 70% figure if you want me to take you seriously.
The silent background Flash updater checks for security updates every 24 hours, and installs the updates silently. A reboot isn't required. http://blogs.adobe.com/spohl/2012/03/30/hello-adobe-...
If there's an exploit in the wild and a vendor releases a patch, it's going to have a huge impact on the malware's ability to spread. This is why we're seeing an increase in the popularity of apps like Secunia CSI & PSI. The AV industry regularly pushes patching advice on their blogs. Mozilla and Google block out-of-date plugins for the same reason.
Some people disabled UAC, the ignorant ones! In reality, all they had to do was tweak the notification bar a little. Firefox is always targeted, which is why Mozilla continues to push security updates and work on useful features such as automatic blocking of out-of-date plugins and background updates. FF has a much better security track record than IE, and is more secure because of this.
Sure, some companies might want to vet the odd update. We've seen a lot of the industry move to patching solutions such as Secunia PSI because they've had a lot of success. AV doesn't always protect against old obfuscated Java exploits; patching usually does. A lot of the time, if a company waits too long, they'll get 0wned. I'd rather experience a little stress after ironing out a couple of user complaints than the stress of clearing up a huge malware infection because I waited too long to patch my network.



Zadeks