On Mon, Nov 29, 2010 at 11:10 PM, Platonides Platonides@gmail.com wrote:
> Note that you can't simply check (or reverse-engineer) that JVM X doesn't treat it as a jar, since it could be detected in X-1 or X+1. So there should be a range of still-in-use JVMs to assert.
I run my own IT support company, and I've seen both private and company clients running three-year-old Java and Flash versions; of course the machines had a load of malware on them (which was the reason I got called). The problem is, you've got a lot of users out there who are confused by the update messages or by the Windows UAC launching with every update, as they get a LOT of lookalike messages from sites like kino.to and now are confused about what is real and what is not. Securing against the "most in use JVM/PDF/Flash/whatever" version is pointless, as you have to cover around three years of version history, if not more. For OpenOffice clients it's even worse, as some companies introduce their own private patch sets. I haven't seen this until now, but I've never been at really big companies where this is actually likely to happen.
Marco
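Platonides' point above is that a check tied to how one JVM version parses a file can't be trusted, since the next or previous version may parse it differently. A version-independent check on the defender's side, added here as an example (not code from this thread or from any project discussed in it), is to look for the ZIP container structure itself anywhere in an uploaded file: an end-of-central-directory record whose offsets land on a real central-directory entry, which is what every ZIP/jar reader ultimately relies on regardless of any leading image bytes. The function names and the sample "image with an archive appended" are constructed for this illustration.

```python
import io
import struct
import zipfile

# Record signatures from the ZIP application note (PKWARE APPNOTE).
CENTRAL_HDR = b"PK\x01\x02"
EOCD = b"PK\x05\x06"
EOCD_SIZE = 22        # fixed part of the end-of-central-directory record
CENTRAL_FIXED = 46    # fixed part of a central-directory entry


def find_zip_structure(data: bytes):
    """Return details of a ZIP/jar container found anywhere in `data`, else None.

    ZIP readers locate an archive from its END (the EOCD record), so a file
    that starts with an image header can still be a valid archive.  We scan
    backwards for EOCD candidates and accept one only if its central-directory
    offset really points at a central-directory entry.
    """
    search_end = len(data)
    while True:
        pos = data.rfind(EOCD, 0, search_end)
        if pos < 0:
            return None
        search_end = pos  # on failure, keep scanning backwards
        if pos + EOCD_SIZE > len(data):
            continue
        (_disk, _cd_disk, _entries_disk, entries_total,
         cd_size, cd_offset, _comment_len) = struct.unpack(
            "<HHHHIIH", data[pos + 4:pos + EOCD_SIZE])
        # Readers that tolerate leading junk compute the archive start as
        # (EOCD position - central directory size - central directory offset).
        archive_start = pos - cd_size - cd_offset
        if archive_start < 0:
            continue
        cd_start = archive_start + cd_offset
        if data[cd_start:cd_start + 4] != CENTRAL_HDR:
            continue
        return {
            "archive_start": archive_start,
            "cd_start": cd_start,
            "entries": entries_total,
            "names": _entry_names(data, cd_start, entries_total),
        }


def _entry_names(data: bytes, cd_start: int, entries: int):
    """Walk the central directory and collect member file names."""
    names, off = [], cd_start
    for _ in range(entries):
        if data[off:off + 4] != CENTRAL_HDR:
            break
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, off + 28)
        names.append(data[off + CENTRAL_FIXED:off + CENTRAL_FIXED + name_len]
                     .decode("utf-8", "replace"))
        off += CENTRAL_FIXED + name_len + extra_len + comment_len
    return names


def contains_zip(data: bytes) -> bool:
    """Upload policy helper: True if any ZIP container is present.

    A JVM treats any ZIP as a jar, so the safe policy is to reject uploads
    that carry a container at all, not only ones with META-INF or .class members.
    """
    return find_zip_structure(data) is not None


def build_sample() -> bytes:
    """Constructed test input: a fake PNG prefix followed by a real jar-like ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    png_prefix = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64   # 72 bytes of "image"
    return png_prefix + buf.getvalue()


if __name__ == "__main__":
    info = find_zip_structure(build_sample())
    print("archive starts at byte", info["archive_start"], "members:", info["names"])
```

The check deliberately ignores the file's declared type and whether the file begins with a ZIP local header, because neither is what a ZIP reader uses; only the trailer-anchored central directory is. It also keeps scanning backwards past a stray `PK\x05\x06` that is not followed by consistent offsets, so random bytes in an image do not trigger a false positive.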