The SANS Internet Storm Center remarks on the challenges of fixing Java vulnerabilities, since Sun’s installer only checks once a month by default—based on when you installed it, not on a standard schedule.

Well, it’s worse than that. My Windows 2000 box at work was easy. I just went into Control Panel, opened the Java Plugin, and told it to update. At home, on our Windows XP box, I had to go through multiple reboots just to get the installer started.

It wasn’t XP that was the problem, though: it was Norton Internet Security. First it disabled all network access from Firefox when I installed the new version. Then it blocked access to the Java updater, so whenever I clicked on “Install” it would just disappear instead of launching the installer. I resolved it (for now) by disabling Norton while I did the install…but I had to reboot in order to get as far as the first step again.

Talk about convoluted. Someone has developed a Java applet that will use one browser to install spyware on another. The applet runs in any browser using the Sun Java Runtime Environment—Firefox, Opera, Mozilla, etc.—and if it can convince you to run the installer, it will install spyware on Internet Explorer. And since you can’t remove Internet Explorer from Windows (you can hide it, but it’s always there…waiting), just using an alternative browser isn’t enough to protect you.

Of course, the obvious solution here is to not let it install anything. That’s what the Java sandbox is for, after all: applets run in their own little world and can’t touch the rest of your system unless you let them (or they find a hole in the sandbox, which is why you need to keep Java up to date—just like everything else).

This is a good time to emphasize that while Firefox is still safer than IE, it’s not a magic bullet. There is no magic bullet. You can minimize risk, but never eliminate it.

(via SANS Internet Storm Center)