Do these "insanely locked down" Windows have a browser and does that browser enable Java applets?
The 0-days affecting Java lately have all been using Java applets and drive-by exploits. I'm not saying it's not pathetic and lame for Java's security track record, but it's not either as if your company was vulnerable to remote exploits in the case Java applets are not allowed in browsers.
I'm running Java webapp servers and I've been really pissed off that I needed to patch against remote Denial of Service exploits (the hashmap / URL query parameters degenerating to O(n) instead of O(1) SNAFU and the "endless loop" while parsing a certain floating-point number) in late 2011 / early 2012 IIRC, but basically that's it.
The JVM is still incredibly secure on the server side (and can be installed on Unx systems in a user account, without needing to be root -- meaning that you can then lock down like mad that user account and have an even more secure setup).
Now to be honest, if your company was truly paranoid they wouldn't be using old versions of Windows with in-house brittle hacks supposedly bringing "more security".
I know that all too well (at Dexxia for example): some people somewhere decide on a shitty technology (Dexxia was at one point using shitty Java applets to allow clients to do online banking) and then say "We're going to have the most secure system ever".
So these guys think* they're paranoid but they're using: a) Windows and b) Java applets.
And at this point you have to wonder if you should laugh or cry at their definition of "paranoid".
People really paranoid about security ain't letting Windows in (unless they like NSA backdoors and consider patch-tuesday to be a reliable way to execute) and ain't letting Java applets in.
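The query-parameter hash-collision DoS mentioned in the post above was fixed in servlet containers by bounding the request before anything reaches a HashMap (Tomcat, for instance, added a maxParameterCount connector attribute). The parser below is an added illustration of that mitigation, not code from the thread or from any container; the limits (1000 parameters, 64 KiB) are constructed for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/** Query-string parser that bounds the work a request can force into a HashMap. */
public final class BoundedQueryParser {
    // Constructed limits for this example; real containers expose similar
    // knobs (e.g. Tomcat's maxParameterCount). Tune to the application's needs.
    private static final int MAX_PARAMS = 1000;
    private static final int MAX_QUERY_CHARS = 64 * 1024;

    public static Map<String, String> parse(String query) {
        if (query == null || query.isEmpty()) return new HashMap<>();
        if (query.length() > MAX_QUERY_CHARS) {
            throw new IllegalArgumentException("query string too long: " + query.length());
        }
        // Count separators first so an oversized request is rejected before a
        // single key is inserted: with colliding String.hashCode values every
        // insert degrades to O(n), i.e. O(n^2) CPU for one request.
        int count = 1;
        for (int i = 0; i < query.length(); i++) {
            if (query.charAt(i) == '&') count++;
        }
        if (count > MAX_PARAMS) {
            throw new IllegalArgumentException("too many parameters: " + count);
        }
        Map<String, String> params = new HashMap<>(count * 2);
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    public static void main(String[] args) {
        // Ordinary request: parsed normally.
        System.out.println(parse("user=alice&mode=view"));
        // Constructed oversized request: rejected before any map insertion.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 5000; i++) sb.append("k").append(i).append("=v&");
        try {
            parse(sb.toString());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The cap is deliberately applied on the raw string, so the cost of a rejected request is one linear scan rather than thousands of hash-table operations.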
However, I really don't want to go too far into a former client's site details, just to say it was a laughably big gaping hole, one that is really quite common in a lot of large enterprises. (It was also completely separate from my domain there.)