This was a zero day in the JVM. It could very well have been a zero day in the browser or the OS, if someone was determined enough. I'm not sure the problem can be solved purely with technology.
>Visitors were prompted to execute a signed Java applet that in turn launched an attack that enabled the team to use privilege escalation exploits and thereby gain administrative rights.
This was purely a social engineering attack. Even if their JVMs were all fully up to date, they would have fallen victim to it. Assuming this test was done recently, they would have to get through this prompt: http://www.mendoweb.be/blog/wp-content/uploads/2013/04/self-...
If this test was done a while ago, they would still have to go through a similar prompt, though it didn't have the scary red letters back then.
This is pure user ignorance in this case, especially considering this was supposedly an organization that deals with computer security.
That being said, however, any good organization should be monitoring things like Java applets accessed by employees, and they should receive alerts upon events like "EXE or binary type file downloaded by a Java applet" (though this kind of signature can possibly be bypassed if the pentesters were smart).
I work for a medium-sized company, and we would've caught something like this fairly quickly, even if the user did get infected. We check a list of all Java applets loaded by users every 12 hours. And we have various rules in place to look for malicious applet behavior, in addition to our regular screening.
Disabling Java applets is the safest solution, but unfortunately many enterprise applications still run as Java applets or JNLPs.
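As an added illustration of the kind of monitoring this comment describes (example code written for this page, not anything from the commenter's organization or from the original thread): a small Python detector that builds the periodic inventory of applets loaded per user and raises an alert when a Java client fetches an executable or opaque binary. The proxy log format, user names, hosts and the 12-hour window are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines (not real data). Assumed format:
# timestamp user method url status content-type "user-agent"
SAMPLE_LOG = """\
2013-04-20T09:12:01 alice GET http://intranet.example/apps/timesheet.jar 200 application/java-archive "Java/1.7.0_21"
2013-04-20T09:12:03 alice GET http://intranet.example/apps/Timesheet.class 200 application/octet-stream "Java/1.7.0_21"
2013-04-20T10:05:44 bob GET http://203.0.113.7/update/loader.jar 200 application/java-archive "Java/1.7.0_21"
2013-04-20T10:05:47 bob GET http://203.0.113.7/update/svchost.exe 200 application/x-msdownload "Java/1.7.0_21"
2013-04-20T10:06:10 bob GET http://203.0.113.7/update/payload.bin 200 application/octet-stream "Java/1.7.0_21"
2013-04-20T11:30:00 carol GET http://download.example/tool.exe 200 application/x-msdownload "Mozilla/5.0 (Windows NT 6.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)

APPLET_EXTS = ('.jar', '.class', '.jnlp')
EXEC_EXTS = ('.exe', '.dll', '.scr', '.msi', '.com')
# Content types commonly used for Windows PE files
EXEC_CTYPES = {'application/x-msdownload', 'application/x-dosexec',
               'application/vnd.microsoft.portable-executable'}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y-%m-%dT%H:%M:%S')
    rec['path'] = rec['url'].split('?', 1)[0].lower()   # ignore query string
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_java_client(rec):
    # The JRE identifies itself as "Java/<version>" when an applet fetches a URL
    return rec['ua'].startswith('Java/')


def applet_inventory(records, since, hours=12):
    """Applet code (.jar/.class/.jnlp) loaded per user in one review window."""
    end = since + timedelta(hours=hours)
    inv = defaultdict(set)
    for r in records:
        if since <= r['ts'] < end and is_java_client(r) and r['path'].endswith(APPLET_EXTS):
            inv[r['user']].add(r['url'])
    return {u: sorted(v) for u, v in inv.items()}


def binary_download_alerts(records):
    """Alert on executables or opaque binaries fetched by a Java client.

    Only successful fetches by the JRE count; a browser downloading an .exe
    is a different (and much noisier) rule. Applet code itself is not alerted,
    it goes into the inventory instead.
    """
    alerts = []
    for r in records:
        if not is_java_client(r) or r['status'] != '200':
            continue
        if r['path'].endswith(APPLET_EXTS):
            continue
        if r['ctype'] in EXEC_CTYPES or r['path'].endswith(EXEC_EXTS):
            alerts.append((r['user'], r['url'], 'executable fetched by Java client'))
        elif r['ctype'] == 'application/octet-stream':
            alerts.append((r['user'], r['url'], 'opaque binary fetched by Java client'))
    return alerts


def demo():
    """Run both checks over the constructed sample; window start is assumed."""
    recs = parse_log(SAMPLE_LOG)
    return applet_inventory(recs, datetime(2013, 4, 20)), binary_download_alerts(recs)


if __name__ == '__main__':
    inventory, alerts = demo()
    for user, urls in sorted(inventory.items()):
        print(f'{user}: {len(urls)} applet file(s) loaded: {urls}')
    for user, url, reason in alerts:
        print(f'ALERT {user} {url} ({reason})')
```

On the sample, bob's `svchost.exe` and `payload.bin` fetches are flagged while carol's browser download and alice's legitimate applet are not. The rule is easy to evade, as the comment notes: a pentester who serves the payload with `Content-Type: image/jpeg` and a harmless file name slips past both branches, which is why this belongs alongside a list of which applets were loaded rather than standing alone.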
>but unfortunately many enterprise applications still run as Java applets or JNLPs.
It's not unfortunate that applets or JNLP are used, it's unfortunate that Oracle have a pretty spotty track-record with JVM security lately. But applets and JNLP are actually pretty cool and useful technology, in and of themselves. I just wish Oracle would get their act together...