The Register®

Biting the hand that feeds IT

Comments on: JavaScript in web browsers is new security weak spot

Missing the point 

Posted Thursday 17th May 2007 14:33 GMT

"It is really hard to see the difference between what Ajax is supposed to do and what is an attack from hijacking JavaScript,"

Really? Because what typifies a well-formed AJAX request is that it is an individual request with parameters that match the schema offered by the server. For an attack to actually work as an attack, it would have to be either a significant number of requests, or have specifically malformed parameters, or both. I wouldn't hire a programmer who couldn't craft a server app to check for well-formedness, and I wouldn't pay a security pro who couldn't identify a significant increase in traffic as a problem.

"Potentially it provides a bridge between external internet applications and internal intranet applications behind the firewall."

Only when implemented by a moron who doesn't understand what AJAX is or what it's for. AJAX is simply the use of Javascript code to request information through web protocols. As such, it runs on the client (read: any machine connected to the internet). So to use AJAX as a bridge to your intranet, you'd have to open said intranet up to everyone and everything.

Also, Javascript code must at some point be readable to the client, which means that hackers can and will get at the source code. So putting anything you want to keep private in Javascript is a mistake.

EVERY system is insecure when implemented unwisely.

Nothing new 

Posted Thursday 17th May 2007 18:34 GMT

Javascript, like Java, has been a browser security hole since the mid-90s. There has, to my knowledge, never been a formal validation of the security of either.

People with any sense (or paranoia) turn off both as well as most of the standard add-ons.

Turning off Javascript 

Posted Friday 18th May 2007 02:30 GMT

Yeah, let me know how that works for you. :-)

If you're a working stiff like myself, your employer probably requires you to leave your browser in "complete web-slut" mode to do your job. If you are _lucky_, you only need to turn it on to check that your payroll deposit was made, apply for vacation, change or even check your health-care benefits, fill in your status reports, etc. If not so lucky, pretty much every document you need is behind a "content management system" that makes Arthur Dent's little adventure finding his demolition notice look like a walk in the park. OK, Central Park, at night, but still...

almost too obvious!

Posted Sunday 20th May 2007 00:01 GMT

As I truly share the thoughts of the previous commenters, I think this could truly pose a threat as being one of those things too obvious to detect.

Javascript != Java 

Posted Wednesday 23rd May 2007 19:41 GMT

This news item is about Javascript; it isn't about Java. It should be under "Scripting" instead of "Java/J2EE".
