Oracle Releases Java Fix, But Department of Homeland Security Still Recommends Disabling
Your options for coping with the Java bugs
Oracle has released a patch to address security problems with Java. But the Department of Homeland Security Cybercommunication and Security Office (CERT) is still recommending that users disable the widely used program altogether. And some other security experts are warning that Java is so flawed it could take years to make it secure.
Because Java is on so many machines — about a billion, according to Oracle — it has become the most common target for malicious hackers looking for defects. Hackers are passing around information about how to use the vulnerability to take over their victims’ computers, gaining access to their email, online banking passwords, and anything else stored there.
Here’s what CERT has to say about the Java fix:
Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe vulnerability (CVE-2012-3174). Java 7u11 sets the default Java security settings to “High” so that users will be prompted before running unsigned or self-signed Java applets.
Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
From the San Jose Mercury News:
HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web. “The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop,” Moore said.
But some experts seem to have confidence in the patch. From Information Week:
Veteran Java bug hunter Adam Gowdiak, who heads Security Explorations, confirmed via email Monday that Oracle’s fix is sound. “The version released [Sunday] blocks the recent Java 0-day exploit code,” he said.
Java helps various programs communicate with each other. The casual user might only notice that features on some websites don’t work in their internet browser. But some businesses have built systems that depend on Java. So here are the options:
- Download the latest Java updatefrom Oracle’s Website.
- Disable Java with these step-by-step instructions, also from Oracle.
- Use Java with precautions described by Computerworld.