Drop Java despite security patches, warn experts
Posted on 14 Jan 2013 at 08:38
Oracle has released an emergency update to its Java software, but security experts said it fails to protect PCs from attack.
The software maker released the update just days after the US Department of Homeland Security urged PC users to disable Java because of bugs in the software that were being exploited to commit identity theft and other crimes.
Oracle's failure to quickly secure the software means that PCs running Java in their browsers remain vulnerable to attack by criminals seeking to steal credit-card numbers, banking credentials and passwords, or to commit other types of computer crime.
Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.
"We don't dare to tell users that it's safe to enable Java again," said Gowdiak.
Some security consultants are advising businesses to remove Java from the browsers of all employees, except for those who absolutely need to use the technology for critical business purposes.
HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified. "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.
An Oracle spokesperson declined to comment.
Oracle said on its security blog on Sunday that its update fixed two vulnerabilities in Java 7.
It said that it also switched Java's security settings to "high" by default, making it more difficult for suspicious programs to run on a PC without the knowledge of the user.
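The setting Oracle describes can also be enforced centrally rather than left to the per-user default. The fragment below is an added example of a system-wide Java 7 deployment.properties file; it is not from the article or from Oracle's documentation. The property names are the ones documented for the Java 7 deployment configuration file (verify them against the JRE version in use); the file's location varies by platform and is not assumed here.

```properties
# Added example (not from the article): system-wide Java 7 deployment.properties.
# Location of this file varies by platform and JRE version.

# Weak setting: the previous default, which let unsigned applets run after a prompt.
# Shown commented out for comparison only.
# deployment.security.level=MEDIUM

# Corrected setting: match the new "high" default and lock it so a user cannot
# lower it again from the Java Control Panel.
deployment.security.level=HIGH
deployment.security.level.locked

# Stronger mitigation for machines that do not need browser Java at all:
# turn the browser plugin off entirely. Java itself stays installed for
# desktop applications; only in-browser applets are blocked.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
```

The `.locked` lines take no value; they make the corresponding option read-only in the Java Control Panel, so the choice made by the administrator survives a user trying to re-enable the plugin for a single site.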
The Department of Homeland Security and computer security experts said last week that hackers figured out how to exploit the bug in a version of Java used with internet browsers to install malicious software on PCs. That has enabled them to commit crimes ranging from identity theft to making infected computers part of ad-hoc networks used to attack websites.
Java is so widely used that the software has become a prime target for hackers. Last year, Java surpassed Adobe's Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.
Java was responsible for half of all cyberattacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28% of all incidents. Microsoft Windows and Internet Explorer were involved in about 3% of incidents, according to the survey.
Meanwhile, Microsoft said on Sunday that it would release an update today to fix a previously disclosed flaw in Internet Explorer 6, 7 and 8 that made PCs vulnerable to attacks in which hackers can gain remote control of the machines. Microsoft previously released a temporary fix to prevent such attacks.
"Folks don't really need Java on their desktop," Moore said.
Except perhaps folks who want to use really obscure services like WebEx.
There is a far more rational point of view here:
By TBennett on 14 Jan 2013
I use various websites which won't work unless Java is installed. Moore should be telling web designers to create websites that don't use Java, instead of telling people just to abandon it.
By KlingonBatleth on 14 Jan 2013
A lot of the B2B portals I have to use, use Java. That means I have to have Java on my machine.
On the other hand, I can install more than one browser on the machine.
I have Java disabled by default in my main browser; for the B2B sites, I use a second browser with Java enabled.
By big_D on 14 Jan 2013
Almost forgot, players of Minecraft will also not want to uninstall Java!
By big_D on 14 Jan 2013
As a hobbyist Java developer I'm really struggling to understand why Java's release cycle is done on a rigid quarterly update cycle. And trawling through the OpenJDK source repository suggests that some patches are taking from August 2012 to April 2013 to land in the release build for OS X, at least. It's a very corporate way of proceeding, and I wonder if it's the right policy for widely distributed software like Java. It's good though that at least the process is open to public scrutiny.
By c6ten on 14 Jan 2013