Drop Java despite security patches, warn experts

14 Jan 2013
Security threat

Oracle's attempts to patch up Java don't go far enough, say security experts

Oracle has released an emergency update to its Java software, but security experts said it fails to protect PCs from attack.

The software maker released the update just days after the US Department of Homeland Security urged PC users to disable Java because of bugs in the software that were being exploited to commit identity theft and other crimes.

Oracle's failure to quickly secure the software means that PCs running Java in their browsers remain vulnerable to attack by criminals seeking to steal credit-card numbers, banking credentials and passwords, and to commit other types of computer crime.

Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

"We don't dare to tell users that it's safe to enable Java again," said Gowdiak.

Some security consultants are advising businesses to remove Java from the browsers of all employees, except for those who absolutely need to use the technology for critical business purposes.

HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified. "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.

An Oracle spokesperson declined to comment.

Oracle said on its security blog on Sunday that its update fixed two vulnerabilities in Java 7.

It said that it also switched Java's security settings to "high" by default, making it more difficult for suspicious programs to run on a PC without the knowledge of the user.

The Department of Homeland Security and computer security experts said last week that hackers had figured out how to exploit the bug in a version of Java used with internet browsers to install malicious software on PCs. That has enabled them to commit crimes ranging from identity theft to making infected computers part of ad-hoc networks used to attack websites.

Java is so widely used that the software has become a prime target for hackers. Last year, Java surpassed Adobe's Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.

Java was responsible for half of all cyberattacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28% of all incidents. Microsoft Windows and Internet Explorer were involved in about 3% of incidents, according to the survey.

Meanwhile, Microsoft said on Sunday that it would release an update today to fix a previously disclosed flaw in Internet Explorer 6, 7 and 8 that made PCs vulnerable to attacks in which hackers can gain remote control of the machines. Microsoft previously released a temporary fix to prevent such attacks.
