Drop Java despite security patches, warn experts
Posted on 14 Jan 2013 at 08:38
Oracle has released an emergency update to its Java software, but security experts said it fails to protect PCs from attack.
The software maker released the update just days after the US Department of Homeland Security urged PC users to disable Java because of bugs in the software that were being exploited to commit identity theft and other crimes.
Oracle's failure to quickly secure the software means that PCs running Java in their browsers remain vulnerable to attack by criminals seeking to steal credit-card numbers, banking credentials, passwords and commit other types of computer crimes.
Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.
"We don't dare to tell users that it's safe to enable Java again," said Gowdiak.
Some security consultants are advising businesses to remove Java from the browsers of all employees, except for those who absolutely need to use the technology for critical business purposes.
HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified. "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.
An Oracle spokesperson declined to comment.
Oracle said on its security blog on Sunday that its update fixed two vulnerabilities in Java 7.
It said that it also switched Java's security settings to "high" by default, making it more difficult for suspicious programs to run on a PC without the knowledge of the user.
The Department of Homeland Security and computer security experts said last week that hackers figured out how to exploit the bug in a version of Java used with internet browsers to install malicious software on PCs. That has enabled them to commit crimes ranging from identity theft to making infected computers part of ad-hoc networks used to attack websites.
Java is so widely used that the software has become a prime target for hackers. Last year, Java surpassed Adobe's Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.
Java was responsible for half of all cyberattacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28% of all incidents. Microsoft Windows and Internet Explorer were involved in about 3% of incidents, according to the survey.
Meanwhile, Microsoft said on Sunday that it would release an update today to fix a previously disclosed flaw in Internet Explorer 6, 7 and 8 that made PCs vulnerable to attacks in which hackers can gain remote control of the machines. Microsoft previously released a temporary fix to prevent such attacks.
"Folks don't really need Java on their desktop," Moore said.
Except perhaps folks who want to use really obscure services like WebEx.
There is a far more rational point of view here:
By TBennett on 14 Jan 2013
I use various websites which won't work unless Java is installed. Moore should be telling web designers to create websites that don't use Java, instead of telling people just to abandon it.
By KlingonBatleth on 14 Jan 2013
A lot of the B2B portals I have to use, use Java. That means I have to have Java on my machine.
On the other hand, I can install more than one browser on the machine.
I have Java disabled by default in my main browser, for the B2B sites, I use a second browser with Java enabled.
By big_D on 14 Jan 2013
Almost forgot, players of Minecraft will also not want to uninstall Java!
By big_D on 14 Jan 2013
As a hobbyist Java developer I'm really struggling to understand why Java's release cycle is done on a rigid quarterly update cycle. And trawling through the OpenJDK source repository suggests that some patches are taking from August 2012 to April 2013 to land in the release build for OS X, at least. It's a very corporate way of proceeding, and I wonder if it's the right policy for widely distributed software like Java. It's good though that at least the process is open to public scrutiny.
By c6ten on 14 Jan 2013