Drop Java despite security patches, warn experts

Security threat

By Reuters

Posted on 14 Jan 2013 at 08:38

Oracle has released an emergency update to its Java software, but security experts said it fails to protect PCs from attack.

The software maker released the update just days after the US Department of Homeland Security urged PC users to disable Java because of bugs in the software that were being exploited to commit identity theft and other crimes.

Oracle's failure to quickly secure the software means that PCs running Java in their browsers remain vulnerable to attack by criminals seeking to steal credit-card numbers, banking credentials, passwords and commit other types of computer crimes.

Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

"We don't dare to tell users that it's safe to enable Java again," said Gowdiak.

Some security consultants are advising businesses to remove Java from the browsers of all employees, except for those who absolutely need to use the technology for critical business purposes.

HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified. "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.

An Oracle spokesperson declined to comment.

Oracle said on its security blog on Sunday that its update fixed two vulnerabilities in Java 7.

It said that it also switched Java's security settings to "high" by default, making it more difficult for suspicious programs to run on a PC without the knowledge of the user.

The Department of Homeland Security and computer security experts said last week that hackers had figured out how to exploit the bug in the version of Java used with internet browsers to install malicious software on PCs. That has enabled them to commit crimes ranging from identity theft to making infected computers part of ad-hoc networks used to attack websites.

Java is so widely used that the software has become a prime target for hackers. Last year, Java surpassed Adobe's Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.

Java was responsible for half of all cyberattacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28% of all incidents. Microsoft Windows and Internet Explorer were involved in about 3% of incidents, according to the survey.

Meanwhile, Microsoft said on Sunday that it would release an update today to fix a previously disclosed flaw in Internet Explorer 6, 7 and 8 that made PCs vulnerable to attacks in which hackers can gain remote control of the machines. Microsoft previously released a temporary fix to prevent such attacks.

User comments

"Folks don't really need Java on their desktop," Moore said.

Except perhaps folks who want to use really obscure services like WebEx.

There is a far more rational point of view here:

By TBennett on 14 Jan 2013

I use various websites which won't work unless Java is installed. Moore should be telling web designers to create websites that don't use Java, instead of telling people just to abandon it.

By KlingonBatleth on 14 Jan 2013

B2B Portals

A lot of the B2B portals I have to use, use Java. That means I have to have Java on my machine.

On the other hand, I can install more than one browser on the machine.

I have Java disabled by default in my main browser; for the B2B sites, I use a second browser with Java enabled.

By big_D on 14 Jan 2013


Almost forgot, players of Minecraft will also not want to uninstall Java!

By big_D on 14 Jan 2013

As a hobbyist Java developer I'm really struggling to understand why Java's release cycle is done on a rigid quarterly update cycle. And trawling through the OpenJDK source repository suggests that some patches are taking from August 2012 to April 2013 to land in the release build for OS X, at least. It's a very corporate way of proceeding, and I wonder if it's the right policy for widely distributed software like Java. It's good though that at least the process is open to public scrutiny.

By c6ten on 14 Jan 2013
