KQED is a proud member of
Save ArticleSave Article
upper waypoint
News Fix

Oracle Releases Java Fix, But Department of Homeland Security Still Recommends Disabling

Laird Harrison
Save ArticleSave Article
Failed to save article

Please try again

Oracle has released a patch to address security problems with Java. But the Department of Homeland Security Cybercommunication and Security Office (CERT) is still recommending that users disable the widely used program altogether. And some other security experts are warning that Java is so flawed it could take years to make it secure.

Because Java is on so many machines -- about a billion, according to Oracle -- it has become the most common target for malicious hackers looking for defects. Hackers are passing around information about how to use the vulnerability to take over their victims' computers, gaining access to their email, online banking passwords, and anything else stored there.

Here's what CERT has to say about the Java fix:

Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe vulnerability (CVE-2012-3174). Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.

From the San Jose Mercury News:

HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web. "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.

But some experts seem to have confidence in the patch. From Information Week:

Veteran Java bug hunter Adam Gowdiak, who heads Security Explorations, confirmed via email Monday that Oracle's fix is sound. "The version released [Sunday] blocks the recent Java 0-day exploit code," he said.

Java helps various programs communicate with each other. The casual user might only notice that features on some websites don't work in their internet browser.  But some businesses have built systems that depend on Java. So here are the options:

Sponsored

lower waypoint
next waypoint
Stunning Archival Photos of the 1906 Earthquake and FireWhy Nearly 50 California Hospitals Were Forced to End Maternity Ward ServicesSan Francisco Sues Oakland Over Plan to Change Airport NameDemocrats Again Vote Down California Ban on Unhoused EncampmentsFederal Bureau of Prisons Challenges Judge’s Order Delaying Inmate Transfers from FCI DublinFirst Trump Criminal Trial Underway in New YorkCould Protesters Who Shut Down Golden Gate Bridge Be Charged With False Imprisonment?Jail Deaths Prompt Calls To Separate Coroner And Sheriff's Departments In Riverside CountyDespite Progress, Black Californians Still Face Major Challenges In Closing Equality GapThe Beauty in Finding ‘Other People’s Words’ in Your Own