KQED is a proud member of
Save ArticleSave Article
upper waypoint
News Fix

Oracle Releases Java Fix, But Department of Homeland Security Still Recommends Disabling

Laird Harrison
Save ArticleSave Article
Failed to save article

Please try again

Oracle has released a patch to address security problems with Java. But the Department of Homeland Security Cybercommunication and Security Office (CERT) is still recommending that users disable the widely used program altogether. And some other security experts are warning that Java is so flawed it could take years to make it secure.

Because Java is on so many machines -- about a billion, according to Oracle -- it has become the most common target for malicious hackers looking for defects. Hackers are passing around information about how to use the vulnerability to take over their victims' computers, gaining access to their email, online banking passwords, and anything else stored there.

Here's what CERT has to say about the Java fix:

Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe vulnerability (CVE-2012-3174). Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.

From the San Jose Mercury News:

HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web. "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.

But some experts seem to have confidence in the patch. From Information Week:

Veteran Java bug hunter Adam Gowdiak, who heads Security Explorations, confirmed via email Monday that Oracle's fix is sound. "The version released [Sunday] blocks the recent Java 0-day exploit code," he said.

Java helps various programs communicate with each other. The casual user might only notice that features on some websites don't work in their internet browser.  But some businesses have built systems that depend on Java. So here are the options:

Sponsored

lower waypoint
next waypoint
California Legislature Halts 'Science of Reading' Mandate, Prompting Calls for Thorough ReviewProtesters Shut Down I-880 Freeway in Oakland as Part of 'Economic Blockade' for GazaForced Sterilization Survivors Undertake Own Healing After Feeling 'Silenced Again' by StateHalf Moon Bay Prepares to Break Ground on Farmworker HousingRecall of Alameda County District Attorney Pamela Price Qualifies for a VoteHow Aaron Peskin Shakes Up S.F.’s Mayoral RaceSilicon Valley Readies for Low-Simitian House Race Recount — but How Does It Work?Feds Abruptly Close East Bay Women’s Prison Following Sexual Abuse ScandalsTesla to Lay Off 10% of Workforce Amid Sluggish Salesare u addicted to ur phone