The U.S. Department of Homeland Security has reiterated its warning to Java users that the widely used Web plug-in still poses risks for Internet users, even after Oracle patched the software to prevent hackers from exploiting a zero-day vulnerability.
It comes as some security experts are warning that the new software -- Java 7 (Update 11) -- may not actually protect against hackers attempting to remotely execute code on user machines.
This code, security experts warn, could be used to acquire personal information and steal identities, or subscribe machines to 'botnets,' which can then be used to hit networks and Web sites with denial-of-service attacks.
Homeland Security said in an updated note that it is reiterating the advice it gave last week, in spite of Oracle updating the Java software to include a security fix that would prevent machines from being attacked by hackers.
The note said: "Unless it is absolutely necessary to run Java in Web browsers, disable it [...] even after updating to [Update 11]."
Homeland Security said that Internet users should disable the Web plug-in as soon as possible, to prevent being attacked by hackers or malware. While it's not uncommon for a government department to notify users of threats, advising users to actively disable or uninstall software is rare.
Java is used on personal computers, along with billions of devices around the world, including cars, Blu-ray players, and mobile devices. The reason why the U.S. government stepped in, along with security experts and anti-malware companies, to warn users is because the zero-day vulnerability was being exploited in the wild by hackers and malware writers.
Experts and researchers have warned that Oracle will need a long time to fix the flaws found in Java -- not including any further exploits or vulnerabilities that are found in the meantime. Rapid7 chief security officer HD Moore made the same point to the Reuters news agency.
"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," he said.
Update at 3:45 p.m. ET: Oracle told ZDNet in a statement: "Oracle has released Security Alert CVE-2013-0422 to address the flaw in Java software integrated with Web browsers. This is a blog that discusses when the bug was reported and actions that Java users need to take to secure their systems."