Java security fix coming 'shortly'; Up to 850m machines at risk

Summary: Java plug-in maker Oracle has said that a fix to a major security vulnerability will be available "shortly," after U.S. Homeland Security warned to disable the software.

A day after the U.S. Department of Homeland Security warned computer users to disable or uninstall Java after a serious security vulnerability was discovered by researchers, Oracle has said that a fix will be made available "shortly."

Oracle, which has developed the Java plug-in software since it acquired Sun Microsystems in 2009, did not give a timeframe in which a fix would be released, though it is expected this coming week.


More than 850 million PCs around the world use Java, according to Oracle, and could be at risk if they do not disable or uninstall the plug-in immediately.

While the flaw was found in Java 7, Oracle told sister site CNET in a statement that the flaw does not exist in older versions of the software.

"Oracle is aware of a flaw in Java software integrated with web browsers. The flaw is limited to [Java Development Kit 7]. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices," a spokesperson told CNET.

In a rare move, the U.S. government warned computer users on Friday to disable the software to prevent hackers and malware writers from taking advantage of the zero-day vulnerability -- which is currently being exploited in the wild.

There are fears that the vulnerability in Java 7 could allow the unauthorized installation of malicious software on machines, which could then be used to harvest personal information and enable identity theft. There is a strong risk that infected computers could become part of a wider "botnet": a network of 'zombie' machines used to carry out denial-of-service attacks on Web sites and networks.

Apple has updated its XProtect definitions list -- the anti-malware service built into OS X -- in a bid to help mitigate any damage caused by the Java flaw. The Cupertino, Calif.-based technology giant has now disabled the OS X plug-in that runs on some Macs. While Apple no longer develops Java for OS X and no longer includes it with new Mac machines, OS X users can still download it from Oracle.

Firefox maker Mozilla has also explained that Firefox users may be vulnerable if they are running Java 7. That said, Mozilla security assurance director Michael Coates touted the "Click to Play" security feature in the popular browser, which requires the user to click to activate a plug-in such as Java, so the plug-in does not load until the user intervenes.

Topics: Security, Oracle

About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.
