Homeland Security warns Java still poses risks after security fix


Summary: UPDATED: After a security fix to patch Java 7 from a massive security vulnerability, the U.S. Department of Homeland Security has reiterated its warning that Java still poses risks.

TOPICS: Security, Oracle

The U.S. Department of Homeland Security has reiterated its warning to Java users that the widely used Web plug-in still poses risks for Internet users, even after Oracle patched the software to prevent hackers from exploiting a zero-day vulnerability.


It comes as some security experts are warning that the new software -- Java 7 (Update 11), which was released on Sunday -- may not actually protect against hackers attempting to remotely execute code on user machines.

This code, security experts warn, could be used to acquire personal information and steal identities, or subscribe machines to 'botnets,' which can then be used to hit networks and Web sites with denial-of-service attacks.

Homeland Security said in an updated note that it is reiterating the advice it gave last week, in spite of Oracle updating the Java software with a security fix intended to prevent machines from being attacked by hackers.

The note said: "Unless it is absolutely necessary to run Java in Web browsers, disable it [...] even after updating to [Update 11]."

Homeland Security warned on Friday that Internet users should disable the Web plug-in as soon as possible, to prevent being attacked by hackers or malware. While it's not uncommon for a government department to notify users of threats, advising users to actively disable or uninstall software is rare.

Java is used in more than 850 million PCs and Macs, along with billions of devices around the world, including cars, Blu-ray players, and mobile devices. The reason why the U.S. government stepped in, along with security experts and anti-malware companies, to warn users is because the zero-day vulnerability was being exploited in the wild by hackers and malware writers.

Experts and researchers have warned that fixing the zero-day exploit "could take two years." Rapid7 chief security officer HD Moore told the Reuters news agency that it could take this long for Oracle to fix the flaws found in Java -- not including any further exploits or vulnerabilities that are found in the meantime.

"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," he said.

Update at 3:45 p.m. ET: Oracle told ZDNet in a statement: "Oracle has released Security Alert CVE-2013-0422 to address the flaw in Java software integrated with Web browsers. This is a blog that discusses when the bug was reported and actions that Java users need to take to secure their systems."

  • just as I said

    Use Android instead, or native apps. Oracle cannot be trusted as long as it does not support FOSS.
    Linux Geek
    • You do realize that

      Android is based on java too right? I like Android, but seriously, you're trolling, not giving any real advice. Why?
      • The problem isn't with Java itself.

        Java is merely the programming language. The problem is Oracle's horrible implementation of a JVM (Java Virtual Machine), on which the Java code (or more specifically, the bytecode compiled from it) runs. No one has clarified whether or not this affects users of OpenJDK (the default JVM on most non-Oracle Linux distros), nor is this believed to affect Dalvik (Android) users.
        • Red Hat confirms OpenJDK is affected.

          • Dalvik likely isn't

            As it does not implement a standard JVM and was clean-roomed.

            Besides, its browser is C-based, and the other vector, Google Play, lets you put your own code on the phone, but it has to go through curation. That means malware will work as it always has for Android - subtle Trojan payloads built right into the app.
          • Google Play isn't really curated

            Sorry to break it to you, but Google Play isn't exactly curated. Submit an app, and it will be live within a few hours (probably dependent on some periodic batch process). Try submitting an app to Amazon or Barnes & Noble, on the other hand, and it will take days or weeks. That is curation.
          • By that logic, ...

            ... the best curation would lie in keeping it off the market forever (true, but useless).
        • While good intentioned, you are horribly wrong.

          The problem IS NOT the JVM, not even close. The problem is Java Applets, and how they are still allowed to run in the web browser (without user permission). Java is a server/desktop programming language and can do some incredibly powerful things, such as manipulate your local filesystem, etc. This is something a web-embedded language SHOULD NOT BE ABLE TO DO!

          Java Applets tried to fix this vulnerability by "sandboxing" the applets. But the problem is, if someone can break out of the sandbox, then they have a fully functional programming language at their disposal... to do nasty things.

          Get Java out of the browser. Plain and simple. For now until Oracle decides to do this for us, at least disable it in your browser!
          Jason Sipula
      • "Based on" is not "the same as"

        @KBot, you are aware that "based on" does NOT mean "same as", right?

        Being both a Java and Android developer, I can tell you it's not the same in many low-level and technical ways which aren't significant here.

        The point that Linux Geek was trying to make is this :

        Under Sun Microsystems, Java (as a technology) benefited from being a Community-based platform because there were TONS of experts from all related fields working on it together.

        However, ever since it became a proprietary product owned by Oracle, it has SUFFERED from being limited to only being quality checked by Oracle.

        And that's why we have the situation we have right now.

        Even the turnaround time on fixes is MUCH slower now, because there are only Oracle resources working on it, and they obviously have a lot on their plates at any given time.

        Oracle was "smart" in buying Sun Microsystems because they got both Java and MySQL in the deal.
        However, they didn't maintain the core ideals that Java was created with in mind.

        So, as Linux Geek said, if Oracle actually supported FOSS, and allowed Java to be more Community-based we'd have a much higher quality of releases.
        • Thank you

          for adding some intelligence to the conversation. :-)
        • I would agree completely.

          You are quite correct in your assessment. Many products created in the computer industry were quite good in their initial release, especially if they were based on an open source model. What happens frequently is that when the company is bought out the software is made proprietary and redesigned into essentially crapware that isn't worth buying, no matter how good it was originally. The price goes up and quality goes down because the originators had a superbly marketable idea that the buyers cashed in on solely to make a PROFIT, not SOFTWARE.
        • Darkne55 dead on

          I started using Java for a living w/ JDK 1.1.5 (not 1.5, not a typo). 1998 until just recently vulnerabilities w/ the JVM never crossed my mind. But after the Big O got control of Java it has steadily gone downhill. Case-in-point: Sun never called EOL support for the version immediately preceding the current release. It is fairly obvious the Big O is not interested in supporting Java because there is no huge direct monetary reward for supporting Java.

          With companies like the Big O the concept of a developer community is not part of the corporate thinking.

          When is the last time someone read the mission statement for a large corporation that included references to the so-called developer community?
    • Use Android

      Exactly. We should all listen to Linux Geek and use Android instead of Internet Explorer or Firefox or Chrome. This is what I've been telling people for years; recently I uninstalled Internet Explorer on my parents' computers and installed Android. They're so much happier now!
      Koopa Troopa
      • How to uninstall IE

        Exactly how do you uninstall Internet Explorer from Windows machines? IE is an integral part of the OS, and you can't really uninstall all of it. What do you really mean by installing Android? Are you installing Android on a PC?
        • Sarcasm

          Sorry, I thought the sarcasm was pretty clear. Perhaps I should have labeled it.
          Koopa Troopa
          • Great

            You got me there...! I believe there's a better way to get rid of all those security issues: just ask the president to activate the infamous "Internet Kill Switch"... That way we all will be safe...
          • Perhaps..

            You missed the sarcasm based on personal biases? Nooo... not you.

        • Probably you are new here.

          @bkoop87's statement is sarcasm clearly.
          Ram U
      • What?

        Android is an OS (which could include a native browser); IE is a browser, designed to run in the Windows OS environment. What OS is your parents' PC running? What browser is on your parents' PC? And how does any particular browser make your parents "happier"? Your comments don't make sense. And this particular article concerns the Java RTE, NOT JavaScript or related stuff. Yes, the Java RTE might be accessed from some web app, but it is certainly not the same as JavaScript!
        • yes, you have to be clearer with the sarcasm!

          If you look through blog comments, there are a lot of truly clueless entries, along with the inevitable shills/trolls (and related idiots!). So yes, please be careful with sarcasm, as some might think it's just another clueless post!

          BTW, just follow the instructions in the linked article, and disable Java in the browser.