Homeland Security warns to disable Java amid zero-day flaw

Homeland Security warns to disable Java amid zero-day flaw

Summary: The U.S. Department of Homeland Security is the latest body to warn users to disable Java software amid escalating concerns over a serious, exploitable vulnerability.

SHARE:
186

The U.S. Department of Homeland Security has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw.

Read this

How to disable Java in your browser on Windows, Mac

How to disable Java in your browser on Windows, Mac

Amid a serious security flaw in the latest version of Java 7, where even the U.S. Department of Homeland Security has warned users to disable the plug-in, here's how you do it.

Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Java users should disable or uninstall Java immediately to mitigate any damage.

Java is used by hundreds of millions of Windows, Mac and Linux machines -- along with mobile devices and embedded systems -- around the world to access interactive content or Web applications and services. 

The latest flaw, as earlier reported by ZDNet, is currently being exploited in the wild, security experts have warned. Alienvault Labs have reproduced and verified claims that the new zero-day that exploits a vulnerability in Java 7, according to security expert Brian Krebs.

java-zero-day
Verifying the flaw, security researchers were able to trick the malicious Java applet to execute the Windows calculator. Credit: Alienvault Labs

It's not uncommon for the U.S. government -- or any other government agency -- to advise against security threats, but rarely does an agency actively warn to disable software; rather they offer advice to mitigate such threats or potential attacks, such as updating software on their systems.

Topics: Security, Government US

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

186 comments
Log in or register to join the discussion
  • And this is not front page news on every media outlet because....?

    This makes Y2K look like a church social.
    bobjones2007
    • Because at this point it's only people who dont care about security that

      are still using java. It's not secure enough for commerce and it's not reliable enough for anything mission critical. Add in it's low perf compared to .NET and it's not scalable enough for the cloud, it takes twice as many boxes to service the same load at the same sla. It's only good for teaching kids their first programming language at this point. I hope the teachers are cautioning them that it's just for learning and not suitable for the real world.
      Johnny Vegas
      • Agreed

        Java is over-hyped from very start.
        I will put WPF/WCF from Microsoft as another example of hyped technology - slow and too complex to use.
        FADS_z
        • Too complex?

          Only to the brain dead.
          jackbond
      • Java??

        I haven't heard that name in a very long time. People are still using it? I thought it died out with the last generation companies (RealPlayer, AOL, CompuServ, Lycos, Napster, Netscape, WinAmp, etc)

        I haven't run across anything that requires it for many, many years. Why would you install it? Is it bundled with something popular?
        scophi
        • Haven't seen Java?

          Obviously you don't get on the internet much. Most websites use Java Script.
          lpengrg
          • Java vs. JavaScript

            Don't comment if you don't know what you are talking about! Java and JavaScript are two completely different things! Get informed before shouting to the world!
            mmo_z
          • Chill out.

            Watch out we have the hippest nerd on net here!
            Josh Desmond
          • the Java alert from HSD

            I dis-enabled Java and now I cannot use FB and several other sites where I interact. I get a message saying Java needs to be enabled. Well... now what?
            Rivergull
          • FB doesn't require Java

            I do not have Java installed on my machine and have never had a problem with any social network.

            If you're having problems, there's something else at work.

            (Did you disable JavaScript by mistake? That could indeed cause problems.)
            scophi
          • FB

            I disabled Java and then shared the article on FB to notify all my friends. I had no problem.
            Michael Cleary
        • Education environments

          I know at least one major virtual learning environment depends on Java for some of its main functionality. It is widely used in both UK and US
          cymru999
          • my apologies to the VLE it uses JavaScript

            I think that the vast majority of non technical people reading this treat the two things as synonymous when they are not. The problem is exacerbated by sites which say they use Java when they mean JavaScript there needs IMHO to be clearer name distinction - I am worried that a lot of people will panic an turn off everything with "Java" in it, effectively disabling all sorts of things
            cymru999
        • JAVA... The Living Dead

          Java is only the most widely used language in the world. Just because you never see the backend of a web application, does not mean it does not exist.
          http://spectrum.ieee.org/at-work/tech-careers/the-top-10-programming-languages
          http://www.siliconindia.com/shownews/10_Most_Popular_Programming_Languages-nid-106545-cid-2.html
          http://www.freerepublic.com/focus/f-chat/2880277/posts

          Most web servers are running some version of a JVM. Write once, run anywhere.
          MichaelNorris51
          • Thank You!

            I was going to point out the same thing: just like the difference between "Java" and "Javascript," there is a difference between the circumstances of the exploitable Java and what most Java is written for. Java applets, the stuff that can run in your browser when you visit a website, are completely different from Java applications (J2EE/JSP, Servlets, and Applications). But it is Java applications, as you point out, that is pretty much used everywhere--and that has a close to zero chance of being exploited by this bug.
            daiichi
        • Java

          Life must present you with an unending stream of events you don't expect because of your narrow view and limited world knowledge. Yes, JAVA is alive and used by thousands upon thousands of websites.
          Liam SWz
          • Billions and Billions

            Not to mention billions of other devices around the world, such as cell phones and BluRay players and your toaster and your fridge probably by now.
            Johnny Bryla
          • Didn't follow that

            Not sure what you meant by the first part of your comment. Where did you get narrow view and limited world knowledge from?

            Anyway, my point was that I have never seen a website ask for it, nor a program installation require it. Can you provide me with a mainstream example or two from your thousands of examples?
            scophi
          • OpenOffice and LibreOffice

            They both require Java in order to be able to use some features.
            You are warned about "Java runtime is required" when installing the suite if no Java RT is present.
            didier.m.rousseau
          • Thank you!

            Finally, someone provides me with a useful example of what an end-user might need Java for. Thank you, Mr Rousseau.

            I was not aware that Open/LibreOffice required Java. Is it still usable without Java installed?
            scophi