Topic: Security

Homeland Security warns to disable Java amid zero-day flaw

Summary: The U.S. Department of Homeland Security is the latest body to warn users to disable Java software amid escalating concerns over a serious, exploitable vulnerability.

By Zack Whittaker for Zero Day | January 11, 2013 -- 16:41 GMT (08:41 PST)

Follow @zackwhittaker

The U.S. Department of Homeland Security has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw.

Read this

How to disable Java in your browser on Windows, Mac

Amid a serious security flaw in the latest version of Java 7, where even the U.S. Department of Homeland Security has warned users to disable the plug-in, here's how you do it.

Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Java users should disable or uninstall Java immediately to mitigate any damage.

Java is used by hundreds of millions of Windows, Mac and Linux machines -- along with mobile devices and embedded systems -- around the world to access interactive content or Web applications and services.

The latest flaw, as earlier reported by ZDNet, is currently being exploited in the wild, security experts have warned. Alienvault Labs have reproduced and verified claims that the new zero-day that exploits a vulnerability in Java 7, according to security expert Brian Krebs.

java-zero-day — Verifying the flaw, security researchers were able to trick the malicious Java applet to execute the Windows calculator. Credit: Alienvault Labs

It's not uncommon for the U.S. government -- or any other government agency -- to advise against security threats, but rarely does an agency actively warn to disable software; rather they offer advice to mitigate such threats or potential attacks, such as updating software on their systems.

Topics: Security, Government US

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

186 comments

Log in or register to join the discussion

And this is not front page news on every media outlet because....?

This makes Y2K look like a church social.

bobjones2007
11 January, 2013 17:19

Reply 3 Votes
- Because at this point it's only people who dont care about security that
  
  are still using java. It's not secure enough for commerce and it's not reliable enough for anything mission critical. Add in it's low perf compared to .NET and it's not scalable enough for the cloud, it takes twice as many boxes to service the same load at the same sla. It's only good for teaching kids their first programming language at this point. I hope the teachers are cautioning them that it's just for learning and not suitable for the real world.
  
  Johnny Vegas
  11 January, 2013 17:42
  
  Reply 4 Votes
  - Agreed
    
    Java is over-hyped from very start.
    I will put WPF/WCF from Microsoft as another example of hyped technology - slow and too complex to use.
    
    FADS_z
    11 January, 2013 18:30
    
    Reply 4 Votes
    - Too complex?
      
      Only to the brain dead.
      
      jackbond
      13 January, 2013 19:40
      
      Reply 1 Vote
  - Java??
    
    I haven't heard that name in a very long time. People are still using it? I thought it died out with the last generation companies (RealPlayer, AOL, CompuServ, Lycos, Napster, Netscape, WinAmp, etc)
    
    I haven't run across anything that requires it for many, many years. Why would you install it? Is it bundled with something popular?
    
    scophi
    11 January, 2013 21:41
    
    Reply 1 Vote
    - Haven't seen Java?
      
      Obviously you don't get on the internet much. Most websites use Java Script.
      
      lpengrg
      11 January, 2013 23:48
      
      Reply 1 Vote
      - Java vs. JavaScript
        
        Don't comment if you don't know what you are talking about! Java and JavaScript are two completely different things! Get informed before shouting to the world!
        
        mmo_z
        11 January, 2013 23:55
        
        Reply 6 Votes
      - Chill out.
        
        Watch out we have the hippest nerd on net here!
        
        Josh Desmond
        14 January, 2013 21:22
        
        Reply Vote
      - the Java alert from HSD
        
        I dis-enabled Java and now I cannot use FB and several other sites where I interact. I get a message saying Java needs to be enabled. Well... now what?
        
        Rivergull
        12 January, 2013 05:47
        
        Reply Vote
      - FB doesn't require Java
        
        I do not have Java installed on my machine and have never had a problem with any social network.
        
        If you're having problems, there's something else at work.
        
        (Did you disable JavaScript by mistake? That could indeed cause problems.)
        
        scophi
        12 January, 2013 06:44
        
        Reply 1 Vote
      - FB
        
        I disabled Java and then shared the article on FB to notify all my friends. I had no problem.
        
        Michael Cleary
        13 January, 2013 15:24
        
        Reply Vote
    - Education environments
      
      I know at least one major virtual learning environment depends on Java for some of its main functionality. It is widely used in both UK and US
      
      cymru999
      11 January, 2013 23:48
      
      Reply Vote
      - my apologies to the VLE it uses JavaScript
        
        I think that the vast majority of non technical people reading this treat the two things as synonymous when they are not. The problem is exacerbated by sites which say they use Java when they mean JavaScript there needs IMHO to be clearer name distinction - I am worried that a lot of people will panic an turn off everything with "Java" in it, effectively disabling all sorts of things
        
        cymru999
        11 January, 2013 23:54
        
        Reply 2 Votes
    - JAVA... The Living Dead
      
      Java is only the most widely used language in the world. Just because you never see the backend of a web application, does not mean it does not exist.
      http://spectrum.ieee.org/at-work/tech-careers/the-top-10-programming-languages
      http://www.siliconindia.com/shownews/10_Most_Popular_Programming_Languages-nid-106545-cid-2.html
      http://www.freerepublic.com/focus/f-chat/2880277/posts
      
      Most web servers are running some version of a JVM. Write once, run anywhere.
      
      MichaelNorris51
      12 January, 2013 01:11
      
      Reply 3 Votes
      - Thank You!
        
        I was going to point out the same thing: just like the difference between "Java" and "Javascript," there is a difference between the circumstances of the exploitable Java and what most Java is written for. Java applets, the stuff that can run in your browser when you visit a website, are completely different from Java applications (J2EE/JSP, Servlets, and Applications). But it is Java applications, as you point out, that is pretty much used everywhere--and that has a close to zero chance of being exploited by this bug.
        
        daiichi
        12 January, 2013 02:34
        
        Reply 3 Votes
    - Java
      
      Life must present you with an unending stream of events you don't expect because of your narrow view and limited world knowledge. Yes, JAVA is alive and used by thousands upon thousands of websites.
      
      darkmoonman
      12 January, 2013 01:47
      
      Reply 3 Votes
      - Billions and Billions
        
        Not to mention billions of other devices around the world, such as cell phones and BluRay players and your toaster and your fridge probably by now.
        
        Johnny Bryla
        12 January, 2013 05:47
        
        Reply Vote
      - Didn't follow that
        
        Not sure what you meant by the first part of your comment. Where did you get narrow view and limited world knowledge from?
        
        Anyway, my point was that I have never seen a website ask for it, nor a program installation require it. Can you provide me with a mainstream example or two from your thousands of examples?
        
        scophi
        12 January, 2013 05:50
        
        Reply Vote
      - OpenOffice and LibreOffice
        
        They both require Java in order to be able to use some features.
        You are warned about "Java runtime is required" when installing the suite if no Java RT is present.
        
        didier.m.rousseau@...
        12 January, 2013 07:26
        
        Reply Vote
      - Thank you!
        
        Finally, someone provides me with a useful example of what an end-user might need Java for. Thank you, Mr Rousseau.
        
        I was not aware that Open/LibreOffice required Java. Is it still usable without Java installed?
        
        scophi
        13 January, 2013 07:23
        
        Reply Vote