Homeland Security warns Java still poses risks after security fix

UPDATED: After Oracle released a fix patching a serious security vulnerability in Java 7, the U.S. Department of Homeland Security has reiterated its warning that Java still poses risks.
Written by Zack Whittaker, Contributor

The U.S. Department of Homeland Security has reiterated its warning to Java users that the widely used Web plug-in still poses risks for Internet users, even after Oracle patched the software to prevent hackers from exploiting a zero-day vulnerability.

It comes as some security experts are warning that the new software -- Java 7 (Update 11), which was released on Sunday -- may not actually protect against hackers attempting to remotely execute code on user machines.

This code, security experts warn, could be used to acquire personal information and steal identities, or subscribe machines to 'botnets,' which can then be used to hit networks and Web sites with denial-of-service attacks.

Homeland Security said in an updated note that it is reiterating the advice it gave last week, in spite of Oracle updating the Java software with a security fix intended to prevent machines from being attacked by hackers.

The note said: "Unless it is absolutely necessary to run Java in Web browsers, disable it [...] even after updating to [Update 11]."

Homeland Security warned on Friday that Internet users should disable the Web plug-in as soon as possible, to prevent being attacked by hackers or malware. While it's not uncommon for a government department to notify users of threats, advising users to actively disable or uninstall software is rare.

Java is used in more than 850 million PCs and Macs, along with billions of devices around the world, including cars, Blu-ray players, and mobile devices. The reason why the U.S. government stepped in, along with security experts and anti-malware companies, to warn users is because the zero-day vulnerability was being exploited in the wild by hackers and malware writers.

Experts and researchers have warned that fixing the zero-day exploit "could take two years." Rapid7 chief security officer HD Moore told the Reuters news agency that it could take this long for Oracle to fix the flaws found in Java -- not including any further exploits or vulnerabilities that are found in the meantime.

"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," he said.

Update at 3:45 p.m. ET: Oracle told ZDNet in a statement: "Oracle has released Security Alert CVE-2013-0422 to address the flaw in Java software integrated with Web browsers. This is a blog that discusses when the bug was reported and actions that Java users need to take to secure their systems."
