Java security fix coming 'shortly'; Up to 850m machines at risk

Java plug-in maker Oracle has said that a fix for a major security vulnerability will be available "shortly," a day after the U.S. Department of Homeland Security warned users to disable the software.
Written by Zack Whittaker, Contributor

A day after the U.S. Department of Homeland Security warned computer users to disable or uninstall Java after a serious security vulnerability was discovered by researchers, Oracle has said that a fix will be made available "shortly."

Oracle, which has developed the Java plug-in software since acquiring Sun Microsystems in 2009, did not give a timeframe for the fix, though it is expected this coming week.

More than 850 million PCs around the world use Java, according to Oracle, and could be at risk if they do not disable or uninstall the plug-in immediately.

While the flaw was found in Java 7, Oracle told sister site CNET in a statement that the flaw does not exist in older versions of the software.

"Oracle is aware of a flaw in Java software integrated with web browsers. The flaw is limited to [Java Development Kit 7]. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices," a spokesperson told CNET.
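Oracle's statement limits the flaw to Java 7 (the 1.7.x release line), so the first thing an administrator wants to know is which Java release each machine reports. The following script is an added illustration and is not part of the article or of any Oracle tooling: it parses the version line printed by `java -version` and flags a 1.7.x runtime. The sample output strings are constructed for the example, and the assumption that the runtime prints a `java version "1.x.y_z"` line is the format used by Java 6 and 7 of that era.

```python
import re
import subprocess

# Constructed sample outputs (not captured from a real machine), in the
# format that `java -version` prints to stderr.
SAMPLE_JAVA7 = (
    'java version "1.7.0_10"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_10-b18)\n'
)
SAMPLE_JAVA6 = (
    'java version "1.6.0_37"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_37-b06)\n'
)

# Matches the first line: vendor word, then major.minor.patch and an optional _update.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, patch, update) from `java -version` output, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_java7(output):
    """True when the reported runtime is a Java 7 release (version string 1.7.x)."""
    v = parse_java_version(output)
    return v is not None and v[:2] == (1, 7)


def local_java_version_output():
    """Run `java -version` on this machine; return '' if Java is not on the PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    # Older releases print the version banner to stderr, so check both streams.
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    out = local_java_version_output()
    if not out:
        print("No Java runtime found on PATH.")
    elif is_java7(out):
        print("Java 7 runtime detected:", parse_java_version(out),
              "- disable the browser plug-in until the fix is installed.")
    else:
        print("Runtime is not Java 7:", parse_java_version(out))
```

Note that this only reports the runtime on the PATH. The article's point is about the browser plug-in, which can be enabled or disabled independently of whether a JRE is installed, so the check is an indicator for triage, not a substitute for disabling the plug-in in each browser.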

In a rare move, the U.S. government warned computer users on Friday to disable the software to prevent hackers and malware writers from taking advantage of the zero-day vulnerability -- which is currently being exploited in the wild.

There are fears that the vulnerability in Java 7 could allow malicious software to be installed on machines without authorization; that software could then be used to harvest personal information, leading to identity theft. There is also a strong risk that infected computers could become part of a wider "botnet": a network of "zombie" machines used to carry out denial-of-service attacks on Web sites and networks.

Apple has updated its XProtect definitions list -- the anti-malware service built into OS X -- in a bid to help mitigate any damage caused by the Java flaw. The Cupertino, Calif.-based technology giant has now disabled the OS X plug-in that runs on some Macs. While Apple no longer develops Java for OS X and no longer includes it with new Mac machines, OS X users can still download it from Oracle.

Firefox maker Mozilla has also explained that Firefox users may be vulnerable if they are running Java 7. That said, Mozilla security assurance director Michael Coates touted the browser's "Click to Play" security feature, which keeps a plug-in such as Java from loading until the user clicks to activate it.
