Security experts on Java: Fixing zero-day exploit could take 'two years'

Amid growing concern over Java's security, Oracle released an emergency fix over the weekend. However, security professionals say that this measure doesn't go far enough.
Written by Charlie Osborne, Contributing Writer

Oracle, distributor of Sun's Java software, has not had the best weekend.


First came the discovery of chinks in the computer language's armor last week, after researcher "kafeine" pointed out a number of websites that were exploiting a zero-day security vulnerability in Java 7 Update 10. The flaw could result in the installation of malware or identity theft, or could be used to rope personal computers into unauthorized botnets, which can then be used in denial-of-service attacks against other sites.

The problem was severe enough for the firm to release an emergency patch -- Java 7 Update 11 -- over the weekend. However, security experts have warned that the changes do not go far enough.

Security researcher Adam Gowdiak of Security Explorations has been keeping an eye on software flaws in Java over the past year. Once Gowdiak analyzed the latest Java update, he found that the patch still leaves a number of "critical security flaws," according to Reuters. This assessment, mirrored by AlienVault Labs' Jaime Blasco, who branded Oracle's offering a "mess," was later reinforced by the firm's recommendation against using the software.

"We don't dare to tell users that it's safe to enable Java again," Gowdiak commented.

However, it is not only the general public that needs to sit up and take note. When it comes to businesses, a number of security firms are also recommending immediate action to disable the software. For the average person, the possibility of identity theft or malware is horrendous, but it could cost firms far more over the long term.

Speaking to the news agency, HD Moore, chief security officer of business security company Rapid7, estimated that it could take up to two years for Oracle to fix the flaws found in the version of Java used to browse the Internet, not taking into consideration any further exploits developed within this timeframe.

It seems like something of a lost cause, as he advised:

"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop."

Due to the widespread use of Java, usually found as a plug-in in Internet browsers including Internet Explorer and Firefox, the security flaw is believed to have the potential to place over 850 million PCs at risk worldwide. It has not only been the concern of security experts: the U.S. Department of Homeland Security has also advised that PC owners immediately disable and stop using the software. Apple has also taken steps to disable the OS X plugin that runs Java on some Macs, and has updated its XProtect anti-malware definitions list.

The DHS' Computer Emergency Readiness Team (CERT) commented:

"We are currently unaware of a practical solution to this problem. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."
