Patch or not, Java still a risk

Powered by SC Magazine
 

Oracle patch insufficient.

The U.S. Department of Homeland Security has reiterated its calls for computer users to disable Oracle's widely used Java software for surfing the Web, advising that the software still poses risks to users despite the release of Oracle's emergency update over the weekend.

"Unless it is absolutely necessary to run Java in web browsers, disable it," the Department of Homeland Security's Computer Emergency Readiness Team said on Monday in a posting on its website.

The software maker released an update to Java on Sunday, just days after DHS issued its initial warning on the software, saying that bugs in the program were being exploited to commit identity theft and other crimes.

Security experts say that PCs running Java in their browsers could be attacked by criminals seeking to steal credit-card numbers, banking credentials, passwords and commit other types of computer crimes.

Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

"We don't dare to tell users that it's safe to enable Java again," said Gowdiak.

Some security consultants are advising businesses to remove Java from the browsers of all employees except for those who absolutely need to use the technology for critical business purposes.

HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web.

"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.

Oracle officials could not be reached for immediate comment.

(Reporting by Jim Finkle; Editing by M.D. Golan).


Patch or not, Java still a risk
 
 
 
Top Stories
Westpac interim CIO resigns
Group CIO yet to be appointed.
 
Five emerging technologies that will transform financial services
[Blog post] Far out ideas that aren't far off.
 
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  27%
 
Application integration concerns
  3%
 
Security and compliance concerns
  28%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  23%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 928

Vote