Patch or not, Java still a risk

Powered by SC Magazine
 

Oracle patch insufficient.

The U.S. Department of Homeland Security has reiterated its calls for computer users to disable Oracle's widely used Java software for surfing the Web, advising that the software still poses risks to users despite the release of Oracle's emergency update over the weekend.

"Unless it is absolutely necessary to run Java in web browsers, disable it," the Department of Homeland Security's Computer Emergency Readiness Team said on Monday in a posting on its website.

The software maker released an update to Java on Sunday, just days after DHS issued its initial warning on the software, saying that bugs in the program were being exploited to commit identity theft and other crimes.

Security experts say that PCs running Java in their browsers could be attacked by criminals seeking to steal credit-card numbers, banking credentials, passwords and commit other types of computer crimes.

Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

"We don't dare to tell users that it's safe to enable Java again," said Gowdiak.

Some security consultants are advising businesses to remove Java from the browsers of all employees except for those who absolutely need to use the technology for critical business purposes.

HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web.

"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.

Oracle officials could not be reached for immediate comment.

(Reporting by Jim Finkle; Editing by M.D. Golan).


Patch or not, Java still a risk
 
 
 
Top Stories
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  4%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1770

Vote
Do you support the abolition of the Office of the Information Commissioner?