Patch or not, Java still a risk

Powered by SC Magazine
 

Oracle patch insufficient.

The U.S. Department of Homeland Security has reiterated its calls for computer users to disable Oracle's widely used Java software for surfing the Web, advising that the software still poses risks to users despite the release of Oracle's emergency update over the weekend.

"Unless it is absolutely necessary to run Java in web browsers, disable it," the Department of Homeland Security's Computer Emergency Readiness Team said on Monday in a posting on its website.

The software maker released an update to Java on Sunday, just days after DHS issued its initial warning on the software, saying that bugs in the program were being exploited to commit identity theft and other crimes.

Security experts say that PCs running Java in their browsers could be attacked by criminals seeking to steal credit-card numbers, banking credentials, passwords and commit other types of computer crimes.

Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

"We don't dare to tell users that it's safe to enable Java again," said Gowdiak.

Some security consultants are advising businesses to remove Java from the browsers of all employees except for those who absolutely need to use the technology for critical business purposes.

HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web.

"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.

Oracle officials could not be reached for immediate comment.

(Reporting by Jim Finkle; Editing by M.D. Golan).


Patch or not, Java still a risk
 
 
 
Top Stories
How hard do you hack back?
[Blog post] Taking the offensive could have unintended consequences.
 
Five zero-cost ways to improve MySQL performance
How to easily boost MySQL throughput by up to 5x.
 
The big winners from Defence’s back-office IT refresh
Updated: The full list of subcontractors.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  68%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1019

Vote