Risky Java software: Oracle issues emergency fix to thwart hackers

Days after the US issued a security alert urging millions of computer owners to temporarily disable Java, Oracle released an emergency fix for the product and urged users to apply it as soon as possible.

Paul Sakuma/AP/File
This 2007 file photo shows the Java logo at Sun Microsystems' offices in Menlo Park, Calif. Oracle has released a security update for its Java product, after the US Department of Homeland Security issued an alert warning millions of computer users of a high risk of cyberattack.

Software giant Oracle has released a security update for its widely used Java product, after the US Department of Homeland Security issued an alert warning millions of computer users of a high risk of cyberattack.

The department had encouraged computer users to disable Java, software that frequently runs in the background as a browser plug-in while computers are browsing the Internet. As of late last week, malicious software "kits" that bundle the attack code were available for criminals to use in exploiting the Java vulnerability.

"Due to the severity of these vulnerabilities ... Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible," the company said in announcing the fix.

To apply Oracle's fix, visit the Java update or Java download pages. On the update page, use the "update manually" link near the top. Following the instructions may require that you open your computer's control panel and type "Java" in its search bar to open the Java Control Panel, then click the tab labeled "Update."
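One check a practitioner would want after running the update, written for this article and not part of the original piece or of Oracle's documentation: parse the version line that `java -version` prints and confirm it is at least 1.7.0_11, the string Java 7 Update 11 reports. The sample version strings below are constructed, the threshold is the one release this article names, and the function names are my own; a Java 6 installation is reported as below the threshold because the article says nothing about a separate Java 6 fix.

```python
import re
import subprocess

# Java 7 Update 11, the release named in the article, reports itself as 1.7.0_11.
MIN_PATCHED = (1, 7, 0, 11)

# Matches the first line of `java -version`, e.g. java version "1.7.0_10".
# Minor, micro and the _NN update number are all optional so newer
# formats such as "11.0.2" or "17" still parse.
_VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?'
)


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` text,
    or None when no version line is present."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def is_patched(output, minimum=MIN_PATCHED):
    """True when the reported version is at least `minimum` (7u11 by default).
    Unparseable output counts as not patched, so a missing runtime is flagged."""
    version = parse_java_version(output)
    return version is not None and version >= minimum


def installed_java_version_output():
    """Run `java -version` (it writes to stderr) and return the text,
    or '' when no java binary is on PATH."""
    try:
        result = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return result.stderr


# Constructed sample outputs (not captured from a real machine).
SAMPLE_UNPATCHED = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment\n'
SAMPLE_PATCHED = 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment\n'

if __name__ == "__main__":
    for label, text in (("constructed 7u10", SAMPLE_UNPATCHED),
                        ("constructed 7u11", SAMPLE_PATCHED),
                        ("this machine", installed_java_version_output())):
        print(label, "->", parse_java_version(text),
              "patched" if is_patched(text) else "NOT patched")
```

The check only answers the question this article raises, "is 7u11 or later installed?"; it does not tell you whether the browser plug-in is still enabled, which is the separate step CERT recommends below.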

Oracle accompanied its fix with another change: The updated version's default security setting is now "high" rather than "medium," so that users will be asked to sign off case by case on many Java activities. Users will be "prompted before any unsigned Java applet or Java Web Start application is run," Oracle said.

Even after Oracle's move, many experts on computer security say Java software remains vulnerable to hackers.

Hacker-response experts at the group CERT, based at Carnegie Mellon University, continue to view Java as high-risk software, even with the new patch installed.

"Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating" to the newly released Java 7 Update 11, a CERT vulnerability notice says. "This will help mitigate other Java vulnerabilities that may be discovered in the future."

A number of independent Web-security analysts are sounding similar notes of caution.

"It’s nice that Oracle fixed this vulnerability so quickly," writes Internet security blogger Brian Krebs. But "it seems malware writers are constantly finding new zero-day vulnerabilities in Java."

A "zero-day" attack is one that exploits a vulnerability that was not publicly known, and for which no patch existed, when the attacks began, so defenders have had zero days to develop a fix.

"Most users who have Java installed can get by just fine without it," Mr. Krebs wrote Sunday, as Oracle unveiled its Java update. "If you need Java for a specific Web site, consider adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser ... with Java enabled to browse only the site(s) that require(s) it."

Some experts on personal-computer security say Java may need to be rewritten from the ground up. Bogdan Botezatu, a threat analyst at Bitdefender, a Romania-based maker of antivirus software, made this case in an interview with PCWorld published Jan. 12. He said the problem with mature and widely used products like Java and those made by Adobe is that their code has been revised so many times by so many people over the years.

"These products have become so large and have been developed by so many programmers that the makers have most probably lost control over what's in the product," Mr. Botezatu told PCWorld.

The Department of Homeland Security's cyber division, called US-CERT (Computer Emergency Readiness Team) issued the alert about Java late last week. Information about how to disable Java or to limit the software's activity was posted over the weekend by the Monitor and a range of other publications.
