Oracle issues Java update to fix latest exploit, but security experts say to still stay away


You know that latest Java exploit that had the world up in arms, with Firefox and Apple blocking Java and the U.S. Department of Homeland Security recommending people disable it? Yeah, well, Oracle has issued updates to Java to address and plug the exploit.

According to update notes released by Oracle yesterday, Java 7u11, Java 6u37, Java 5u38, and Java 4u40 are the latest versions of Java 7, 6, 5, and 4 (respectively), and these updates contain fixes for the most recent exploit discovered in Java. Anyone who still has Java installed should update to the latest version to stay safe from this exploit. If you are unsure how to update, head over to Java’s website and manually download Java 7u11, the latest version. Versions for Windows, Mac OS X, and Linux are available.

Aside from patching the above-referenced exploit, this new update in Java also changes the default security setting from ‘Medium’ to ‘High’. This means, going forward, all unsigned Java applets will be required to gain explicit permission from users before they run.
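Two quick checks a user or admin can run after updating, added here as an example (not part of the original article): the first decides whether a `java -version` string is at or above the fixed releases the article names (7u11, 6u37, 5u38); the second reads a `deployment.properties` file and reports whether the applet security slider is at High or above, so unsigned applets will prompt. The `deployment.security.level` key is the Java Control Panel setting as stored on disk; the sample version strings and properties text are constructed.

```shell
#!/bin/sh
# Added example: verify the two things the article's update changes.

# java_is_patched '<first line of java -version>'
# Prints "patched", "vulnerable" or "unknown"; returns 0, 1 or 2.
java_is_patched() {
    line=$1
    # Pull e.g. 1.7.0_11 out of: java version "1.7.0_11"
    ver=$(printf '%s\n' "$line" | sed -n 's/.*"\([0-9][0-9._]*\)".*/\1/p')
    [ -n "$ver" ] || { echo "unknown"; return 2; }
    major=$(printf '%s' "$ver" | cut -d. -f2)            # 1.7.0_11 -> 7
    update=$(printf '%s' "$ver" | sed -n 's/.*_\([0-9]*\)$/\1/p')
    [ -n "$update" ] || update=0                         # "1.7.0" means u0
    case $major in
        7) min=11 ;;   # 7u11 per the article
        6) min=37 ;;   # 6u37
        5) min=38 ;;   # 5u38
        *) echo "unknown"; return 2 ;;
    esac
    if [ "$update" -ge "$min" ]; then echo "patched"; return 0; fi
    echo "vulnerable"; return 1
}

# applet_level_ok '<contents of deployment.properties>'
# "prompts" when the slider is HIGH or VERY_HIGH (unsigned applets must be
# approved by the user), "no-prompt" for LOW/MEDIUM, "default" if unset.
applet_level_ok() {
    lvl=$(printf '%s\n' "$1" | sed -n 's/^deployment\.security\.level=//p' | tail -n 1)
    case $lvl in
        HIGH|VERY_HIGH) echo "prompts";   return 0 ;;
        "")             echo "default";   return 2 ;;
        *)              echo "no-prompt"; return 1 ;;
    esac
}

# Constructed sample input (not captured from a real machine):
SAMPLE_VERSION='java version "1.7.0_11"'
SAMPLE_PROPS='deployment.version=7.11
deployment.security.level=HIGH'

java_is_patched "$SAMPLE_VERSION"   # patched
applet_level_ok "$SAMPLE_PROPS"     # prompts
```

On a real machine, feed it `java -version 2>&1 | head -n 1` and the contents of your user-level `deployment.properties`; any result other than "patched" and "prompts" means the update or the new default has not taken effect.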

Even though Oracle has released a timely update for this particular issue, some security experts are still recommending people stay away from Java because it is regularly targeted with new exploits:

  • The U.S. Department of Homeland Security is recommending people disable Java “unless it is absolutely necessary”, even after this new update.
  • Adam Gowdiak, CEO of Security Explorations, doesn’t “dare to tell users that it’s safe to enable Java again”.
  • Sophos’s Chester Wisniewski (senior researcher) recommends people “remove it” because “most people don’t need it”.
  • Ashraf from dotTech suggests to uninstall or disable Java until it is explicitly needed to access a website or run a program. (See what I did there?)

Seemingly reinforcing the calls to remove Java from your machine are two statistics: Kaspersky claims 50% of software hacks last year were via Java, and Sophos says 90% of all web attacks were conducted via Java last year.

If you have yet to uninstall or disable Java and want to know how, read the following guides by dotTech:

[via BBC, Washington Post, ArsTechnica, NakedSecurity]


10 comments

  1. AFPhys

    @Bruce Fraser:

    I should have been more explicit, I guess. Since Java has the capability to control your computer more effectively and completely than HTML, it can be used for more comprehensive programs.

    For example, there are Java programs that will monitor your hard disk. HTML is unlikely to ever be allowed to get that deep into the guts of your system, or hardware.

    Java was not envisioned as merely running web-based applications, but as a rather comprehensive programming language. It has great strengths as well as weaknesses in both areas. It is a good tool to have available.

    Java really took over the spot earlier held by an earlier interpreted programming language, BASIC, due to its superior power and versatility.

    When hanging a picture frame, you COULD pound a small nail in the wall with a sledgehammer, but you would be better off with a tack hammer… however, you usually will use a standard claw hammer. It is nice to have all those tools available and know how to use them.

  2. Bruce Fraser

    @AFPhys

    Thanks for your excellent explanation of what Java does. I think I get that: a universal program language, whose products can then be deployed on all kinds of operating systems.

    But what about my second question: “If that function is so inconsequential that my software will work fine without it, then why is it even produced?”
    That question comes from the advice being given out in this article, and many other sources. I’m wondering if the claim “you won’t even notice the difference” (not verbatim, but that’s the gist of it) may be a bit of an exaggeration.

  3. AFPhys

    Ashraf:

    Thank you for doing this excellent piece. I was perusing Oracle’s website late yesterday following up on the Java exploit and noticed their announcement. If you had not put in an article today, I would have pinged you about it.

    Thanks for keeping us up to date so well.

    AFPhys

  4. AFPhys

    @Bruce Fraser:

    Handwaving, not technical or fully accurate explanation, but will probably suffice for you:

    Java is an “interpreted” computer language. Programmers are able to write a program without worrying at all about what type of computer it is going to run on. They can write a program to “get temperature data from website xyz.com for station abc and day 123 then graph it in a new window using format αβγ” [of course using appropriate commands]. The Java processor, which IS specific to your computer, takes that relatively clear-language program, and “interprets” those commands, translating them into memory locations and specific instructions for YOUR computer and hardware, be it Mac, PC, Solaris, C64 with low tech graphics or high tech, etc.

    This simplifies the programmer’s life. It shifts the burden to the computer, and the Java interpreter, to figure out how to handle those commands. The interpreter also has to guard against the programmer willfully or unwillfully messing up your computer (deleting your hard drive, corrupting your data or operating system, etc.). Guarding against the “unwillfully messing up” is relatively simple. Guarding against a nefarious programmer willfully doing unwanted things (and surreptitiously) is much more difficult.

    The more it has to do, the more time it takes the interpreter to do it. That means an interpreted program (written in Java, HTML, etc.) is much slower than a compiled program written in C, C++, Fortran, etc. Its strength is that it can be ported from one computer to a different one much more easily, as long as the new one has a Java interpreter available.

    HTML has had more and more Java-like capabilities built in as time has gone on, and much of the need for Java has dissipated in typical web applications. However, Java is capable of much greater control of your computer than HTML, and therefore certain applications which can be written with Java are not able to be written in HTML. That means some people who wish to run those programs will need to use Java, or have them re-written in some other language. If you right click and “view source” on a typical web page, you will see what HTML looks like – Java looks quite a bit the same.

    Rather than adding more to this, I’ll halt here and await questions or comments.

  5. Bruce Fraser

    Can someone explain, or point me to a website with a simple explanation:
    1) Just what does Java do?
    2) If that function is so inconsequential that my software will work fine without it, then why is it even produced?

  6. Herman Hermit

    As usual, an easy-to-understand article for everybody. One highlight this time was the list of “some security experts recommending” people. I missed it when first reading but fortunately I returned. Excellent!