Oracle issues Java update to fix latest exploit, but security experts say to still stay away

java_update

You know that latest Java exploit that had the world up in arms, with Firefox and Apple blocking Java and U.S. Department of Homeland Security recommending people disable Java? Yeah, well, Oracle has issued updates to Java to address and plug the exploit.

According to update notes released by Oracle yesterday, Java 7u11, Java 6u37, Java 5u38, and Java 4u40 are the latest versions of Java 7, 6, 5, and 4 (respectively), and these updates contain fixes for the most recent exploit discovered in Java. Anyone and everyone that still has Java installed should update to the latest version to keep safe from this exploit. If you are unsure as to how to update, simply head over to Java’s website and manually download Java 7u11, the latest version. Versions for Windows, Mac OS X, and Linux are available.

Aside from patching the above-referenced exploit, this new update in Java also changes the default security setting from ‘Medium’ to ‘High’. This means, going forward, all unsigned Java applets will be required to gain explicit permission from users before they run.

Even though Oracle has released a timely update to this particular issue, some security experts are still recommending people stay away from Java due to the fact that Java is regularly targeted with new exploits:

  • The U.S. Department of Homeland Security is recommending people disable Java “unless it is absolutely necessary”, even after this new update.
  • Adam Gowdiak (CEO) of Security Explorations doesn’t “dare to tell users that it’s safe to enable Java again”.
  • Sophos’s Chester Wisniewski (senior researcher) recommends people to “remove it” because “most people don’t need it”.
  • Ashraf from dotTech suggests to uninstall or disable Java until it is explicitly needed to access a website or run a program. (See what I did there?)

Seemingly reinforcing the voices to not keep Java on your machine is a stat by Kaspersky that claims 50% of software hacks last year were via Java and a stat by Sophos that says 90% of all web attacks were conducted via Java last year.

If you have yet to uninstall or disable Java and want to know how, read the following guides by dotTech:

[via BBC, Washington Post, ArsTechnica, NakedSecurity]

Related Posts