Oracle releases Java fix, but security concerns remain

Oracle has released Java 7 update 11, which addresses a Zero Day flaw that enables intruders to install malware on vulnerable systems.
  • Ian Paul (PC World (US online))
  • — 14 January, 2013 19:30

Oracle released Java 7 update 11 (Java 7u11) on Sunday following a warning from the U.S. Computer Emergency Readiness Team (US-CERT) advising users to disable the software due to a serious and previously unknown security vulnerability. Even with the available fix, CERT, part of the Department of Homeland Security, is still advising users to disable Java on their systems unless running the software is "absolutely necessary."

[RELATED: Time to Give Java the Boot?]

The so-called Zero Day flaw was actively being used to secretly install malware on systems of unsuspecting victims and the exploit affected Windows, Mac, and Linux users, according to CERT's security bulletin. The vulnerability affects versions of Java 7, and does not apply to Java 6.

What Java 7u11 does

The biggest change  for users with the newest version of Java is that now all unsigned Java applets and Web start applications are click-to-run. This means you must explicitly authorize Java to run in your browser nearly every time you come across Java on the Web. Java is a cross-platform programming language often used online for Web content and applications such as games and interactive charts. Oracle's vulnerability fix affects only users running Java in their browsers, and does not apply to servers, desktop applications, or embedded Java apps.

Oracle is also calling on users to update their systems as soon as possible. "Due to the severity of these vulnerabilities," Oracle's security alert reads. "Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible."

Oracle's latest Java snafu is prompting calls by some to completely rewrite Java from the ground up due to its popularity as a way to attack PCs. The latest Java vulnerability comes close to five months after Oracle released updates to Java for three major security holes in late August, two of which were actively being used by malicious hackers.

You can download the latest Java update from Oracle's Website.  If you'd like to follow CERT's advice and disable Java, Oracle has a step-by-step instruction guide for Windows users. If you need Java and can't turn it off, check out Computerworld's tutorial on how to be as safe as possible with Java.

How to disable Java

If you'd like to disable Java just in a specific browser, here's how to do it:

Chrome: type Chrome://plugins into the address bar and hit enter. Look for the Java plugin and click the "Disable" link.

Firefox: click on the orange Firefox button on the left and select "Add-ons." Then in the page that opens select "Plugins" from the left-hand side. Look for the Java platform plugin and click the disable button.

Internet Explorer: you cannot disable Java for Internet Explorer the same way you can for Chrome and Firefox. Instead, follow Oracle's step-by-step instruction guide to disable Java system-wide.

Tags: applications, security, java, browsers, software, Web & communication software, Oracle

Review: File Recovery Tools

MORE IN Data Security
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

SECURE Email Gateway

Clearswift SECURE Email Gateway is an effective and resilient email gateway for 50 to 50,000 users.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).

  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.