Oracle releases Java fix, but security concerns remain

Oracle has released Java 7 update 11, which addresses a zero-day flaw that let intruders install malware on vulnerable systems through the browser.

Oracle released Java 7 update 11 (Java 7u11) on Sunday, following a warning from the U.S. Computer Emergency Readiness Team (US-CERT) advising users to disable the software in their web browsers because of a serious and previously unknown security vulnerability. Even with the fix available, US-CERT, part of the Department of Homeland Security, still advises users to disable Java in their browsers unless running it there is "absolutely necessary."


The zero-day flaw was actively being used to install malware silently on the systems of unsuspecting victims, and the exploit affected Windows, Mac, and Linux users, according to CERT's security bulletin. The vulnerability affects Java 7 (every release up to and including 7u10) and does not apply to Java 6.

What Java 7u11 does

The biggest change for users of the newest version is that all unsigned Java applets and Web Start applications are now click-to-run: Oracle raised the default position of the security slider in the Java Control Panel from "Medium" to "High," so you must explicitly authorize Java to run in your browser nearly every time you come across Java content on the Web. That prompt only protects users who decline it; anyone who clicks through and runs an unsigned applet is still exposed to whatever that applet exploits, which is why US-CERT's advice to disable browser Java stands. Java is a cross-platform programming language often used online for Web content and applications such as games and interactive charts. The vulnerability, and therefore the fix, concerns only Java running inside a web browser; it does not affect Java on servers, in desktop applications, or in embedded Java apps.

Oracle is also calling on users to update their systems as soon as possible. "Due to the severity of these vulnerabilities," Oracle's security alert reads, "Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible."

Oracle's latest Java snafu is prompting calls from some to rewrite Java from the ground up because of its popularity as a way to attack PCs. The latest Java vulnerability comes close to five months after Oracle released updates to Java for three major security holes in late August, two of which were actively being used by malicious hackers.

You can download the latest Java update from Oracle's website. If you'd like to follow CERT's advice and disable Java, Oracle has a step-by-step instruction guide for Windows users. If you need Java and can't turn it off, check out Computerworld's tutorial on how to be as safe as possible with Java.

How to disable Java

If you'd like to disable Java just in a specific browser, here's how to do it:

Chrome: type chrome://plugins into the address bar and hit enter. Look for the Java plugin and click the "Disable" link.

Firefox: click on the orange Firefox button on the left and select "Add-ons." Then in the page that opens select "Plugins" from the left-hand side. Look for the Java platform plugin and click the disable button.

Internet Explorer: you cannot disable Java for Internet Explorer the same way you can for Chrome and Firefox. Instead, follow Oracle's step-by-step instruction guide to disable Java system-wide. In Java 7u10 and later this is the "Enable Java content in the browser" checkbox on the Security tab of the Java Control Panel; clearing it turns off applets and Web Start launches for every browser on the machine, not just Internet Explorer, and is the safer choice when more than one browser is installed.
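To check or apply that system-wide setting without clicking through the Control Panel on every machine (the three affected platforms all store it in the same kind of file), the script below audits a user's deployment.properties, which is the file the Control Panel writes, and rewrites it with browser Java disabled and locked and the security slider pinned at its strictest level. This is an added example, not code from the article, from Oracle or from US-CERT; it assumes the property names Oracle documents for Java 7u10 and later (deployment.webjava.enabled, deployment.security.level and the .locked suffix that makes a setting read-only in the Control Panel) and the usual per-user file paths, both of which should be verified against your own installation.

```python
"""Audit and harden Java's per-user deployment.properties so that applets and
Web Start applications cannot run in any browser.

Added example, not code from the article or from Oracle.  Property names are
assumed from Oracle's documentation for Java 7u10 and later; file paths are
assumed per-user defaults.  Verify both on your installation.
"""
import os
import platform
import re
import sys
from pathlib import Path

WEBJAVA_KEY = "deployment.webjava.enabled"   # "Enable Java content in the browser" checkbox
LEVEL_KEY = "deployment.security.level"      # Security Level slider
MARKER = "# browser Java disabled and locked by hardening script"

# What the hardened file must contain.  A key with an empty value is written as
# the bare key, which is how the ".locked" flags appear in deployment.properties.
MANAGED = {
    WEBJAVA_KEY: "false",
    WEBJAVA_KEY + ".locked": "",
    LEVEL_KEY: "VERY_HIGH",      # belt and braces in case web Java is ever re-enabled
    LEVEL_KEY + ".locked": "",
}

# Java .properties line: key, then optional '=' or ':' (or whitespace), then value.
_LINE = re.compile(r"^\s*([^=:\s]+)(?:\s*[=:]\s*|\s+)?(.*?)\s*$")


def _parse_line(line: str):
    """Return (key, value) for a property line, or None for blanks and comments."""
    if not line.strip() or line.lstrip().startswith(("#", "!")):
        return None
    m = _LINE.match(line)
    return (m.group(1), m.group(2)) if m else None


def parse_properties(text: str) -> dict:
    """Parse deployment.properties into a dict (last duplicate key wins, as Java does).
    Backslash escapes in values are left as written; the keys we care about never use them."""
    props = {}
    for line in text.splitlines():
        kv = _parse_line(line)
        if kv:
            props[kv[0]] = kv[1]
    return props


def assess(props: dict) -> dict:
    """Report whether browser Java is off, whether that is locked, and the slider level.
    A missing deployment.webjava.enabled means the Java default, which is enabled."""
    web_java_enabled = props.get(WEBJAVA_KEY, "true").lower() != "false"
    locked = WEBJAVA_KEY + ".locked" in props
    level = props.get(LEVEL_KEY, "").upper() or None   # None: the version default applies
    return {
        "web_java_enabled": web_java_enabled,
        "locked": locked,
        "security_level": level,
        "compliant": not web_java_enabled and locked,
    }


def harden(text: str) -> str:
    """Return the properties text with browser Java disabled and locked.
    Other settings and comments are preserved; running it twice changes nothing."""
    kept = []
    for line in text.splitlines():
        kv = _parse_line(line)
        if line.strip() == MARKER or (kv and kv[0] in MANAGED):
            continue   # drop our own marker and any earlier value of a managed key
        kept.append(line)
    kept.append(MARKER)
    kept.extend(f"{k}={v}" if v else k for k, v in MANAGED.items())
    return "\n".join(kept) + "\n"


def default_user_properties_path() -> Path:
    """Per-user deployment.properties location (assumed defaults; verify on your platform)."""
    system = platform.system()
    if system == "Windows":
        base = Path(os.environ.get("USERPROFILE", Path.home()))
        return base / "AppData" / "LocalLow" / "Sun" / "Java" / "Deployment" / "deployment.properties"
    if system == "Darwin":
        return Path.home() / "Library" / "Application Support" / "Oracle" / "Java" / "Deployment" / "deployment.properties"
    return Path.home() / ".java" / "deployment" / "deployment.properties"


# Constructed sample of a typical pre-7u11 user file (not captured from a real host).
SAMPLE = """#deployment.properties
#Sun Jan 13 12:00:00 EST 2013
deployment.version=7.10
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
deployment.javaws.viewer.bounds=0,0,800,600
"""

if __name__ == "__main__":
    # Usage: script.py [path/to/deployment.properties] [--write]
    args = [a for a in sys.argv[1:] if a != "--write"]
    path = Path(args[0]) if args else None
    text = path.read_text() if path and path.exists() else SAMPLE
    print("before:", assess(parse_properties(text)))
    hardened = harden(text)
    print("after: ", assess(parse_properties(hardened)))
    if path and "--write" in sys.argv:
        path.write_text(hardened)
```

Run it with no arguments to see the before-and-after assessment on the constructed sample; pass a path to audit a real file, and add --write to replace it. Locking the setting matters as much as disabling it: without the .locked flag a user can simply re-tick the checkbox, and the audit treats an unlocked "false" as non-compliant for that reason.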

Stories by Ian Paul