Sign in with
Sign up | Sign in

US-CERT Still Warns of Critical Java Flaw

By - Source: US-CERT | B 12 comments

Oracle may have patched a critical flaw in Java over the weekend, but security experts do not believe that Oracle has done enough to alleviate all concerns.

The United States Computer Emergency Readiness Team (US-CERT) acknowledged the availability of the patch, but recommends not to enable Java support anyway.

In a rather unusual note, the organization wrote:

"Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future."

Even in cases where users and network administrators are unable to block Java, the US-CERT said that access to Java applets should be restricted, for example, via proxy server rules and whitelisting files.

Oracle may be playing, to a certain degree, with its credibility and the trust users can put into Java. Reuters quoted security researcher Adam Gowdiak stating that there are still unpatched flaws in java, including one that was reported back in September of last year.

"We don't dare to tell users that it's safe to enable Java again," Gowdiak told Reuters.

According to Kaspersky Labs, half of all cyber attacks in 2012 exploited security holes in Java.

 

Contact Us for News Tips, Corrections and Feedback

Discuss
Ask a Category Expert

Create a new thread in the News comments forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
  • 1 Hide
    hoofhearted , January 16, 2013 10:34 PM
    This is the "invokeWithArguments" bug.
  • 1 Hide
    A Bad Day , January 16, 2013 10:43 PM
    Java: Great programming language because it allows easy porting to multiple platforms instead of recompiling and risking additional bugs. Plus it also allows indie teams to cover more platforms with less cost.

    Oracle's maintenance for Java's compiler: Missing in action
  • 0 Hide
    Assmar , January 16, 2013 10:55 PM
    Maybe it's because I don't do much on my PC but surfing, movie watching/music listening, and gaming; but I uninstalled java months ago and have had 0 problems without it.
  • Display all 12 comments.
  • 3 Hide
    Anomalyx , January 16, 2013 10:56 PM
    Quote:
    This will help mitigate other Java vulnerabilities that may be discovered in the future.

    Perhaps we should also uninstall web browsers, as this will help mitigate other web browser vulnerabilities that may be discovered in the future.

    If anyone hasn't caught onto my point... "You should disable [insert feature here] to mitigate any [feature] vulnerabilities that may occur in the future"
    And these guys get paid to say it?

    If you want Java to be guaranteed safe, disable the web plugin and don't be an idiot about downloading random executables.
  • 2 Hide
    stygian , January 16, 2013 11:11 PM
    What'd you expect? Compared to Oracle's other business Java revenue is pocket change. It's well known that Oracle just bought Sun to keep Java from going to IBM (http://money.cnn.com/2009/04/20/technology/Oracle_Sun/) since at the time Oracle had baked so much of Java into their products. Oracle has demonstrated over and over that Java is a 2nd class citizen because of it being open sourced (sorta) by Sun (see all the Oracle database development platforms that don't use Java and the fact that LibreOffice is trying to move away from Java). The whole "write once, run anywhere" was good marketing but never worked out exactly flawlessly. Add on top of all that the fact that every black hat from here to China was able to look into every nook and cranny of the JVM to find every flaw that Oracle had minimal motivation to fix. As an aside, I wonder what effect this will have on the adoption of C#/.NET in the enterprise space?
  • 2 Hide
    sun-devil99 , January 17, 2013 12:37 AM
    Quote:
    According to Kaspersky Labs, half of all cyber attacks in 2012 exploited security holes in Java.


    and the other half are from Flash...
  • 1 Hide
    A Bad Day , January 17, 2013 12:39 AM
    Shorten links. Off topic posts. Hm...
  • 2 Hide
    A Bad Day , January 17, 2013 12:40 AM
    sun-devil99and the other half are from Flash...


    I disagree. Users' and server/website admins' errors take a huge share of the attacks.
  • 0 Hide
    Camikazi , January 17, 2013 1:19 AM
    A Bad DayShorten links. Off topic posts. Hm...

    Seems the shortened links are the new "my cousin made $8000 working on their computer" spam posts.
  • 2 Hide
    rwinches , January 17, 2013 2:01 AM
    My Chrome always asks if a site wants to run java and gives a one-time/always choice.
    That works for me.
  • 0 Hide
    digiex , January 17, 2013 3:12 AM
    In said in the flash screen if you install Java that it is used in billions of devices. OMG, that's billions of devices with security hole in it.

    Maybe you want to shift to chocolates or plain milk instead of coffee.
  • 0 Hide
    gtvr , January 17, 2013 12:01 PM
    Yeah, but the embedded Java doesn't necessarily access outside resources, so I'm not sure that makes it vulnerable just because of the language.