U.S. Government Tells Computer Users to Disable Java as Oracle Acknowledges Bug
(WASHINGTON) — The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks.
The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts.
Experts believe hackers have found a flaw in Java’s coding that creates an opening for criminal activity and other high-tech mischief.
Java is a widely used technical language that allows computer programmers to write a wide variety of Internet applications and other software programs that can run on just about any computer’s operating system.
Oracle Corp. bought Java as part of a $7.3 billion acquisition of the software’s creator, Sun Microsystems, in 2010.
Oracle, meanwhile, early Saturday confirmed the 0-day vulnerability discovered in Java 7 that made headlines this week. Furthermore, the company told Reutersthat “a fix will be available shortly,” but wouldn’t go into more detail as to when exactly that would be.
On Thursday, the US Computer Emergency Readiness Team (US-CERT), which falls under the National Cyber Security Division of the Department of Homeland Security, issued the following vulnerability note:
Overview – Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description – Java 7 Update 10 and earlier contain an unspecified remote-code-execution vulnerability. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits.
Impact – By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
The critical security hole, which allows attackers to execute malicious software on a victim’s machine, was quickly exploited in the wild and made available in common exploit kits. Later the same day, Apple stepped in to block Java 7 on OS X 10.6 and up to protect Mac users.
On Friday, we learned the 0-day code would not have worked if Oracle had properly addressed an old vulnerability, according to Security Explorations, the security firm responsible for identifying most of the latest Java vulnerabilities. Back in late August 2012, the company informed Oracle about the insecure implementation of the Reflection API, and Oracle released a patch for it in October 2012, but the fix wasn’t a complete one.
Also on Friday, Mozilla added all recent versions of Java to its Firefox add-on blocklist. These include Java 7 Update 9, Java 7 Update 10, Java 6 Update 37, and Java 6 Update 38; older Java versions were already blocklisted due to other vulnerabilities.
Once Oracle releases Java 7 Update 11, Mac users and Firefox users will once again be able to use the plugin. Unfortunately, since the company still hasn’t provided a date for when that will be, we recommend that regardless of what browser and operating system you’re using, you should uninstall Java if you don’t need it and disable it otherwise. If you absolutely must use it, do so in a secondary browser.
