Despite Java weekend update, security issues remain

Late last week, the US government issued a security bulletin recommending that PC users disable Oracle's Java on their systems, because of a recently discovered vulnerability that attackers were already exploiting against PCs running Java. This weekend, Oracle released a new security update for Java.

Even with this update, some security experts believe Java still contains a number of vulnerabilities that attackers could find and exploit. Reuters reports that HD Moore, chief security officer at Rapid7, says it could take Oracle up to two years to fix all of the security issues that have been found in Java.

In its blog post about the update, Oracle points out that users can open the Java Control Panel and adjust the security level that applies when unsigned Java applets run inside a web browser; the default has been raised from "Medium" to "High." Moore, however, thinks that at this point the only PC users who need Java are those who must run it for business. He added, "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop."

Security firm Kaspersky claims that Java was involved in 50 percent of all PC cyber attacks in 2012. Oracle has yet to comment on the US government's warning about running Java on PCs.
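The Control Panel setting Oracle describes is stored on disk in a Java .properties file, deployment.properties, so it can be audited and enforced without clicking through the UI on every machine. The script below is an added example written for this page; it is not Oracle's code and not part of the article. It contains a small parser for that file format (comments, backslash escapes such as http\://, line continuations) and a check that the security level is High or Very High, that Java content in the browser is switched off, and that both settings are locked against users. The key names deployment.security.level and deployment.webjava.enabled and the ".locked" suffix are Oracle's real Java 7 deployment-property conventions; the two sample files embedded in the script are constructed for illustration, and the lock is only honoured in the system-level file named by deployment.config.

```python
# Audit a Java 7 deployment.properties file for the browser-facing settings:
# the security level applied to unsigned applets and whether Java content in
# the browser is enabled.  Added example for this page, not Oracle's code.
# Key names are the real Java 7 conventions; sample files are constructed.

SECURITY_LEVEL_KEY = "deployment.security.level"
WEBJAVA_KEY = "deployment.webjava.enabled"
# "High" and "Very High" in the Java Control Panel map to these values.
ACCEPTABLE_LEVELS = {"HIGH", "VERY_HIGH"}


def _unescape(s):
    """Drop the backslash from simple escapes such as 'http\\://'.
    (\\n, \\t and \\uXXXX are not expanded; deployment.properties does not use them.)"""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _split_key_value(line):
    """Split one logical line at the first unescaped '=', ':' or whitespace."""
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":
            i += 2  # skip the escaped character
            continue
        if ch in "=: \t":
            key = line[:i]
            rest = line[i + 1:].lstrip(" \t")
            # 'key  = value': whitespace may precede the real separator.
            if ch in " \t" and rest[:1] in ("=", ":"):
                rest = rest[1:].lstrip(" \t")
            return _unescape(key), _unescape(rest)
        i += 1
    return _unescape(line), ""  # bare key, e.g. 'deployment.webjava.enabled.locked'


def parse_properties(text):
    """Parse Java .properties text: comments, escapes and line continuations."""
    props = {}
    pending = None
    for raw in text.splitlines():
        line = raw.lstrip(" \t")
        if pending is None:
            if not line or line[0] in "#!":
                continue
            pending = line
        else:
            pending += line  # continuation line; leading whitespace already dropped
        # An odd number of trailing backslashes means the logical line continues.
        trailing = len(pending) - len(pending.rstrip("\\"))
        if trailing % 2 == 1:
            pending = pending[:-1]
            continue
        key, value = _split_key_value(pending)
        props[key] = value
        pending = None
    if pending is not None:
        key, value = _split_key_value(pending)
        props[key] = value
    return props


def audit(props):
    """Return findings against the hardened posture; an empty list means it is in place."""
    findings = []
    level = props.get(SECURITY_LEVEL_KEY)
    if level is None:
        findings.append(f"{SECURITY_LEVEL_KEY} not set; relying on the JRE's built-in default")
    elif level.upper() not in ACCEPTABLE_LEVELS:
        findings.append(f"{SECURITY_LEVEL_KEY}={level} gives unsigned applets less than HIGH scrutiny")
    webjava = props.get(WEBJAVA_KEY, "true").strip().lower()
    if webjava != "false":
        findings.append(f"{WEBJAVA_KEY}={webjava}: Java content in the browser is enabled")
    # A '<key>.locked' entry (honoured only in the system-level file named by
    # deployment.config) stops users from flipping the setting back in the Control Panel.
    for key in (SECURITY_LEVEL_KEY, WEBJAVA_KEY):
        if key in props and key + ".locked" not in props:
            findings.append(f"{key} is not locked; a user can change it in the Java Control Panel")
    return findings


# Constructed samples: a user file as an installer might leave it, and a hardened system file.
USER_FILE = """\
#deployment.properties
#Mon Jan 14 09:12:44 EST 2013
deployment.version=7.11
deployment.javaws.jre.0.location=http\\://java.sun.com/products/autodl/j2se
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""

HARDENED_FILE = """\
# System-level deployment.properties, referenced from deployment.config
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
"""

if __name__ == "__main__":
    for name, text in (("user", USER_FILE), ("hardened", HARDENED_FILE)):
        print(f"[{name}]")
        for finding in audit(parse_properties(text)) or ["ok"]:
            print("  " + finding)
```

Run against a real file by reading it into parse_properties instead of the embedded samples; the user file reports four findings (level too low, browser Java on, neither key locked), the hardened system file reports none. Disabling the plugin this way protects the browser only; a locally installed JRE can still be reached by other means, which is the point several commenters make below.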

Source: Reuters | Image via Oracle


29 Comments


Wonder if all these security issues apply to those of us running OpenJDK. Probably, since Java 7 was based on OpenJDK, but I'm curious since those of us who run Linux still have the "actual" OpenJDK that isn't published by Oracle.

I've run java for years - never ever had an issue. People just need to watch what they click on and sites they visit and you won't have a problem.

sava700 said,
I've run java for years - never ever had an issue. People just need to watch what they click on and sites they visit and you won't have a problem.

*Bullcrap*

Any service that runs unchecked ads can send malicious JAVA code to any unsuspecting computer user on even credible web sites.

sava700 said,
I've run java for years - never ever had an issue. People just need to watch what they click on and sites they visit and you won't have a problem.

Turning off the temp file creation also helps. Before I started doing that I'd see exploits sneak in when I was working on users' PCs. They even had the latest Java and they didn't click on anything bad.

You think that is bad. I have a hospital that our doctors visit, and in order for them to sign their documentation they have to access a website that will only work with Java 6.26! If you try to access it via 7.x or anything above 6.26 it fails. It sucks.

I think some of you fail to understand that in a corporate environment (right or wrong) there are applications that use Java, so we have no choice but to have it.

What I'd like to see (unless I missed it) is to only allow Java from an allowed whitelist of sites; anything else is just blocked, and even to lock it to internal use.

kazgor said,
.....

put a JSR in and see how quick they are to act.
THIS is the problem with Java. A programming language by a committee from a company with very little interest in spending to keep it relevant.
Since Oracle became Java, I stopped using it, evangelizing it, etc.

.NET was built with security in mind, a much better approach. With Java, you have to bolt-on to the underlying security and let's face it, *Nix is not secure beyond ACL for files. Working to a runtime with the lowest common denominator means you'll never achieve security on secure OSes.

Why do you think Microsoft pushed NT onto ARM?

deadonthefloor said,

put a JSR in and see how quick they are to act.
THIS is the problem with Java. A programming language by a committee from a company with very little interest in spending to keep it relevant.
Since Oracle became Java, I stopped using it, evangelizing it, etc.

.NET was built with security in mind, a much better approach. With Java, you have to bolt-on to the underlying security and let's face it, *Nix is not secure beyond ACL for files. Working to a runtime with the lowest common denominator means you'll never achieve security on secure OSes.

Why do you think Microsoft pushed NT onto ARM?

Agree, but why do you think ARM has anything to do with anything?

Windows NT was running on RISC back in 1992, do you REALLY think NT was 'PUSHED' onto ARM 20 years later?

Inside NT (1st or 2nd Edition) - porting the entire NT code base to ARM was less work than moving x86 to x64, although they are essentially the same changes and process. NT is written to its own HAL architecture, not x86, nor any other CPU architecture.

kazgor said,
I think some of you fail to understand that in a corporate environment (right or wrong) there are applications that use Java, so we have no choice but to have it.

What I'd like to see (unless I missed it) is to only allow Java from an allowed whitelist of sites; anything else is just blocked, and even to lock it to internal use.

I agree.

Love all the ridiculous comments about nothing on the net needs Java anymore... Maybe for *you* but for many of us it's a necessary evil.

Indeed.

And look at all the people who play Java based games, notably Minecraft.

I both play some Java games and run Java apps. I'm keeping it disabled in the browser and only enabling it when I need to run a web based Java app; so other than that I don't feel there's much risk to keeping Java on my system.

But again; people who spam "lol java not needed" need to understand its necessity for certain people; not even businesses at that.

ir0nw0lf said,
Love all the ridiculous comments about nothing on the net needs Java anymore... Maybe for *you* but for many of us it's a necessary evil.

Personally I do not use Java. But where I work, I know all too well the number of things that still require it. Though we do keep asking those companies to move to HTML5 instead, and we are considering alternatives for the software whose developers don't appear to be making any progress towards that. Hopefully in a few years we will be able to dump Java completely.

ir0nw0lf said,
Love all the ridiculous comments about nothing on the net needs Java anymore... Maybe for *you* but for many of us it's a necessary evil.
If it needs Java, I don't need it.

DAOWAce said,
I both play some Java games and run Java apps. I'm keeping it disabled in the browser and only enabling it when I need to run a web based Java app; so other than that I don't feel there's much risk to keeping Java on my system.
An alternate solution is to set up a portable Java installation and use it with a portable version of your favourite browser. I also use it for Minecraft and any other Java programs that run outside the browser; this way any and all Java vulnerabilities aren't exposed on the system except when actively using those specific websites/programs.

http://portableapps.com/apps/utilities/java_portable

http://portableapps.com/apps/internet/firefox_portable

LaP said,
Java doesn't harm your computer as long as you disable the java browser plugin.

Yet another user who believes they are safe if they disable the browser plugin part of Java. You are not safe if Java is installed, period. The same goes for, say, Flash/Adobe Reader/etc. If it is not installed then you can't be affected by it.

Same with me. I uninstalled it from all of my computers last weekend. Nothing worth installing needs it, so why bother.

Here's a quick tip on how to update your machine:

Control Panel > Add/Remove programs > Select Java Runtime Environment > Uninstall

You're all set! Your machine is ready to go!

That won't help. You're only disabling one part of Java, and that's the web browser plugin part. Java can still be exploited like anything else. Another way in is your OS itself: any vulnerabilities found could lead a way into Java itself. If you want to be totally secure, you'd need to remove Java totally, but that would mean if you rely on Java apps or are using them, then they'd stop working.