Oracle’s Java exploit may take years to fix
Security experts are warning people not to run Java in their web browsers. While Oracle has issued a patch for the Java vulnerability, it may take up to two years before a complete fix is made.
On Sunday, January 13, 2013, Oracle issued a patch for the latest Java security problems, being called the “zero-day” flaw. Still, experts are warning that the patch is not sufficient and that Java should be avoided at all costs. The U.S. Department of Homeland Security’s US-CERT team agrees, and is asking people to simply avoid all Java browser plugins on their computers for now.
A January 14 announcement on the DOHS website titled “Vulnerability Note VU#625617” warns users that Java 7 Update 10 and all earlier versions of Java 7 contain a vulnerability that allows a third party to gain unauthorized access.
The flaw in Java 7 allowed attackers to run their own code on a victim’s computer and then gain complete control of it. In fact, the problem was found in two vulnerable areas, both of which involved bypassing the Java security manager to obtain unrestricted access to Java classes.
“This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected,” reads the DOHS US-CERT website alert. “By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.”
The website explicitly warns users to disable all Java in their web browsers immediately, even after Oracle’s 7u11 update. “Unless it is absolutely necessary to run Java in web browsers, disable it even after updating to [Java 7 update 11],” the US-CERT team writes. “This will help mitigate other Java vulnerabilities that may be discovered in the future.”
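The browser-side mitigation US-CERT recommends can be enforced system-wide rather than left to each user. The deployment configuration below is an added example, not from the article, US-CERT or Oracle; it uses the `deployment.webjava.enabled` property that Java 7 Update 10 introduced, and the file locations are assumptions for a typical Windows installation.

```properties
# File 1 (assumed path): %WINDIR%\Sun\Java\Deployment\deployment.config
# Points the JRE at a system-level properties file and makes it mandatory,
# so the plugin refuses to start if the file cannot be read.
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# File 2 (assumed path): C:\Windows\Sun\Java\Deployment\deployment.properties
#
# Weak setting (the Java 7u10 default): Java content in the browser is enabled,
# so any web page can load an applet through the plugin.
#   deployment.webjava.enabled=true
#
# Hardened setting: disable Java in all browsers and lock the property so the
# Java Control Panel shows it greyed out and a user cannot re-enable it.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
```

The `.locked` entry has no value; its presence alone locks the property. The JRE only re-reads these files when the plugin starts, so open browsers must be restarted for the change to take effect.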
Software security experts said that it might take Oracle up to two years to sort out the bugs found in Java’s security management. The writers at the Sophos website Naked Security agree with the US-CERT team, and said that installing a patch from Oracle would not be enough to guard one’s computer in the future. “Patching against this security hole isn't the end of the story,” writes Graham Cluley at Naked Security. “You need to seriously consider whether Java has any place in your browser at all.”