Oracle releases fix for Java flaw - but it may not be enough

Posted by Emma Woollacott

Oracle has moved quickly to release a patch for a major security flaw in Java, after the Department of Homeland Security advised users to disable or remove the software.

Last week a researcher revealed that a zero-day security vulnerability within Java 7 Update 10 was being used for identity theft and the installation of malware. Indeed, the vulnerability was included in exploit packs such as Cool EK and Nuclear Pack and made available to third party hackers.

As many as 850 million PCs worldwide were potentially at risk. Mozilla responded quickly by adding Java 7 Updates 9 and 10 as well as Java 6 Updates 37 and 38 to its Firefox add-on block list, and Apple also updated its Xprotect.plist blacklist to disable the Java 7 plug-in on Macs.

Yesterday's update from Oracle, available here, changes default security settings so that unsigned Java applets or Web Start applications can no longer operate automatically, but need to prompt for permission to run first.

But the fix doesn't actually plug all the holes, says Paul Ducklin of security firm Sophos.

"Note that the vulnerabilities Oracle just patched don't apply to standalone Java applications or server-side Java installs. They apply only to applets, which run inside your browser," he says.

"Your browser routinely and unavoidably puts you in harm's way, since it inevitably downloads and attempts to parse, process and display, untrusted content. So, even after updating, I recommend that you turn Java off inside your browser unless you know you need it."

HD Moore, of online security company Rapid7, goes further - telling Reuters that it could take as long as two years for Oracle to fix all the security bugs already identified in the Java used in web browsers.

"The safest thing to do at this point is just assume that Java is always going to be vulnerable," says Moore. "Folks don't really need Java on their desktop."