In the wake of the Department of Homeland Security’s US-CERT (Computer Emergency Readiness Team) cautioning users to disable Java in their browsers, Oracle released a patch that is supposed to close the vulnerability behind the exploit that let attackers execute code on a vulnerable system.
The exploit allowed cybercriminals to use a zero-day vulnerability in Java to stealthily install malware on computers when users visited compromised websites. The malicious Java applet worked by escalating its own privileges, without needing to be code-signed.
Anyway, once the patch was downloaded, the problem was solved and everybody lived happily ever after except the bad guys, right? WRONG.
CERT is still recommending that users disable Java altogether and, according to KQED public television’s Bay Area news blog, “other security experts are warning that Java is so flawed it could take years to make it secure.”
Java, currently installed on about a billion machines, has become the prime target of hackers, who, on finding a vulnerability, pass the information on to other hackers. The goal of these hackers is gaining access to a target’s email, online banking passwords, and anything else stored on his or her computer.
That’s why CERT advised:
Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe vulnerability (CVE-2012-3174). Java 7u11 sets the default Java security settings to “High” so that users will be prompted before running unsigned or self-signed Java applets.
Unless it is absolutely necessary to run Java in web browsers, disable it … even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
The San Jose Mercury News quoted security expert HD Moore as being in basic agreement with CERT:
(It) could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web. The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop.
Before we treat the decision to dump Java as a slam dunk, you should know that at least one expert believes the patch works just fine. Veteran Java bug hunter Adam Gowdiak told Information Week that Oracle’s fix is sound: “The version released (Sunday) blocks the recent Java 0-day exploit code.”
It seems like the most prudent course of action is to disable Java if it is not vital to your work or play.