Oracle puts JAVA users at risk
January 14, 2013 Leave a comment
Recently there have been multiple very severe security problems found in Oracle Java.
For additional background there are a range of posts online addressing specific details of the exploits and vulnerabilities:
- US Government Recommends users Disable JAVA
- What you need to know about the JAVA Exploits
- Despite Oracle patches JAVA still compromised
- JAVA fails to restrict access to privileged code
This is not just another extremely dextrous hacker trick that would be limited in its impact. It is a fundamental failure by Oracle the new owners of JAVA to address fundamental security flaws in JAVA that have led to widespread exploitation.
The worst part of this is Oracle have failed the JAVA community by skirting around the reality of the situation, Quote Java security expert Adam Gowdiak, ‘the update from Oracle leaves unfixed several critical security flaws’.
Because of the severity of this issue and the poor job Oracle has done, it is critical awareness amongst users is proactively promoted with the recommendation that appropriate action is taken to protect themselves and their companies.
The advice is to Uninstall JAVA if you don’t have a need for JAVA, and if you are unsure that you need it uninstall it to be safe. If in the future users find it is needed, then at least the latest version can be downloaded and easily installed and hopefully by then the problems resolved so the version of JAVA will be secure.
You can uninstall JAVA from the Windows Control Panel ‘Programs and Features’ (Vista, Windows 7 and 8) or the ‘Add / Remove Programs’ in Windows XP.
If JAVA is perceived to be needed for some reason, firstly check if there is an alternative method of accessing the content. If not and JAVA has to be installed then the advice is to make sure you are running the latest version which can be easily downloaded from JAVA.com this does not guarantee security, in fact the current version IS NOT SECURE.
The understanding is therefore even after updating to the latest version, you and your company are still exposed. To mitigate this disable JAVA web browser support when it is not explicitly required, only enabling it for sites you explicitly trust, then immediately disable Java support again once you are finished. To disable web browser support for Java on a Windows PC do this:
- Start – Control Panel – Open the Java icon
- Click on the security panel and uncheck the box for “enable Java content in the browser.”
- This will disable Java in your web browsers. You can manually re-enable it if you need it on a specific site.
Once Oracle addresses the current security holes in JAVA, it should be safe to re-enable Java support IF you require JAVA. That having been said it would be advisable for organisations to consider alternative technologies to JAVA that are better supported and in today’s modern multi-device world offer greater flexibility.
Perhaps this will see some sanity come back into decisions by the likes of HP, Dell and Cisco to continue building client management interfaces in JAVA.