clock menu more-arrow no yes

Filed under:

Oracle updates Java to fix security exploits already in the wild, but safety is not guaranteed

New, 18 comments
Java logo
Java logo

Although it seems like stories about security holes in browser add-ons are a dime a dozen, the last one was big enough for the US Department of Homeland Security to issue an alert. Oracle's Java is the culprit this time, with a security hole that could allow any malicious website to install software without the user's knowledge. The issue was apparently being actively exploited, so yesterday the Computer Emergency Readiness Team (US-CERT) told users that it recommends disabling Java.

Today, Oracle issued an emergency patch that it claims resolves the issue. It also changed the default security setting for Java to "High," which finally means that most users will need to approve Java applets before they run. Oracle recommends that the patch be applied ASAP, since "some exploits are available in various hacking tools," which means that it doesn't take a master-hacker to create something that could potentially be harmful to your computer.

"We don't dare to tell users that it's safe to enable Java again."

The security who originally discovered the issue, Adam Godwiak, told Reuters that he didn't believe that this latest patch is enough for users to let down their guard, "We don't dare to tell users that it's safe to enable Java again." Until and unless the situation becomes clearer, the best solution is to simply disable Java altogether and only enable it on a case-by-case basis when it's needed. Oracle itself just so happened to mention that it's now easier to disable Java in the latest version.