Even after Oracle fixed a serious security flaw in its Java software on Sunday, the Department of Homeland Security warned that the fix was not sufficient and urged users to disable Java on their Web browsers.
“Unless it is absolutely necessary to run Java in Web browsers, disable it,” the agency said in an updated alert on Monday. “This will help mitigate other Java vulnerabilities that may be discovered in the future.”
Oracle, which develops Java software, was forced to fix the security hole Sunday after the department issued this rare alert late Thursday: “Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered.”
Oracle has not answered repeated requests for comment.
Java, a widely used programming language, is installed on more than three billion devices running under various operating systems and has long been dogged by security problems. In a report, Kaspersky Lab, a Russian antivirus company, said that half of all cyberattacks last year were caused by Oracle’s Java software.
“While we called 2011 the year of the vulnerability, 2012 can justifiably be described as the year of the Java vulnerability, with half of all detected exploit-based attacks targeting vulnerabilities in Oracle Java,” Kaspersky Lab said in its security bulletin.
Although hackers have historically exploited security holes in software from Adobe Systems, in Windows and in Internet Explorer, last year Java was used in the majority of attacks. Last April, hackers exploited a Java vulnerability to infect more than half a million Apple computers with a vicious form of malware in what was the largest-scale attack on the OS X operating system to date. The exploit was particularly disconcerting because it let attackers download a malicious program onto their victims’ machines without prompting. Users did not even have to click on a malicious link for their computers to be infected. The program simply downloaded itself.
The current loophole affects not only Apple’s Mac OS X operating system but also Microsoft Windows and Linux platforms. Apple no longer ships its machines with Java enabled by default, and moved quickly after the alert to disable the software remotely on machines where it had already been installed. Those who do not own Macs were left to disable Java themselves.
To disable Java in the browser on a Windows PC, go to the computer’s Control Panel. Open the Java icon, click on the Security tab and uncheck the box for “Enable Java content in the browser.” Oracle has more detailed instructions on its Java Web site.
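The checkbox described above is a setting that can be verified without opening the Control Panel on every machine. The script below is an added example, not part of the article or of Oracle’s software: it assumes that the Java Control Panel records the checkbox in the user’s `deployment.properties` file under the key `deployment.webjava.enabled` (introduced with Java 7 Update 10), that an absent key means the plug-in stays enabled, and that an accompanying `deployment.webjava.enabled.locked` entry in the system-wide file stops users from re-enabling it. The sample file contents are constructed.

```python
"""Audit a Java deployment.properties file for the browser plug-in setting.

Added example (not from the article). Assumptions: the Java Control Panel's
"Enable Java content in the browser" checkbox maps to the property
deployment.webjava.enabled; on Windows the per-user file normally lives at
%USERPROFILE%\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.
"""

from pathlib import Path

WEBJAVA_KEY = "deployment.webjava.enabled"
# A ".locked" entry in the system-wide file prevents per-user overrides.
LOCK_KEY = WEBJAVA_KEY + ".locked"

# Constructed sample: what the file looks like after the box is unchecked.
SAMPLE_DISABLED = """\
#deployment.properties
#Mon Jan 14 10:00:00 EST 2013
deployment.version=7.21
deployment.webjava.enabled=false
deployment.security.level=HIGH
"""

# Constructed sample: a file that never had the key written (Java default applies).
SAMPLE_DEFAULT = """\
#deployment.properties
deployment.version=7.21
deployment.security.level=MEDIUM
"""


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators.

    A line with no separator is kept as a key with an empty value, which is how
    the '.locked' marker appears.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Java accepts '=' or ':' as the separator; the first one present wins.
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def browser_java_status(text):
    """Return (enabled, locked) for the browser plug-in.

    Missing key -> enabled, because Java ships with browser content enabled.
    """
    props = parse_properties(text)
    enabled = props.get(WEBJAVA_KEY, "true").strip().lower() != "false"
    locked = LOCK_KEY in props
    return enabled, locked


def audit_file(path):
    """Audit a real deployment.properties file; a missing file means defaults (enabled)."""
    p = Path(path)
    if not p.exists():
        return True, False
    return browser_java_status(p.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for name, sample in (("disabled", SAMPLE_DISABLED), ("default", SAMPLE_DEFAULT)):
        enabled, locked = browser_java_status(sample)
        state = "ENABLED" if enabled else "disabled"
        print(f"{name}: browser Java {state}{' (locked)' if locked else ''}")
```

Pointing `audit_file` at the per-user and system-wide property files gives a quick fleet check: any machine reporting `enabled` still has the plug-in the alert asked users to turn off, and a `disabled` result without `locked` can be flipped back by the user.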