Security experts say Java bugs remain

2013-01-14 07:30
Oracle has released an emergency update to its Java software for surfing the web, but security experts said the update fails to protect PCs from attack. (Duncan Alfreds, News24)


Boston - Oracle released an emergency update to its Java software for surfing the web on Sunday, but security experts said the update fails to protect PCs from attack by hackers intent on committing cyber crimes.

The software maker released the update just days after the US Department of Homeland Security urged PC users to disable the program because of bugs in the software that were being exploited to commit identity theft and other crimes.

Oracle's failure to quickly secure the software means that PCs running Java in their browsers remain vulnerable to attack by criminals seeking to steal credit card numbers, banking credentials and passwords, and to commit other types of computer crimes.

Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

"We don't dare to tell users that it's safe to enable Java again," said Gowdiak.

Security vulnerabilities


Some security consultants are advising businesses to remove Java from the browsers of all employees except for those who absolutely need to use the technology for critical business purposes.

HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the internet.

"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.

An Oracle spokesperson declined to comment.

Oracle said on its security blog on Sunday that its update fixed two vulnerabilities in the version of Java 7 for web browsers.

It said that it also switched Java's security settings to "high" by default, making it more difficult for suspicious programs to run on a personal computer without the knowledge of the user.

Java is a computer language that enables programmers to write software utilising just one set of code that will run on virtually any type of computer, including ones that use Microsoft's Windows, Apple's OS X and Linux, an operating system widely employed by corporations.

One version is installed in internet browsers to access web content. Separate versions are installed directly on PCs, server computers and other devices including phones, webcams, and Blu-ray players.

Target

The Department of Homeland Security and computer security experts said on Thursday that hackers figured out how to exploit the bug in a version of Java used with internet browsers to install malicious software on PCs. That has enabled them to commit crimes from identity theft to making infected computers part of ad-hoc networks that are used to attack websites.

Oracle said that the flaws only affect Java 7, the program's most-recent version, and versions of Java software designed to run on browsers.

Java is so widely used that the software has become a prime target for hackers. In 2012, Java surpassed Adobe Systems' Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.

Java was responsible for 50% of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28% of all incidents. Microsoft Windows and Internet Explorer were involved in about 3% of incidents, according to the survey.

The Department of Homeland Security said attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java.

It said an attacker could also infect a legitimate website by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without experiencing any problems.

Security experts have been scrutinising the safety of Java since a similar security scare in August, which prompted some of them to advise using the software only on an as-needed basis.

Meanwhile, Microsoft said on Sunday that it would release an update on Monday to fix a previously disclosed flaw in Internet Explorer versions 6, 7 and 8 that made PCs vulnerable to attacks in which hackers can gain remote control of the machines. Microsoft previously released a temporary fix to prevent such attacks.