Security experts say Java bugs remain

2013-01-14 07:30
Oracle has released an emergency update to its Java software for surfing the web, but security experts said the update fails to protect PCs from attack. (Duncan Alfreds, News24)


Boston - Oracle released an emergency update to its Java software for surfing the web on Sunday, but security experts said the update fails to protect PCs from attack by hackers intent on committing cyber crimes.

The software maker released the update just days after the US Department of Homeland Security urged PC users to disable the program because of bugs in the software that were being exploited to commit identity theft and other crimes.

Oracle's failure to quickly secure the software means that PCs running Java in their browsers remain vulnerable to attack by criminals seeking to steal credit card numbers, banking credentials and passwords, and to commit other types of computer crimes.

Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

"We don't dare to tell users that it's safe to enable Java again," said Gowdiak.

Security vulnerabilities


Some security consultants are advising businesses to remove Java from the browsers of all employees except for those who absolutely need to use the technology for critical business purposes.

HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the internet.

"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.

An Oracle spokesperson declined to comment.

Oracle said on its security blog on Sunday that its update fixed two vulnerabilities in the version of Java 7 for web browsers.

It said that it also switched Java's security settings to "high" by default, making it more difficult for suspicious programs to run on a personal computer without the knowledge of the user.

Java is a computer language that enables programmers to write software utilising just one set of code that will run on virtually any type of computer, including ones that use Microsoft's Windows, Apple's OS X and Linux, an operating system widely employed by corporations.

One version is installed in internet browsers to access web content. Separate versions are installed directly on PCs, server computers and other devices including phones, webcams, and Blu-ray players.

Target

The Department of Homeland Security and computer security experts said on Thursday that hackers figured out how to exploit the bug in a version of Java used with internet browsers to install malicious software on PCs. That has enabled them to commit crimes from identity theft to making infected computers part of ad-hoc networks that are used to attack websites.

Oracle said that the flaws only affect Java 7, the program's most-recent version, and versions of Java software designed to run on browsers.

Java is so widely used that the software has become a prime target for hackers. In 2012, Java surpassed Adobe Systems' Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.

Java was responsible for 50% of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28% of all incidents. Microsoft Windows and Internet Explorer were involved in about 3% of incidents, according to the survey.

The Department of Homeland Security said attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java.

It said an attacker could also infect a legitimate website by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without experiencing any problems.

Security experts have been scrutinising the safety of Java since a similar security scare in August, which prompted some of them to advise using the software only on an as-needed basis.

Meanwhile, Microsoft said on Sunday that it would release an update on Monday to fix a previously disclosed flaw in Internet Explorer versions 6, 7 and 8 that made PCs vulnerable to attacks in which hackers can gain remote control of the machines. Microsoft previously released a temporary fix to prevent such attacks.