Java update still vulnerable, warns DHS
In spite of the emergency software update issued on January 13th by Oracle, the United States Department of Homeland Security still advises computer users to disable Java in their web browsers, as concern remains that the program still contains unpatched vulnerabilities. The DHS report, issued January 10th, detailed a vulnerability that could be exploited by attackers and advised all web users to disable Java within their web browsers until a satisfactory patch was released. Since then, Oracle has scrambled to come up with a satisfactory patch, with little success.
Last Tuesday, Roanoke College’s IT department took action to disable Java on classroom, campus office and lab computers. In the campus-wide email, it was highly recommended that students disable Java within their other browsers and on other computers, including laptops or personally owned computers. (If there are any questions or concerns about this process, it is highly recommended that you call the Helpdesk at 375-2225.) Java is a plug-in for web browsers that allows certain functionality within web pages, so disabling it may cause some websites not to work fully.
According to the DHS website, the vulnerability can be exploited “by convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.” Also according to the DHS report, all versions of Java 7 through Update 10 are affected, with an especially high risk to web browsers using the Java 7 plug-in.
Java 7, released in 2011, has been a concern for security experts who say that the “special code” to take advantage of these vulnerabilities has been and is being sold on the black market through so-called “Web exploit packs” to malicious internet users who may have otherwise been amateurs at this type of exploitation.
Oracle has released two patches, the first to hastily address the flaw highlighted by the government and the other to try to patch a flaw that DHS said was “different but equally severe.” These patches also set Java’s default security level to “high,” which in theory will give users a prompt to decline malicious software before it is installed. Still, security experts caution users to simply turn it off, as these prompts can easily be mistaken for the legitimate Java prompts that appear on websites when Java is disabled. These prompts would allow users to simply turn it back on with a single click and could be exploited.
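The two facts a campus help desk most needs from a machine are the ones the article states: whether the installed Java is in the affected range (Java 7, Update 10 and earlier) and whether the browser plug-in is still enabled. The following is an added example written for this article, not code from Oracle, DHS or Roanoke College. It parses `java -version` style output and a Java `deployment.properties` file; the sample strings are constructed, and the property names `deployment.webjava.enabled` (the setting behind the "Enable Java content in the browser" checkbox) and `deployment.security.level` are assumed from the Java 7 Update 10 control panel rather than taken from the article.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample lines in the format printed by `java -version`
# (made up for this example, not captured from a real host).
SAMPLE_VERSION_LINES = [
    'java version "1.7.0_10"',   # affected per the article (Java 7 through Update 10)
    'java version "1.7.0"',      # Java 7 GA, no update suffix: also affected
    'java version "1.6.0_37"',   # Java 6: outside the range the article names
    'java version "1.7.0_11"',   # above Update 10: not flagged by this check
]

# Constructed deployment.properties content. Both property names are assumed
# (Java 7u10 control panel settings), not taken from the article.
SAMPLE_PROPS_DISABLED = """#deployment.properties
deployment.webjava.enabled=false
deployment.security.level=HIGH
"""

SAMPLE_PROPS_ENABLED = """#deployment.properties
deployment.security.level=MEDIUM
"""

# "1.7.0_10" -> major 7, update 10; the "_update" part is optional (GA builds omit it).
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(line: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a `java -version` line, or None if no version is found."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) is not None else 0
    return major, update


def is_affected(major: int, update: int) -> bool:
    """Affected range exactly as the article states it: Java 7, Update 10 and earlier."""
    return major == 7 and update <= 10


def parse_deployment_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for deployment.properties; '#' lines are comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def browser_java_enabled(props: Dict[str, str]) -> bool:
    """The plug-in counts as enabled unless the property is explicitly 'false'
    (the control panel default is enabled)."""
    return props.get("deployment.webjava.enabled", "true").lower() != "false"


def assess(version_line: str, props_text: str) -> Dict[str, object]:
    """Combine the two checks into the decision the article's advice implies:
    an affected Java with the browser plug-in still on is the case to act on."""
    parsed = parse_java_version(version_line)
    props = parse_deployment_properties(props_text)
    affected = parsed is not None and is_affected(*parsed)
    enabled = browser_java_enabled(props)
    return {
        "version": parsed,
        "affected": affected,
        "browser_enabled": enabled,
        "security_level": props.get("deployment.security.level"),
        "action_needed": affected and enabled,
    }


if __name__ == "__main__":
    for line in SAMPLE_VERSION_LINES:
        print(line, "->", assess(line, SAMPLE_PROPS_ENABLED))
    print(assess(SAMPLE_VERSION_LINES[0], SAMPLE_PROPS_DISABLED))
```

On a real host the version line would come from running `java -version` (it prints to stderr) and the properties file from the user's Java deployment directory; the example keeps both as constructed strings so it runs offline. Note that the article's advice is to disable the plug-in regardless of version, so `action_needed` is the narrow case, not a reason to leave other installs alone.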
“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” DHS said Monday the 14th in an updated alert published on the website of its Computer Emergency Readiness Team. “To defend against this and future Java vulnerabilities, consider disabling Java in Web browsers until adequate updates are available.”