Risky Java software: Oracle issues emergency fix to thwart hackers
Days after the US issued a security alert to millions of computer owners to temporarily disable Java, Oracle released an emergency fix to its product and urged it be made as soon as possible.
Software giant Oracle has released a security update for its widely used Java product, after the US Department of Homeland Security issued an alert warning millions of computer users of a high risk of cyberattack.
The department had encouraged computer users to disable Java, software that frequently runs in the background when computers are browsing the Internet. As of late last week, malicious software "kits" were available for criminals to use in exploiting the Java security gap.
"Due to the severity of these vulnerabilities ... Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible," the company said in announcing the fix.
To implement Oracle's fix, you can visit the Java update or Java download pages. On the update page, see the "update manually" link near the top. Following the instructions may require that you go to your computer's control panel and type "Java" in a search bar, to open a Java control panel. Then you can click a tab labeled "update."
Oracle accompanied its fix with another change: The updated version's default security setting is now "high" rather than "medium," so that users will be asked to sign off case by case on many Java activities. Users will be "prompted before any unsigned Java applet or Java Web Start application is run," Oracle said.
Even after Oracle's move, many experts on computer security say Java software remains vulnerable to hackers.
Hacker-response experts at the group CERT, based at Carnegie Mellon University, continue to view Java as high-risk software, even with the new patch installed.
"Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating" to the newly released Java 7 Update 11, a CERT vulnerability notice says. "This will help mitigate other Java vulnerabilities that may be discovered in the future."
A number of independent Web-security analysts are sounding similar notes of caution.