Risky Java software: Oracle issues emergency fix to thwart hackers
"It’s nice that Oracle fixed this vulnerability so quickly," writes Internet security blogger Brian Krebs. But "it seems malware writers are constantly finding new zero-day vulnerabilities in Java."
A "zero-day" attack is one that exploits a vulnerability that has not been documented before, so defenders have had zero days to develop security patches.
"Most users who have Java installed can get by just fine without it," Mr. Krebs wrote Sunday, as Oracle unveiled its Java update. "If you need Java for a specific Web site, consider adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser ... with Java enabled to browse only the site(s) that require(s) it."
Some experts on personal-computer security say Java may need to be rewritten from the ground up. Bogdan Botezatu, a threat analyst at Bitdefender, a Romania-based maker of antivirus software, made this case in an interview with PCWorld published Jan. 12. He said the problem with mature and widely used products like Java and those made by Adobe is that their code has been revised so many times by so many people over the years.
"These products have become so large and have been developed by so many programmers that the makers have most probably lost control over what's in the product," Mr. Botezatu told PCWorld.
The Department of Homeland Security's cyber division, US-CERT (the United States Computer Emergency Readiness Team), issued the alert about Java late last week. Information about how to disable Java or limit the software's activity was posted over the weekend by the Monitor and a range of other publications.