You’ve probably heard that Java has a significant flaw, a “zero-day vulnerability,” that can allow hackers to root around in your computer. You’ve probably also heard that Oracle released a patch on Sunday. Case closed.
Not so fast, punk.
The Department of Homeland Security says slam shut your Java trunk, disable it, tear it out of your dashboard and toss it into a dumpster behind an Abby’s Pizza, take it out into the desert and bury it in a shallow grave, or words to that effect.
Or, as the DHS put it in its scandalously titled screed, “Vulnerability Note VU#625617,” it doesn’t matter whether you’ve installed the update, because only one of the two vulnerabilities discovered in Java is actually eliminated. Yes, Oracle released a patch (Java 7 Update 11) on Sunday that is supposed to fix the flaw. But the DHS begs to differ.
“Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains ... Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.”
Given Java’s wide installed base, on Windows PCs and Macs as well as on mobile devices, an estimated 100 million machines may be at risk. The flaw is reached through the browser plug-in, so the machines actually exposed are the ones with Java enabled in a web browser, which is exactly the setting the DHS note tells you to turn off.
Perhaps the recent discovery of the Red October computer spying campaign has made the DHS even more sensitive to the possibilities of exploitation.
According to MacRumors, Apple agrees with the Department of Homeland Security’s assessment and has blocked the Java browser plug-in on OS X until further notice.
In case you’re not sure whether Java is installed on your PC, or how to disable it in your browser, Gizmodo has published a handy step-by-step guide.
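If you would rather check the setting yourself than trust a checkbox, the plug-in switch lives in a plain text file. Here is an added example (not from the original article, and not Oracle’s own tooling) in Python: it parses the per-user `deployment.properties` file that the Java Control Panel writes, reports whether the browser plug-in is enabled, and can rewrite the file so the plug-in is off and the security slider is at its highest level. The property names `deployment.webjava.enabled` and `deployment.security.level` are the ones the Java 7u10+ Control Panel uses; the per-platform file paths are the usual per-user locations, and the sample file contents are constructed for the demo. One caveat the script encodes: a file that simply lacks `deployment.webjava.enabled` means the plug-in is ON, because the default is enabled.

```python
"""Check and harden a Java deployment.properties file (added example, not Oracle tooling)."""
import os
import sys

# Keys the Java Deployment Toolkit (7u10 and later) reads from deployment.properties.
WEBJAVA_KEY = "deployment.webjava.enabled"   # the "Enable Java content in the browser" box
LEVEL_KEY = "deployment.security.level"      # the security slider: LOW/MEDIUM/HIGH/VERY_HIGH
HARDENED = {WEBJAVA_KEY: "false", LEVEL_KEY: "VERY_HIGH"}

# Constructed sample: roughly what a per-user file looks like right after the 7u11 update.
# Note there is no deployment.webjava.enabled line at all, which means "enabled".
SAMPLE = (
    "#deployment.properties\n"
    "#Sun Jan 13 12:00:00 PST 2013\n"
    "deployment.version=7.11\n"
    "deployment.javaws.viewer.bounds=140,140,720,360\n"
    "deployment.security.level=HIGH\n"
)


def _unescape(s):
    """Undo the backslash escapes Java uses in .properties keys and values."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            i += 1
            c = {"n": "\n", "t": "\t", "r": "\r"}.get(s[i], s[i])
        out.append(c)
        i += 1
    return "".join(out)


def _split_kv(line):
    """Split one logical line into (key, value): key ends at the first unescaped '=', ':' or blank."""
    i = 0
    while i < len(line) and line[i] not in "=: \t":
        i += 2 if line[i] == "\\" else 1          # skip an escaped character entirely
    key, rest = line[:i], line[i:].lstrip()
    if rest[:1] in ("=", ":"):                    # optional separator after the whitespace
        rest = rest[1:].lstrip()
    return _unescape(key), _unescape(rest)


def parse_properties(text):
    """Parse .properties text into a dict; '#'/'!' comments, blank lines and '\\' continuations handled."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip() if logical else raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:                     # odd number of trailing backslashes: continued
            logical += line[:-1]
            continue
        key, value = _split_kv(logical + line)
        props[key] = value
        logical = ""
    return props


def browser_java_enabled(props):
    """True unless the file explicitly says false: a missing key means the plug-in is on."""
    return props.get(WEBJAVA_KEY, "true").strip().lower() != "false"


def harden(text, lock=False):
    """Return the file text with the plug-in disabled and the slider at VERY_HIGH.

    Existing lines for the two keys are rewritten in place; missing ones are appended.
    lock=True also emits '<key>.locked' lines; that suffix only has effect in the
    system-level deployment.properties, where it stops users flipping the setting back.
    """
    wanted = dict(HARDENED)
    if lock:
        wanted.update({k + ".locked": "" for k in HARDENED})
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and stripped[0] not in "#!":
            key, _ = _split_kv(stripped)
            if key in wanted:
                value = wanted.pop(key)
                out.append(key if value == "" else "%s=%s" % (key, value))
                continue
        out.append(raw)
    for key, value in wanted.items():
        out.append(key if value == "" else "%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def default_properties_path():
    """Per-user deployment.properties location for the current platform (assumed usual paths)."""
    home = os.path.expanduser("~")
    if sys.platform.startswith("win"):
        return os.path.join(home, "AppData", "LocalLow", "Sun", "Java", "Deployment", "deployment.properties")
    if sys.platform == "darwin":
        return os.path.join(home, "Library", "Application Support", "Oracle", "Java", "Deployment",
                            "deployment.properties")
    return os.path.join(home, ".java", "deployment", "deployment.properties")


def main(argv):
    args = [a for a in argv[1:] if not a.startswith("--")]
    path = args[0] if args else default_properties_path()
    text = open(path).read() if os.path.exists(path) else ""
    props = parse_properties(text)
    print("%s: browser plug-in %s, security level %s" % (
        path, "ENABLED" if browser_java_enabled(props) else "disabled", props.get(LEVEL_KEY, "(default)")))
    if "--apply" in argv:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(harden(text))
        print("rewritten; restart the browser for the change to take effect")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the current state of your own file, or `--apply` to rewrite it; the browser has to be restarted before the plug-in actually goes away. This only governs the Oracle plug-in that reads that file, so a browser-side check (the Java entry in the browser’s plug-in list) is still worth doing afterwards, and on a managed fleet the `.locked` variant belongs in the system-level file rather than each user’s.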
UPDATE: The Department of Homeland Security released the following statement: “The U.S. Computer Emergency Response Team (US-CERT) estimates that it may take some time for researchers to digest the latest patch that’s been distributed to address the vulnerability. US-CERT will continue to monitor the situation and issue updates as they become available.”
DHS also clarified that the revelation of "Red October" was not a factor in the recommendation to disable Java.