Oracle Patches Java Vulnerability
Oracle says it has repaired a security flaw in its Java software that inspired a rare call from the Department of Homeland Security, advising consumers to disable the software entirely.
On Sunday afternoon, Oracle released a patch for the critical vulnerability, which could be exploited to install and execute malicious code on unguarded systems. And not a moment too soon. By the end of last week, security researchers had already spotted malware designed to exploit it in the wild. Some theorized the flaw potentially put more than 850 million PCs at risk.
In a bulletin, Oracle said that the patch not only repairs the vulnerability, but switches Java’s security setting to “high” by default. “The default security level for Java applets and web start applications has been increased from ‘medium’ to ‘high,’” Oracle said in an advisory today. “… With the ‘high’ setting the user is always warned before any unsigned application is run to prevent silent exploitation.”
A thoughtful additional precaution — though one you’d think it would have occurred to Oracle to add earlier on. But are these measures sufficient to protect consumers who use Java? Java security expert Adam Gowdiak isn’t so sure. “We don’t dare to tell users that it’s safe to enable Java again,” Gowdiak told Reuters. H.D. Moore, chief security officer at the security firm Rapid7, took an even dimmer view of the patch and the software itself. “Users should simply disable it,” he told Forbes. “The amount of utility it offers is so much smaller than the risk it creates for users. It’s much safer to leave it off.”