January 14, 2013
New Patch Released For Java Exploit
Michael Harper for redOrbit.com — Your Universe Online
Oracle releases Java updates, exploits are found within said update, experts urge us all to disable Java, and Oracle releases even more Java updates, and the world keeps spinning 'round.
This cycle has become something of the new normal as hackers continue to use the platform as an entrance point into innocent users' computers. As it turns out, when the American government issues a warning about your product, it's easy to get a fix out the door quite quickly.
Today, Oracle has begun the cycle once more, making good on their promise to release a patch for the latest Java hole.
Java had a particularly bad year in 2012, as several exploits using Java were found, leading many experts to encourage users to simply disable it. Java began 2013 with yet another exploit which was added to a duo of popular “toolkits” used by cyber-criminals to spread malware and enlist machines into a botnet.
The inclusion of this security exploit in these toolkits meant that the exploit could potentially be very widespread and, therefore, affect hundreds of millions of Mac and PC owners. This led many security experts last week to make one more plea to all users to simply err on the side of caution and disable Java altogether on their machines.
The latest exploit had become so dangerous even the US Department of Homeland Security issued a report asking people to disable the software, likely for fear of national attack.
The latest patch from Oracle not only fixes the hole this recent exploit targets, but it also bumps the default security setting to "High", an added precaution for those who will insist on using Java into the future.
"This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation," reads Oracle's explanation of their latest fix.
Users who disabled Java in the browser and now want to rely on this fix will have to re-enable it in the Java Control Panel after installing the update; the patch does not turn browser Java back on by itself.
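As an added example (not part of the original article, and not Oracle's code or documentation), here is a small POSIX shell audit of a user's Java deployment.properties file for the two settings in play here: the security level that the update bumps to High, and the browser-plugin switch that the Java Control Panel toggles. It assumes the key names Java 7 Update 10 and later write (deployment.security.level and deployment.webjava.enabled) and the typical file locations given in the comments; check both against your own installation, since neither appears in the article.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit a Java deployment.properties file for
# the two settings discussed in the article. Key names assumed from Java 7u10+:
#   deployment.security.level   (LOW | MEDIUM | HIGH | VERY_HIGH)
#   deployment.webjava.enabled  (true | false; the "Enable Java content in the
#                                browser" box in the Java Control Panel)
# Typical per-user locations (assumed, verify on your system):
#   Linux/macOS:  ~/.java/deployment/deployment.properties
#   Windows:      %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

# prop_get FILE KEY: print the last value set for KEY ("key=value" lines),
# skipping comment lines. Empty output if the key or the file is absent.
prop_get() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        $1 == k          { v = substr($0, index($0, "=") + 1) }
        END              { print v }
    ' "$1" 2>/dev/null | tr -d '\r'
}

# java_deployment_hardened FILE: exit 0 when the file reflects a hardened
# state (browser Java off, or security level HIGH/VERY_HIGH so unsigned
# applets prompt before running); exit 1 when it does not or cannot be told.
# An unset level means the installed release's default applies, which is
# only HIGH from the release this article covers onward, so it is flagged.
java_deployment_hardened() {
    file="$1"
    webjava=$(prop_get "$file" deployment.webjava.enabled)
    level=$(prop_get "$file" deployment.security.level)

    if [ "$webjava" = "false" ]; then
        echo "$file: Java content in the browser is disabled"
        return 0
    fi
    case "$level" in
        HIGH|VERY_HIGH)
            echo "$file: browser Java enabled, security level $level (unsigned applets prompt)"
            return 0 ;;
        "")
            echo "$file: browser Java enabled, security level unset (depends on installed release; verify it is patched)"
            return 1 ;;
        *)
            echo "$file: browser Java enabled, security level $level (unsigned applets may run silently)"
            return 1 ;;
    esac
}

# Stand-alone usage on a constructed sample file (not a real capture):
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf 'deployment.security.level=MEDIUM\ndeployment.webjava.enabled=true\n' > "$demo"
    java_deployment_hardened "$demo" || echo "-> not hardened"
    rm -f "$demo"
fi
```

Run it with `--demo` to see the verdict on the constructed file, or call `java_deployment_hardened` on your own deployment.properties. Note that the per-user file only records settings the user has changed; a file with no security level set tells you nothing on its own, which is why the script flags that case rather than assuming the new High default.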
A security patch and a slightly upgraded default security setting might not be enough for some security experts to fully trust Java once more.
Speaking to Reuters, Adam Gowdiak of Poland's Security Explorations gave one of the more succinct quotes summing up this latest round with Java.
"We don't dare to tell users that it's safe to enable Java again," explained Gowdiak.
Given Java's recent history, it's probably best to follow Gowdiak's advice and continue to steer clear of it. After all, if you've had it disabled and haven't noticed a change in the way you browse, then it's likely you'll be fine without it.
Though Oracle has once again issued a fix, it's not too late to take action and disable Java on your machines, at least in your web browser. For help on disabling this software, visit this helpful site from Sophos.