Despite an emergency software update issued yesterday by Oracle, the U.S. Department of Homeland Security is still advising computer users to disable Java on their Web browsers, fearing that an unpatched vulnerability remains.
Oracle released a software update on Sunday to address a critical vulnerability in Oracle's Java 7 after the DHS' Computer Emergency Readiness Team issued an advisory last week recommending users disable the cross-platform plugin on systems where it was installed. The flaw could allow a remote, unauthenticated attacker to execute arbitrary code when a vulnerable computer visits a Web site that hosts malicious code designed to take advantage of the hole.
Oracle said in an advisory yesterday that it "strongly" recommended users update their Java software to repair the vulnerability. But the DHS is still worried that further, unknown flaws may exist in Java.
"Unless it is absolutely necessary to run Java in Web browsers, disable it as described below, even after updating to 7u11," CERT said in an updated note today that included instructions for disabling the plugin. "This will help mitigate other Java vulnerabilities that may be discovered in the future."
DHS cited security company Immunity as reporting that Oracle's update addressed only one vulnerability and that another still existed.
"The patch did stop the exploit, fixing one of its components," Immunity said in a blog post today. "But an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users."
CNET has contacted Oracle for comment and will update this report when we learn more.
Homeland Security still advises disabling Java, even after update
This article
Homeland Security still advises disabling Java, even after update
can be opened in url
http://newsmesosternum.blogspot.com/2013/01/homeland-security-still-advises.html
Homeland Security still advises disabling Java, even after update
