ID: IRCNE2013011734
Date: 2013-01-15
According to CNET, despite an emergency software update issued yesterday by Oracle, the U.S. Department of Homeland Security is still advising computer users to disable Java in their Web browsers, fearing that an unpatched vulnerability remains.
Oracle released a software update on Sunday to address a critical vulnerability in Oracle's Java 7 after the DHS' Computer Emergency Readiness Team issued an advisory last week recommending users disable the cross-platform plugin on systems where it was installed. The flaw could allow a remote, unauthenticated attacker to execute arbitrary code when a vulnerable computer visits a Web site that hosts malicious code designed to take advantage of the hole.
Oracle said in an advisory yesterday that it "strongly" recommended users update their Java software to repair the vulnerability. But the DHS is still worried that further, unknown flaws may exist in Java.
"Unless it is absolutely necessary to run Java in Web browsers, disable it as described below, even after updating to 7u11," CERT said in an updated note today that included instructions for disabling the plugin. "This will help mitigate other Java vulnerabilities that may be discovered in the future."
DHS cited security company Immunity as reporting that Oracle's update addressed only one vulnerability and that another still existed.
Related Links:
New malware exploiting Java 7 in Windows and Unix systems
US-CERT: Disable Java in browsers because of exploit
Java security fix coming shortly
Oracle pushes out Java patches as zero-day vulnerabilities exposed