Oracle releases Java fix, but security concerns remain

Oracle has released Java 7 update 11, which addresses a Zero Day flaw that enables intruders to install malware on vulnerable systems.

Oracle released Java 7 update 11 (Java 7u11) on Sunday following a warning from the U.S. Computer Emergency Readiness Team (US-CERT) advising users to disable the software due to a serious and previously unknown security vulnerability. Even with the available fix, CERT, part of the Department of Homeland Security, is still advising users to disable Java on their systems unless running the software is "absolutely necessary."

[RELATED: Time to Give Java the Boot?]

The so-called Zero Day flaw was actively being used to secretly install malware on systems of unsuspecting victims and the exploit affected Windows, Mac, and Linux users, according to CERT's security bulletin. The vulnerability affects versions of Java 7, and does not apply to Java 6.

What Java 7u11 does

The biggest change  for users with the newest version of Java is that now all unsigned Java applets and Web start applications are click-to-run. This means you must explicitly authorize Java to run in your browser nearly every time you come across Java on the Web. Java is a cross-platform programming language often used online for Web content and applications such as games and interactive charts. Oracle's vulnerability fix affects only users running Java in their browsers, and does not apply to servers, desktop applications, or embedded Java apps.

Oracle is also calling on users to update their systems as soon as possible. "Due to the severity of these vulnerabilities," Oracle's security alert reads. "Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible."

Oracle's latest Java snafu is prompting calls by some to completely rewrite Java from the ground up due to its popularity as a way to attack PCs. The latest Java vulnerability comes close to five months after Oracle released updates to Java for three major security holes in late August, two of which were actively being used by malicious hackers.

You can download the latest Java update from Oracle's Website.  If you'd like to follow CERT's advice and disable Java, Oracle has a step-by-step instruction guide for Windows users. If you need Java and can't turn it off, check out Computerworld's tutorial on how to be as safe as possible with Java.

How to disable Java

If you'd like to disable Java just in a specific browser, here's how to do it:

Chrome: type Chrome://plugins into the address bar and hit enter. Look for the Java plugin and click the "Disable" link.

Firefox: click on the orange Firefox button on the left and select "Add-ons." Then in the page that opens select "Plugins" from the left-hand side. Look for the Java platform plugin and click the disable button.

Internet Explorer: you cannot disable Java for Internet Explorer the same way you can for Chrome and Firefox. Instead, follow Oracle's step-by-step instruction guide to disable Java system-wide.

Tags browsersOraclejavasoftwareapplicationsWeb & communication software

Show Comments