Java still risky, even after security update: US

Java still risky, even after security update: US Zeebiz Bureau

Los Angeles: Trouble with Java software seems to continue. Despite a claim released by Oracle Corp that the problem has been fixed, the US Department of Homeland Security has warned that a security update of Java for Web browsers does not do enough to protect computers from attack.

According to reports, "Unless it is absolutely necessary to run Java in web browsers, disable it," the Department of Homeland Security's Computer Emergency Readiness Team said on Monday in a posting on its website.

The software maker Oracle had released an update to Java on Sunday, just days after the government issued its initial warning on the software, saying that bugs in the program were being exploited to commit identity theft and other crimes.

Earlier, the US Department of Defense had issued an advisory to people to disable Java on systems that have it installed to avoid potential hacking.

A new Trojan horse called Mal/JavaJar-B has been found that exploits vulnerability in Oracle's Java 7 and affects even the latest version of the runtime (7u10).

The exploit has been described by Sophos as a zero-day attack since it has been found being actively used in malware before developers have had a chance to investigate and patch it.

The exploit was under review at the National Vulnerability Database and was given an ID number CVE-2013-0422.

According to CNET, unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via unknown vectors, possibly related to 'permissions of certain Java classes, as exploited in the wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack.'

The malware was seen attacking Windows, Linux and Unix systems, and while so far has not focused on OS X, may be able to do so given OS X is largely similar to Unix and Java is cross-platform.

With Agency Inputs