By

Chenda Ngak /

CBS News/ January 14, 2013, 1:11 PM

Java 7 patch released, experts say may contain flaws

Updated 2:14 p.m. ET

Oracle released a patch for Java 7 on Sunday to address a vulnerability in the software that hackers are exploiting.

The Department of Homeland Security (DHS) last Thursday advised users to disable Java to protect their computers from potential attacks by hackers. The government agency says that all versions of Java 7 through Update 10 are affected, and that web browsers using the Java 7 plug-in are at high risk.

Java is a widely used programming language that lets programmers write a wide variety of Internet applications and other software that can run on just about any operating system.

DHS reported that hackers could entice potential victims with links to websites that host a malicious Java applet, or breach a legitimate website and upload a malicious Java applet to it.

Oracle addressed the security threat by releasing Java SE 7 Update 11. The company provides instructions for installing the update on its website.
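The article gives two concrete facts a defender can act on: Java 7 through Update 10 is affected, and Java SE 7 Update 11 is the fix. The following added example (not code from the article, Oracle, DHS or any vendor named here) triages `java -version` banners collected from hosts against those two facts; the host names and banner text are constructed sample data.

```python
import re

# Facts stated in the article: DHS lists Java 7 through Update 10 as affected,
# and Oracle's Java SE 7 Update 11 is the release that addresses the exploited bug.
LAST_AFFECTED_UPDATE = 10
FIXED_UPDATE = 11

# Matches the first line of `java -version` output, e.g.  java version "1.7.0_10"
# Group 1 is the major version (7 for Java 7), group 2 the optional update number.
_VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')

def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if unparsable.
    A string with no _NN suffix (e.g. "1.7.0") is treated as update 0."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update

def assess(banner):
    """Classify one host's banner against the advisory described in the article."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"          # no Java found or unrecognised output: inspect by hand
    major, update = parsed
    if major != 7:
        return "not-java-7"       # the advisory quoted in the article covers Java 7 only
    if update <= LAST_AFFECTED_UPDATE:
        return "affected"         # disable the browser plug-in and apply Update 11
    return "patched"              # Update 11 or later

# Constructed sample banners standing in for output gathered from several hosts.
SAMPLE_BANNERS = {
    "host-a": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment',
    "host-b": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment',
    "host-c": 'java version "1.6.0_37"',
    "host-d": 'java version "1.7.0"',
    "host-e": 'bash: java: command not found',
}

def triage(banners):
    """Map host name -> status so affected hosts can be listed for remediation."""
    return {host: assess(text) for host, text in banners.items()}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host}: {status}")
```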

Although it appears that the software vulnerability has been fixed, there may still be bugs in the software.

Reuters reports that Adam Gowdiak, a Java security expert at Security Explorations, says Oracle's update leaves "several critical security flaws" unfixed.

"We don't dare to tell users that it's safe to enable Java again," Gowdiak told Reuters.

In a statement given to CBS News, Security Explorations elaborated on the remaining security flaws.

Although Java 7 Update 11 released by Oracle yesterday addresses the 0-day attack spotted in the wild, there are still unpatched security vulnerabilities that affect the most recent version of the software. Just to mention the bug #50 we reported to Oracle on 25-Sep-2012.

That doesn't necessarily mean users should skip the software update. Kurt Baumgartner, senior security researcher at Kaspersky Lab, tells CBSNews.com that it appears that Oracle fixed the issue at hand, but there are always going to be flaws in software.

"No one is going to guarantee 100 percent on any issue, but they are taking care of the issue at hand," Baumgartner said, adding that it's unnecessary, and to a certain extent unrealistic, for all users to disable Java.

Last year Kaspersky Lab found that 50 percent of all cyber attacks that used software bugs exploited a hole in Java. Baumgartner posits that one of the security risks is that Oracle may know about a software vulnerability but not release a patch in time to protect users.

Baumgartner suggests that people use a comprehensive security suite, which has more features than anti-virus software alone, that offers "automatic exploits prevention."

"You don't need to disable Java," Baumgartner said. "You need a security solution that works properly."

Whether they use security software or basic safety measures, experts agree that people should take precautions when using the Internet.

"Users that must use Java Plugin in the browser on a daily basis should limit its use to trusted hosts only," a spokesperson for Security Explorations told CBS News. "They should also take extreme precaution whenever a warning window appears that asks for permission to run a Java application in their system."

Oracle did not immediately respond to CBSNews.com's request for comment.

© 2013 CBS Interactive Inc. All Rights Reserved.
blairy3334 says:
There's an easy way to disable Java immediately using Group Policy or your own management tool. We have a blog and video to show you exactly how to do it:

http://www.policypak.com/blog/entry/exactly-how-are-you-going-to-turn-off-java-now-in-your-enterprise.html
KansasCity-2012 says:
Thanks Chenda Ngak for the update.

Java vulnerabilities have deep and far reaching implications and should be taken seriously, since they can maintain surveillance on any internet browser's gatekeeper to recognize when the "gate" is open and exploit the opportunity rather efficiently. I can foresee a complex of patches and eventually a new browser revision designed to trap activities not initiated by a user input or an active application called up without proper privileges and sequences that include an encrypted tunnel through the operating system application interface and the browser.
candypants123 says:
It's best if you always expect your computer to be hacked. Honestly, who out there thinks they are smarter than a hacker?
hypnotoad72 says:
And how does this really differ from Windows, OS X, Linux, Flash, and pretty much any other operating system in existence? Patches can bandaid a flaw, but could accidentally make holes for others, and it's usually an amalgamation of flaws that hackers exploit. One could be here all day going into dozens of details, since just disabling Java won't fix everything else... and, best of all, there are some who are still sold on the idea that Apple's devices are magically immune to everything (and that's the first time the word "magical" has been used even remotely appropriately, by anyone, about their overpriced stuff)...

There are sites that can jailbreak an iPhone by going to a website and clicking a button. It'd be too easy to set up a website to do the same thing without the need to click a button. And since unjailbroken iPhones have been hacked in the past, as well as iTunes (look it up, folks, articles aplenty exist), anyone saying Apple is better will be in for a shock one day... and you don't need PWN2OWN to say anything either...

And since many companies use Java for cross-platform connectivity, just turning it off won't work for everyone. Home users that don't do content creation won't know the difference, but the world doesn't (and shouldn't) always revolve around them, especially when they'd rather research who makes a better American Idol than how real things work...