Java 7 patch released, experts say may contain flaws
Updated 2:14 p.m. ET
Oracle released a patch for Java 7 on Sunday to address vulnerability in the software that hackers are exploiting.
The Department of Homeland Security (DHS)last Thursday advisedusers to disable Java to protect their computers from potential attacks from hackers. The government agency says that all versions of Java 7 through update 10 are affected, and that web browsers using the Java 7 plug-in are at high risk.
- U.S. tells computer users to disable Java software
- New malware exploiting Java 7 in Windows, Unix systems
Java is a widely used technical language that allows computer programmers to write a wide variety of Internet applications and other software programs that can run on just about any computer's operating system.
DHS reported that hackers could use entice potential victims with links to websites that host a malicious Java applet or breach a legitimate website and upload a malicious Java applet.
Oracle addressed the security threat by releasing Java SE 7 update 11. The company provides instructions on how to update the software patch on its website.
Although it appears that the software vulnerability has been fixed, there may still be bugs in the software.
Reuters reports that Adam Gowdiak, Java security expert at Security Explorations, says Oracle's update leaves "several critical security flaws" unfixed.
"We don't dare to tell users that it's safe to enable Java again," Gowdiak told Reuters.
In a statement given to CBS News, Security Exploration elaborated on the possible security flaw.
Although Java 7 Update 11 released by Oracle yesterday addresses the 0-day attack spotted in the wild, there are still unpatched security vulnerabilities that affect the most recent version of the software. Just to mention the bug #50 we reported to Oracle on 25-Sep-2012.
That doesn't necessarily mean users should skip the software update. Kurt Baumgartner, senior security researcher at Kaspersky Lab, tells CBSNews.com that it appears that Oracle fixed the issue at hand, but there are always going to be flaws in software.
"No one is going to guarantee 100 percent on any issue, but they are taking care of the issue at hand," Baumgartner said, adding that it's unnecessary, and to a certain extent unrealistic, for all users to disable Java.
Last year Kaspersky Labs found that 50 percent of all cyber attacks last year using software bugs were done by exploiting a hole in Java. Baumgartner posits that one of the security risks is that Oracle may know about a software vulnerability, but may not release a patch in time to protect users.
Baumgartner suggests people use a comprehensive security suite -- which has more features than an anti-virus software -- that offers "automatic exploits prevention."
"You don't need to disable Java," Baumgartner said. "You need a security solution that works properly."
Whether using security software or basic safety measures, experts agree that people should take precaution when using the Internet.
"Users that must use Java Plugin in the browser on a daily basis should limit its use to trusted hosts only," a spokesperson for Security Exploration told CBS News. "They should also take extreme precaution whenever a warning window appears that asks for permission to run Java application in their system."
Oracle did not immediately respond to CBSNews.com's request for comment.
