
Homeland Security still advises disabling Java, even after update

DHS says an unpatched vulnerability may still put Web browsers using the plugin at risk of remote attack.

Steven Musil Night Editor / News

Despite an emergency software update issued yesterday by Oracle, the U.S. Department of Homeland Security is still advising computer users to disable Java on their Web browsers, fearing that an unpatched vulnerability remains.

Oracle released a software update on Sunday to address a critical vulnerability in Oracle's Java 7 after the DHS' Computer Emergency Readiness Team issued an advisory last week recommending users disable the cross-platform plugin on systems where it was installed. The flaw could allow a remote, unauthenticated attacker to execute arbitrary code when a vulnerable computer visits a Web site that hosts malicious code designed to take advantage of the hole.

Oracle said in an advisory yesterday that it "strongly" recommended users update their Java software to repair the vulnerability. But the DHS is still worried that further, unknown flaws may exist in Java.

"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," DHS said in an updated alert published on the CERT Web site. "To defend against this and future Java vulnerabilities, consider disabling Java in Web browsers until adequate updates are available."

Security company Immunity reported that Oracle's update addressed only one vulnerability and that another still existed.

"The patch did stop the exploit, fixing one of its components," Immunity said in a blog post today. "But an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users."

CNET has contacted Oracle for comment and will update this report when we learn more.