Homeland Security still advises disabling Java, even after update

Despite an emergency software update issued yesterday by Oracle, the U.S. Department of Homeland Security is still advising computer users to disable Java on their Web browsers, fearing that an unpatched vulnerability remains.

Oracle released a software update on Sunday to address a critical vulnerability in Oracle's Java 7 after the DHS' Computer Emergency Readiness Team issued an advisory last week recommending users disable the cross-platform plugin on systems where it was installed. The flaw could allow a remote, unauthenticated attacker to execute arbitrary code when a vulnerable computer visits a Web site that hosts malicious code designed to take advantage of the hole.

Oracle said in an advisory yesterday that it "strongly" recommended users update their Java software to repair the vulnerability. But the DHS is still worried that further, unknown flaws may exist in Java.

"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," DHS said in an updated alert published on the CERT Web site. "To defend against this and future Java vulnerabilities, consider disabling Java in Web browsers until adequate updates are available."

Security company Immunity reported that Oracle's update addressed only one vulnerability and that another still existed.

"The patch did stop the exploit, fixing one of its components," Immunity said in a blog post today. "But an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users."

CNET has contacted Oracle for comment and will update this report when we learn more.