
Homeland Security still advises disabling Java, even after update

DHS says an unpatched vulnerability may still put Web browsers using the plugin at risk of remote attack.

Despite an emergency software update issued yesterday by Oracle, the U.S. Department of Homeland Security is still advising computer users to disable Java on their Web browsers, fearing that an unpatched vulnerability remains.

Oracle released a software update on Sunday to address a critical vulnerability in Oracle's Java 7 after the DHS' Computer Emergency Readiness Team issued an advisory last week recommending users disable the cross-platform plugin on systems where it was installed. The flaw could allow a remote, unauthenticated attacker to execute arbitrary code when a vulnerable computer visits a Web site that hosts malicious code designed to take advantage of the hole.

Oracle said in an advisory yesterday that it "strongly" recommended users update their Java software to repair the vulnerability. But the DHS is still worried that further, unknown flaws may exist in Java.

"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," DHS said in an updated alert published on the CERT Web site. "To defend against this and future Java vulnerabilities, consider disabling Java in Web browsers until adequate updates are available."

Security company Immunity reported that Oracle's update addressed only one vulnerability and that another still existed.

"The patch did stop the exploit, fixing one of its components," Immunity said in a blog post today. "But an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users."

CNET has contacted Oracle for comment and will update this report when we learn more.