Warning: Java still vulnerable after patch
If you follow this blog you know that a critical vulnerability was discovered recently in Oracle's Java Runtime Environment that has been actively exploited in the wild ever since.
The vulnerability affected only Java running in a web browser, and my initial recommendation was to turn off Java in all web browsers, or to uninstall the software completely, to protect the computer system from exploits targeting the vulnerability.
Oracle pushed out a patch a few days ago that resolves the security issue in Java 7 Patch 6 and earlier. However, the Polish security company Security Explorations discovered a new vulnerability in Oracle's patched version that attackers can exploit to break out of the Java sandbox on vulnerable systems and execute code on the operating system.
The company has informed Oracle about the new vulnerability, and won't release public information or proof of concept code until Oracle addresses the issue. What's interesting in this regard is that the company claims to have submitted 29 Java 7 vulnerabilities to Oracle in April, two of which have been actively exploited by attackers in recent days.
What does this mean for Java users? If you do not need Java and are sure about it, your best bet is to uninstall it from your system. Your second best bet after that is to disable Java in all of your web browsers, or to use a feature like click to play (Chrome click to play, Firefox click to play) or a security add-on like NoScript to block Java content from being executed when you load a web page.
Most computer users do not need Java, especially not in the web browser. While there are great programs available that have been developed in Java, like RSSOwl, JDownloader or the popular game Minecraft, most users have no programs or applications that require it to be installed on their systems. If you are running a Java desktop program and want to keep using it, you may want to check out Java portable, a portable version of Java that does not register itself with web browsers and runs only when you launch the program.