Post-patch, US-CERT continues call to disable Java plug-in
"Those needing the Java plug-in on a daily basis might think about adopting some form of click-to-play technology that would allow for a flexible configuration of the conditions under which the plug-in is allowed to run in the browser," said Gowdiak.
Java 7, the version exploitable through the latest vulnerabilities, has an option that lets users completely disable the plug-in. Sunday's update also modified Java's security settings so that it now refuses to run unsigned applets without user approval.
Chou urged users to be cautious while browsing potentially-risky sites, although that may be difficult: Exploits are often hosted on legitimate websites that have been compromised by hackers.
Java has been increasingly targeted by attackers, in part because it's a cross-platform technology that can be exploited not only on Windows PCs, but also on Macs. According to the Russian antivirus vendor Kaspersky, more than half of all attacks in the third quarter of 2012 leveraged Java vulnerabilities. Microsoft said much the same more than a year ago.
Other companies' software has been similarly targeted in the past, notably Adobe's Reader, a factor in that firm's increased attention to security over the last few years. Oracle may need to do the same to prove that Java is secure enough to use.
"This is a wake-up call for [Oracle]," said Gowdiak, when asked whether the US-CERT recommendation had long-term implications for Java's survival and continued use.
"This isn't the demise of Java," cautioned Chou. "It won't be going away anytime soon, especially on the server side and for desktop applications. I have no idea if Oracle will be able to move Java onto a more secure path. [But] it takes time, even when the organization is serious."
Other security pros, though, were ready to give up on Java. In a tweet last week, Andrew Storms, director of security operations at nCircle Security, simply said, "Just uninstall Java."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts