Post-patch, US-CERT continues call to disable Java plug-in
"Those needing the Java plug-in on a daily basis might think about adopting some form of click-to-play technology that would allow for a flexible configuration of the conditions under which the plug-in is allowed to run in the browser," said Gowdiak.
Java 7, the version exploitable through the latest vulnerabilities, has an option that lets users completely disable the plug-in. Sunday's update also modified Java's security settings so that it now refuses to run unsigned applets without user approval.
Chou urged users to be cautious while browsing potentially-risky sites, although that may be difficult: Exploits are often hosted on legitimate websites that have been compromised by hackers.
Java has been increasingly targeted by attackers, in part because it's a cross-platform technology that can be exploited not only on Windows PCs, but also on Macs. According to the Russian antivirus vendor Kaspersky, more than half of all attacks in the third quarter of 2012 leveraged Java vulnerabilities. Microsoft said much the same more than a year ago.
Other companies' software has been similarly targeted in the past, notably Adobe's Reader, a factor in that firm's increased attention to security over the last few years. Oracle may need to do the same to prove that Java is secure enough to use.
"This is a wake-up call for [Oracle]," said Gowdiak, when asked whether the US-CERT recommendation had long-term implications for Java's survival and continued use.
"This isn't the demise of Java," cautioned Chou. "It won't be going away anytime soon, especially on the server side and for desktop applications. I have no idea if Oracle will be able to move Java onto a more secure path. [But] it takes time, even when the organization is serious."
Other security pros, though, were ready to give up on Java. In a tweet last week, Andrew Storms, director of security operations at nCircle Security, simply said, "Just uninstall Java."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts