Post-patch, US-CERT continues call to disable Java plug-in
"Those needing the Java plug-in on a daily basis might think about adopting some form of click-to-play technology that would allow for a flexible configuration of the conditions under which the plug-in is allowed to run in the browser," said Gowdiak.
Java 7, the version exploitable through the latest vulnerabilities, has an option that lets users completely disable the plug-in. Sunday's update also modified Java's security settings so that it now refuses to run unsigned applets without user approval.
Chou urged users to be cautious while browsing potentially-risky sites, although that may be difficult: Exploits are often hosted on legitimate websites that have been compromised by hackers.
Java has been increasingly targeted by attackers, in part because it's a cross-platform technology that can be exploited not only on Windows PCs, but also on Macs. According to the Russian antivirus vendor Kaspersky, more than half of all attacks in the third quarter of 2012 leveraged Java vulnerabilities. Microsoft said much the same more than a year ago.
Other companies' software has been similarly targeted in the past, notably Adobe's Reader, a factor in that firm's increased attention to security over the last few years. Oracle may need to do the same to prove that Java is secure enough to use.
"This is a wake-up call for [Oracle]," said Gowdiak, when asked whether the US-CERT recommendation had long-term implications for Java's survival and continued use.
"This isn't the demise of Java," cautioned Chou. "It won't be going away anytime soon, especially on the server side and for desktop applications. I have no idea if Oracle will be able to move Java onto a more secure path. [But] it takes time, even when the organization is serious."
Other security pros, though, were ready to give up on Java. In a tweet last week, Andrew Storms, director of security operations at nCircle Security, simply said, "Just uninstall Java."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts