Post-patch, US-CERT continues call to disable Java plug-in

It's justified, say security experts, who cite known but unpatched bugs

1 2 Page 2
Page 2 of 2

"Those needing the Java plug-in on a daily basis might think about adopting some form of click-to-play technology that would allow for a flexible configuration of the conditions under which the plug-in is allowed to run in the browser," said Gowdiak.

Java 7, the version exploitable through the latest vulnerabilities, has an option that lets users completely disable the plug-in. Sunday's update also modified Java's security settings so that it now refuses to run unsigned applets without user approval.

Chou urged users to be cautious while browsing potentially-risky sites, although that may be difficult: Exploits are often hosted on legitimate websites that have been compromised by hackers.

Java has been increasingly targeted by attackers, in part because it's a cross-platform technology that can be exploited not only on Windows PCs, but also on Macs. According to the Russian antivirus vendor Kaspersky, more than half of all attacks in the third quarter of 2012 leveraged Java vulnerabilities. Microsoft said much the same more than a year ago.

Other companies' software has been similarly targeted in the past, notably Adobe's Reader, a factor in that firm's increased attention to security over the last few years. Oracle may need to do the same to prove that Java is secure enough to use.

"This is a wake-up call for [Oracle]," said Gowdiak, when asked whether the US-CERT recommendation had long-term implications for Java's survival and continued use.

"This isn't the demise of Java," cautioned Chou. "It won't be going away anytime soon, especially on the server side and for desktop applications. I have no idea if Oracle will be able to move Java onto a more secure path. [But] it takes time, even when the organization is serious."

Other security pros, though, were ready to give up on Java. In a tweet last week, Andrew Storms, director of security operations at nCircle Security, simply said, "Just uninstall Java."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at  @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is

See more by Gregg Keizer on

Copyright © 2013 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Shop Tech Products at Amazon