On Sunday, Oracle pushed an “unscheduled” patch (Java 7 Update 11) to fix a security hole in the Java browser plugin that had prompted the U.S. Department of Homeland Security to take the unprecedented step of advising all Internet users to disable browser-side Java. The hole was already being exploited in the wild when white hats brought it to the public’s attention last week, mainly being used to install “ransomware.”
Despite Oracle’s assurances that it’s safe for surfers to go back in the water, security experts remain uncertain about the safety of Java. On InformationWeek, writer Mathew J. Schwartz quotes at least one security expert who gives the patch itself a thumbs up:
“Veteran Java bug hunter Adam Gowdiak, who heads Security Explorations, confirmed via email Monday that Oracle’s fix is sound. ‘The version released [Sunday] blocks the recent Java 0-day exploit code,’ he said.”
However, Reuters reports that the same security expert still has reservations about Java security due to other unresolved issues:
“Java security expert Adam Gowdiak, who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.
“‘We don’t dare to tell users that it’s safe to enable Java again,’ said Gowdiak…”
Those who take the leap and re-enable Java will find they’ll now have to be more hands-on with its use. According to a security advisory published by Oracle, after installing the patch, unsigned Java applets will no longer run silently in the browser with no input from the user:
“The default security level for Java applets and web start applications has been increased from ‘Medium’ to ‘High’. This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the ‘High’ setting the user is always warned before any unsigned application is run to prevent silent exploitation.”
Users might find this a little troublesome, and a warning dialog only stops silent exploitation for as long as users don’t click through it reflexively. Indeed, it seems to be a way for Oracle to deny responsibility in the future and place blame on hapless users who click through.
Many Internet writers are suggesting that users permanently refrain from re-enabling Java. Writing on the Forbes website, Andy Greenberg points out that Apple disables the Java plugin by default in OS X, then adds:
“Java in many ways goes against all the security trends that have made browsers harder to exploit in recent years. It still requires manual updates, despite several browsers’ moves to automatically download and install new versions of themselves. And despite modern browsers’ attempts to prevent websites from gaining access to a PC beyond a limited ‘sandbox,’ Java can in many cases allow attackers to escape those restrictions, access the full hard disk and make network connections with remote servers. ‘The attack surface is so big,’ Kandek says. ‘In many ways, you don’t want Java to be able to do all the things that it does anymore.’”
Over at Slate, writer Will Oremus also weighs in on the side of those urging users to dump the Java browser plugin permanently:
“So while many media reports will direct you to the Oracle website to promptly install Java 7 update 11, there remains a far better option. Unless you’re one of the few Web users who regularly uses an important site that requires Java, take the advice of security experts like Adam Gowdiak of Security Explorations and H.D. Moore of Rapid7 and just disable it in your browser already.”
On my computers I’ve long had Java disabled on all browsers and I hardly know it isn’t there. What I do know is that by not having Java enabled, there’s one less security issue to worry me.
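To make the two settings concrete, here is an added shell script (mine, not from the original post, Oracle, or any of the writers quoted) that audits a Java 7 deployment.properties file for Oracle’s security-level setting quoted above and for the plugin-off switch that the Forbes and Slate pieces recommend. The key names deployment.security.level and deployment.webjava.enabled are the real Java 7 deployment properties; the sample files, their names and their contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Oracle: audit a Java 7
# deployment.properties file for the two settings the post discusses.
# deployment.security.level and deployment.webjava.enabled are real Java 7
# deployment property names; the sample files written below are constructed.

# Print the last value assigned to key $2 in Java properties file $1.
# The Java Control Panel writes plain key=value lines, so no escape handling is needed.
jprop() {
    val=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \#*|"") ;;                        # comment or blank line
            "$2="*) val=${line#"$2="} ;;     # later assignments win
        esac
    done < "$1"
    printf '%s\n' "$val"
}

# Classify the browser-side Java posture recorded in file $1.
# Prints one token and returns 0 only if unsigned applets cannot run silently:
#   DISABLED        deployment.webjava.enabled=false (plugin off, what the post recommends)
#   PROMPT:<level>  security level HIGH or VERY_HIGH (7u11 default: warn before unsigned code)
#   SILENT:<level>  MEDIUM or LOW (pre-7u11 behaviour: unsigned applets run unprompted)
#   UNSET           neither key present; the file only records non-default values, so the
#                   installed release's default applies and the file alone cannot confirm it
java_browser_posture() {
    webjava=$(jprop "$1" deployment.webjava.enabled)
    level=$(jprop "$1" deployment.security.level)
    if [ "$webjava" = "false" ]; then
        echo DISABLED; return 0
    fi
    case "$level" in
        HIGH|VERY_HIGH) echo "PROMPT:$level"; return 0 ;;
        MEDIUM|LOW)     echo "SILENT:$level"; return 1 ;;
        "")             echo UNSET; return 1 ;;
        *)              echo "UNKNOWN:$level"; return 1 ;;
    esac
}

# Constructed sample files standing in for ~/.java/deployment/deployment.properties
# (the per-user location on Linux).
tmp=$(mktemp -d)
printf 'deployment.security.level=MEDIUM\n' > "$tmp/weak.properties"
printf '# written by the 7u11 Control Panel\ndeployment.security.level=HIGH\n' > "$tmp/patched.properties"
printf 'deployment.security.level=HIGH\ndeployment.webjava.enabled=false\n' > "$tmp/disabled.properties"

for f in weak patched disabled; do
    printf '%-9s %s\n' "$f" "$(java_browser_posture "$tmp/$f.properties")"
done
```

Point it at ~/.java/deployment/deployment.properties on Linux or the per-user file in the equivalent location on Windows and OS X. Note that the Control Panel only writes keys whose value differs from the default, so an UNSET result on a fresh 7u11 install means the new HIGH default is in force, while on an older release it means the old MEDIUM one; an administrator who wants the plugin off rather than merely defaulted can put deployment.webjava.enabled=false in the system-level deployment.properties together with the matching .locked key so users cannot flip it back.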