Those who thought it was safe to re-up Java on their browsers will need to go back and turn it off again.
If you listen to us, once you do you’ll never turn it back on. Browser-side Java has been made pretty much obsolete by newer technologies, which means you don’t need it, especially since it’s proving to be about as easy to keep secure as ActiveX, sandbox or no. Here at FOSS Force, we haven’t had it enabled on our browsers for years, with no noticeable problems when we surf the web.
You may remember that back on January 10th it was announced that Java had a security vulnerability that was already being exploited in the wild. This security hole was serious enough to prompt the U.S. Department of Homeland Security to suggest that browser-side Java be turned off on all computers.
Since then, Oracle’s been busily trying to get it right, but having little luck. On January 13th, the company pushed an unscheduled patch to fix the most pressing security hole, but the effort failed to satisfy security experts. To make matters worse, about that time, new security problems started to be found in Java.
On February 1st, Oracle released patches addressing a total of 50 security problems, which were then bundled into Java SE 7 Update 15, released on February 19th. That was supposed to be the end of it. Guess what? It wasn’t.
Yesterday CSO Online reported that Security Explorations, the Polish security firm that discovered most of the other Java security holes, has found five new vulnerabilities in Java. This report comes only a week after the same company reported two other security flaws in the Java browser plugin.
According to CSO Online:
“The latest discovery came after Oracle rejected one of the bugs Security Explorations reported Feb. 25. ‘It made us look into Java SE 7 code and its docs once again, gathering counterargument material,’ Adam Gowdiak, chief executive of the company, said in a post on SecLists.org.”
The good news is that none of these vulnerabilities can do much harm on its own. The bad news: chain all five together and it’s a black hat payday:
“Separately, the flaws do not pose a security problem, the company said. However, when linked together, they can enable someone to bypass the Java’s anti-exploit sandbox technology. Security Explorations said it had not seen the vulnerabilities exploited in the wild.”
Because of the Java security issues discovered earlier in the year, Oracle has vowed to release Java updates every two months instead of on a four month schedule as had been the case. The next scheduled update is on April 16. Until then, you’re free to play Java roulette, if you wish.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux