Oracle updates Java, security experts say bugs remain
By Jim Finkle
BOSTON (Reuters) - Oracle Corp released an emergency update to its Java software for surfing the Web on Sunday, but security experts said the update fails to protect PCs from attack by hackers intent on committing cyber crimes.
The software maker released the update just days after the U.S. Department of Homeland Security urged PC users to disable the program because of bugs in the software that were being exploited to commit identity theft and other crimes.
Oracle's failure to quickly secure the software means that PCs running Java in their browsers remain vulnerable to attack by criminals seeking to steal credit-card numbers, banking credentials, passwords and commit other types of computer crimes.
Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.
"We don't dare to tell users that it's safe to enable Java again," said Gowdiak.
Some security consultants are advising businesses to remove Java from the browsers of all employees except for those who absolutely need to use the technology for critical business purposes.
HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web.
"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said. Continued...