U.S. says Java still risky, even after security update
By Jim Finkle
(Reuters) - The U.S. Department of Homeland Security warned that a security update of Oracle Corp's Java software for Web browsers does not do enough to protect computers from attack, sticking to its previous advice that the program be disabled.
"Unless it is absolutely necessary to run Java in web browsers, disable it," the Department of Homeland Security's Computer Emergency Readiness Team said on Monday in a posting on its website.
The software maker released an update to Java on Sunday, just days after the government issued its initial warning on the software, saying that bugs in the program were being exploited to commit identity theft and other crimes.
Security experts have warned that PCs running Java in their browsers could be attacked by criminals seeking to steal credit-card numbers, banking credentials, passwords and commit other types of computer crimes.
The Java software platform, created in the mid-1990s, enables developers to write one set of code that will run on PCs running on Microsoft Corp's Windows, Apple Inc Macs and servers running on the Linux operating system.
Security experts say the bugs only affect one part of the platform - software that plugs into Internet browsers.
While some researchers have long complained the software was buggy, it started generating more public scrutiny last year after a security scare in August.
"It's not like Java got insecure all of a sudden. It's been insecure for years," said Charlie Miller, a computer engineer with Twitter who has previously worked as a security consultant to Fortune 500 firms and as an analyst with the National Security Agency. Continued...