Java update still has bugs, says expert
Oracle has released an emergency update to its widely used Java software for surfing the web, days after the US government urged PC users to disable the program because of a bug it said made computers vulnerable to attack by hackers.
Java security expert Adam Gowdiak, who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.
"We don't dare to tell users that it's safe to enable Java again," said Gowdiak, a researcher with Poland's Security Explorations.
An Oracle spokeswoman declined to comment on Gowdiak's analysis.
Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.
The Department of Homeland Security said attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java.
It said an attacker could also infect a legitimate website by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without experiencing any problems.
Security experts have been scrutinising the safety of Java since a similar security scare in August, which prompted some of them to advise using the software only on an as-needed basis.
http://www.stuff.co.nz/technology/digital-living/8175388/Java-update-still-has-bugs-says-expert
https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
Oracle is switching Java security settings to “high” by default. The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed.
