Java still not being used by DHS

An article by paradise    Comments Off on Java still not being used by DHS

The Department of Homeland Security says despite some fixes to Java, it continues to recommend users disable the program in their Web browsers, because it remains vulnerable to attacks that could result in identity theft and other cyber crimes.

The Computer Emergency Readiness Team, part of the DHS, first took the unusual step last week of issuing an alert, warning users to disable Java, saying the program could be manipulated by criminals to trick users into visiting malicious websites that could infect their computers with malware, or allow criminals to steal personal financial data on users’ PCs.

Oracle, maker of Java said on its security blog Sunday that it updated Java 7 for Web browers, fixing two vulnerabilities. The company also switched Java’s security settings to “high” by default, which should make it more difficult for malware to run without the user knowing it.

Even so, security experts have since warned that several critical security flaws remain.

“All versions of Java 7 through update 10 are affected. Web browsers using the Java 7 plug-in are at high risk,” said the Computer Emergency Readiness Team on its website:

This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.

For information on how to disable Java, you can learn more here.

Java is a computer language that lets software be written using one set of code that can run on any computer, no matter the operating system. “It s required by some Web sites that use it to run interactive games and applications,” writes security expert Brian Krebs on his Krebs on Security blog.

“Java is not as widely used as it once was, and most users probably can get by without having the program installed at all. I have long recommended that users remove Java unless they have a specific use for it. If you discover later that you really do need Java, it is trivial and free to reinstall it.”

Sophos Security notes that understandably, some users mistakenly think turning off Java also turns off JavaScript, which controls the look and feel of Web pages.

“Most modern websites make heavy use of JavaScript, so these people are worried that sites such as Facebook, Twitter … will be pretty much useless if they follow our ‘turn Java off’ advice,” writes Paul Ducklin of Sophos Security on the company’s blog Wednesday.

“Turning off Java will not turn off JavaScript,” he says.