Java’s security flaws prompt warnings to disable the software

by Steve Johnson, San Jose Mercury News

Millions of computer users were advised Friday to temporarily disable Oracle’s Java software because of security weaknesses that make their machines vulnerable to everything from virus-infected websites to "ransomware," which often locks users out of their computers until they pay the perpetrators.

Oracle said it will issue a patch Tuesday that contains "86 new security vulnerability fixes." It added that "due to the threat posed by a successful attack, Oracle strongly recommends" that customers update Java on their computers with the patch as soon as possible.

Java makes it easy for software programs to run on most computers and websites, and it is widely used throughout the world.

The Department of Homeland Security advised people to disable Java in Web browsers, presumably until Oracle is able to correct the problem.

Instructions from Oracle on how to disable Java can be found at:

www.java.com/en/download/help/disable_browser.xml

However, some security bloggers have warned that disabling Java can be complicated.

Apple disabled newer versions of Java on its personal computers Thursday night, but will let its customers use the software again if they install Oracle’s fixes, according to a knowledgeable source.

In addition, Mountain View-based Mozilla said in a blog post that it has begun blocking Java on its Firefox browser unless someone clicks on a feature to activate the software. The click-to-play feature "allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site," the blog said.

The Department of Homeland Security noted that "reports indicate this vulnerability is being actively exploited" by cybercrooks, who could use the flaw to lure computer users to virus-infected websites. Some crooks already are selling "exploit kits" to other crooks to take advantage of Java’s problems, said Liam Murchu, a researcher with Mountain View security firm Symantec.

He said one common scam that could be carried out with the Java flaw is to lock up a user’s computer with a ransomware virus and then demand money to unlock the machine. Another, he said, is to send a user an official-looking message saying their computer is infected and then dupe them into paying for a phony anti-virus product that doesn’t work.

Murchu said Symantec has determined that its Norton anti-virus software can block current versions of malware designed to take advantage of the Java vulnerabilities. So if a person has Norton installed on their computer, he said, "theoretically they shouldn’t need to disable Java."

However, he said, crooks may issue new types of malware that might temporarily evade Symantec’s software. "So if you really wanted to be safe," he suggested disabling Java until it can be updated with Oracle’s patch.

Murchu added that shutting off Java shouldn’t cause huge problems for most people, unless they need to access a website that requires the Oracle software, such as some payroll-related sites. In those instances, the user may need to turn on Java just long enough to access that site and then turn it off until the patch can be issued.

"Unfortunately, turning it on and off for most people is cumbersome," Murchu said. And while it may be unlikely a computer would be infected during the brief time it’s running Java, he added, "you basically never know when you’re going to be hit."

January 14 Update: Java flaw still worries some experts, despite fix