This is a follow-up to my diary on Friday, January 11.
Over the weekend Oracle, the company that distributes and maintains Java, released a patch to fix the Java vulnerability that was reported last week. The update to Java is called "Java 7 (Update 11)". Oracle's release statement for the update can be found here.
As of today, the Department of Homeland Security is still recommending that Java not be enabled in our browsers:
The U.S. Department of Homeland Security has reiterated its warning to Java users that the widely used Web plug-in still poses risks for Internet users, even after Oracle patched the software to prevent hackers from exploiting a zero-day vulnerability.In a statement to CBS, a Java security expert at Security Explorations says:
It comes as some security experts are warning that the new software -- Java 7 (Update 11), which was released on Sunday -- may not actually protect against hackers attempting to remotely execute code on user machines.
Although Java 7 Update 11 released by Oracle yesterday addresses the 0-day attack spotted in the wild, there are still unpatched security vulnerabilities that affect the most recent version of the software. Just to mention the bug #50 we reported to Oracle on 25-Sep-2012.The latest status on the Java issue from CERT can be found here. It contains the warning:
Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.In my last diary on this subject, there were a lot of excellent suggestions relating to browsers and plug-ins which may help mitigate this kind of attack. Firefox with the NoScript plugin and Chrome with the NotScript plugin were recommended. Maybe the more technical among us can assist those with less technical knowledge in assessing which of these options may be best for them, and how to make sure they are browsing safely.
Regardless of the browser you are using now, your system is at risk whether you are on a Windows, Mac, or Linux computer and the Java Plug-in is enabled in that browser (or email client if it supports a Java Plug-in like Thunderbird). Instructions on disabling Java can be found at this link.