Java flaw still worries some experts, despite fix

This is an archived article that was published on sltrib.com in 2013, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.

Despite Oracle's emergency fix to patch a serious vulnerability in its widely used Java software, several security experts on Monday advised computer users to minimize using the product, because of fears more flaws will be discovered.

"This is definitely a temporary fix," said Sorin Mustaca, a data security expert with Avira, a German-based company that sells anti-virus software. "If you do a fix under a lot of pressure and very, very fast, then only one thing will happen: more vulnerabilities. So, for me, this is just the rain before the storm. I think it will get worse, it will get much worse."

Still, Mustaca recommended installing Oracle's security patch, which is available here: http://java.com/en/download/index.jsp

But once that is done, he advised computer users to disable Java and only switch it on when absolutely necessary for some functions, such as those that handle stock trades and employee payrolls.

Although Java is used occasionally by millions of people worldwide, it is generally not vital for most computer or web-based functions, several experts noted. Mustaca said he uses two browsers, one with Java plugged in for limited purposes and another that he uses more frequently without Java activated.

"You're better off disabling Java," said H. D. Moore, chief security officer with Rapid7, which helps businesses identify and deal with cyber vulnerabilities. "For the most part, you don't need it."

He gave Oracle of Redwood City credit for issuing the fix on Sunday. It followed Thursday's advisory from the federal Department of Homeland Security to disable Java, because flaws found in the software could enable crooks to steal information and create other havoc for computer users. Oracle initially had said it would issue the fix on Tuesday.

"It's nice to see," since the company in the past has had a reputation for reacting slowly to flaws, Moore said. But he also noted that Java has experienced a number of previous security vulnerabilities and "there is no reason to think this is the last one."