Oracle has just released an emergency update to its Java, which was intended to fix major security vulnerability in the software. However, security experts warn that the released update isn’t effective and Oracle shouldn’t have bothered.
The update was released after the Department of Homeland Security urged users all over the country to disable Java due to presence of bugs in the software. US Homeland Security warned that Java was being used to commit identity theft.
According to Adam Gowdiak, a Polish researcher from Security Explorations, who has found a number of bugs in the software over 2011, the latest update from the company still leaves a few important security vulnerabilities unfixed, so he wouldn’t recommend users to enable Java again.
The fact that Oracle isn’t able to fix the software means that computers running Java in their web browsers are still vulnerable to attack by anyone seeking to steal personal details and use them later in scams. Moreover, the scale has already reached the point where the largest security outfits recommend companies to remove Java from the web browsers of all employees, except for those who can’t go without it.
It seems that things might get even worse. For instance, HD Moore, chief security officer with Rapid7, believes that it will take Oracle no less than 2 years to fix all the security flaws for the version of Java used for surfing the Internet. He pointed out that it might be better to assume that Java would always remain vulnerable, but people anyway don’t actually need it.
In response, Oracle claimed that its latest update fixed 2 bugs in the version of Java 7 for Internet browsers. In addition, it switched Java’s security settings to “high” by default, thus making it more difficult for suspicious software to run on a computer without the knowledge of the user.
Source - ET Article
The update was released after the Department of Homeland Security urged users all over the country to disable Java due to presence of bugs in the software. US Homeland Security warned that Java was being used to commit identity theft.
According to Adam Gowdiak, a Polish researcher from Security Explorations, who has found a number of bugs in the software over 2011, the latest update from the company still leaves a few important security vulnerabilities unfixed, so he wouldn’t recommend users to enable Java again.
The fact that Oracle isn’t able to fix the software means that computers running Java in their web browsers are still vulnerable to attack by anyone seeking to steal personal details and use them later in scams. Moreover, the scale has already reached the point where the largest security outfits recommend companies to remove Java from the web browsers of all employees, except for those who can’t go without it.
It seems that things might get even worse. For instance, HD Moore, chief security officer with Rapid7, believes that it will take Oracle no less than 2 years to fix all the security flaws for the version of Java used for surfing the Internet. He pointed out that it might be better to assume that Java would always remain vulnerable, but people anyway don’t actually need it.
In response, Oracle claimed that its latest update fixed 2 bugs in the version of Java 7 for Internet browsers. In addition, it switched Java’s security settings to “high” by default, thus making it more difficult for suspicious software to run on a computer without the knowledge of the user.
Source - ET Article
Java kiyanne software engineering wala backbone eka oka wahala kohomada? 
