US homeland security warns against enabling Java in browsers

Saturday, 12 January 2013 - 12:20am IST | Agency: Reuters
Earlier in October, Apple began removing old versions of Java from Internet browsers of Mac computers by installing new versions of its OS X operating system.

According to the US department of homeland security, hackers have figured out a way to exploit Java to install malicious software, enabling crimes ranging from identity theft to inclusion of infected computers in an ad-hoc network that acts against other websites.

Amplifying security experts' prior warnings to the hundreds of millions of consumers and businesses that use it to surf the Web, the homeland security department has urged computer users to disable Oracle Corp's Java software.

However, the department of homeland security's computer emergency readiness team admitted on its website late on Thursday that it is "currently unaware of a practical solution to the problem".

"To defend against this and future Java vulnerabilities, disable Java in Web browsers."

Java is a computer language that enables programmers to write software utilising just one set of code that will run on virtually any type of computer, including ones that use Microsoft Corp's Windows, Apple Inc's OS X and Linux, an operating system widely employed by corporations.

Computer users access Java programs through modules, or plug-ins, that run Java software on top of browsers such as Internet Explorer and Firefox.

The US government's warning on Java comes on the heels of a warning about the newly discovered flaw by security experts earlier on Thursday. It is relatively rare for government agencies to advise computer users to completely disable software due to a security bug, particularly in the case of widely used programs such as Java.

In September, the German government advised the public to temporarily stop using Microsoft's Internet Explorer browser to give it time to patch a security vulnerability that opened it to attacks.

The department of homeland security said that attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java. It said that an attacker could also infect a legitimate website by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without experiencing any problems.

They said developers of several popular tools known as exploit kits, which criminal hackers use to attack PCs, have added software that allows hackers to exploit the newly discovered bug in Java to attack computers. Security experts have been scrutinizing the safety of Java since a similar security scare in August, which prompted some of them to advise using the software only on an as-needed basis.

At the time they advised businesses to only allow their workers to use Java browser plug-ins when prompted for permission by trusted programs such as GoToMeeting, a Web-based collaboration tool from Citrix Systems Inc. Adam Gowdiak, a researcher with Polish security firm Security Explorations, subsequently said that he had found other security bugs in Java that continued to make computers vulnerable to attack.

Java suffered another setback in October when Apple began removing old versions of the software from Internet browsers of Mac computers when its customers installed new versions of its OS X operating system. Apple did not provide a reason for the change and both companies declined comment at the time.

