Yesterday, the Department of Homeland Security issued a warning regarding Java, advising users to disable it in their web browsers. This was followed by a Critical Patch Update Pre-Release Announcement from Oracle, which suggests that users temporarily disable it because of security issues. According to the advisory, Java leaves the computer open to attack.
The warning was posted by the Department of Homeland Security's Emergency Readiness Team, which issued Vulnerability Note VU#625617 to address the issue. The advisory says, "Due to the number and severity of this and prior Java vulnerabilities, it is recommended that Java be disabled temporarily in web browsers as described in the 'Solution' section of the US-CERT Alert and in the Oracle Technical Note 'Setting the Security Level of the Java Client.'"
Individuals with malicious intent can exploit the vulnerability in Java to infect the machine. Ready-made exploit kits that take advantage of the issue are available for sale online, making it a fairly simple task for anyone to perform. With the kits, ransomware can be placed on machines and identities can be stolen, among other things.
Oracle has stated that it will release a patch for the issue on January 15 that will fix 86 security vulnerabilities. The company is requesting that users update Java as soon as possible after the patch is released. In response to the advisory from the Department of Homeland Security, Mozilla announced that newer Java plug-ins on Firefox are now blocked from auto-loading unless the user manually authorizes them.
[via Mercury News]