Well that didn’t last very long: this morning Oracle released a fix for a Java vulnerability that had the government suggesting users turn off the software. As it turns out, The Department of Homeland Security is still saying that Java poses a risk, despite the fix. The Department said in an updated security note this afternoon that Java 7 Update 11 may not actually restrict access to privileged code.
That’s the whole reason we’re writing this post – in a zero day vulnerability, it was discovered that Java 7 update 10 was allowing unsigned applets and Web Start apps to run without permission, a potentially dangerous flaw that could give malicious folks access to your computer. That obviously isn’t good, but the patch delivered earlier this morning was intended to fix that by requiring unsigned or self-signed apps ask for permission before running.
In its note, Homeland Security explains, “Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe vulnerability (CVE-2012-3174). Immunity has indicated that only CVE-2012-3174 is addressed with this update.” The department is recommending that unless absolutely necessary, users should refrain from running Java in their browsers, even if the update has been applied. A difficult task, considering that hundreds of millions of computers out there are running Java.
If you need help turning Java off, you’re in luck, because we’ve put together a guide for all of the popular browsers out there. So, it looks like we should still keep Java turned off on our computers since this vulnerability reamins present in at least some capacity. We’ll be keeping an eye on Homeland Security to see if it lifts its warning anytime soon, and will update if Oracle has anything to say about this renewed warning. Stay tuned.