The end of August sparked panic for Java’s creator, Oracle and users when an emergency Java 7 patch opened the door for attacks. Though Oracle may not like to admit it, it seems that this news only showcased a previously undisclosed vulnerability that Oracle knew about all along.
Oracle released Java JDK/JRE 7 in order to fix vulnerabilities that were found by security researchers. This release was designed to address their concerns noted during an analysis of the program, but it seems that Oracle was aware of these same vulnerabilities back in April of 2012.
Java Vulnerabilities Exposed
In April 2012, Oracle’s third-party research company, Security Explorations, had notified Oracle of flaws in their Java program that were exploited by attackers. Though the new patch was designed to fix these flaws, Oracle neglected to repair them all, which means that users are still at risk. These unfixed flaws put users at risk by allowing attackers to exploit the Java virtual machine and disable sandbox mode.
What it Means for Java Users
Most computers do not even need Java. Though some computer applications rely heavily on the program (such as Minecraft), there are limited applications still using Java. Those that do need it do not actually need the Java tool downloaded on a user’s desktop in order to access it. Therefore, users can look into Java portable, which is the portable version of Oracle’s Java program. By using the portable version, users can ensure that Java does not automatically add itself to web browsers and will only run when the user allows it to.
Users who are worried about the vulnerabilities of Java should also look into disabling it from their web browsers. By doing so, a web browser will notify the user that they need to enable Java in order to access a site, which puts the user in control as to how often Java can access their computer.
As of right now, Oracle was informed of 31 separate issues and their latest patch only addresses 6 of those issues. Oracle has announced they plan to address the other 25 issues by October 2012, but until then, users should consider disabling Java until its obvious frailties are repaired.
[image via lcolumbus]