Java broken for at least two years

Oracle released an emergency update to its Java software over the weekend designed to fix a major security flaw in the software, but security experts warned that the update does not work and the company should not have bothered.

The update was released after the US Department of Homeland Security urged PC users to disable Java because of bugs in the software.

Java was being exploited to commit identity theft and other crimes, Homeland Security warned.

Adam Gowdiak, a researcher with Poland’s Security Explorations, who has discovered several bugs in the software over the past year, told Reuters that the update from Oracle leaves several important security flaws unfixed.

He would not dare to tell users that it’s safe to enable Java again.

The fact that Oracle can’t fix the software means that PCs running Java in their browsers remain vulnerable to attack by criminals seeking to steal personal details to use in scams.

It has reached the point where some security outfits are advising businesses to remove Java from the browsers of all employees, except for those who absolutely need it.

It appears that things will get worse. HD Moore, chief security officer with Rapid7, thinks that it will take two years for Oracle to fix all the security bugs in the version of Java that is used for surfing the web.

Moore said that it was better to assume that Java is always going to be vulnerable. Anyway, people don’t really need it on their desktop.

Oracle said that its update fixed two vulnerabilities in the version of Java 7 for web browsers. It also switched Java’s security settings to “high” by default, making it more difficult for suspicious programs to run on a PC without the knowledge of the user.
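The two settings the article touches on, Java disabled in the browser entirely (the advice given to businesses above) and the security level raised to High (Oracle's new default), are both recorded in Java's `deployment.properties` file on a managed PC. The following script is an added example, not code from the article or from Oracle: it parses such a file and reports whether the machine is still exposed. The key names `deployment.webjava.enabled`, `deployment.security.level` and their `.locked` variants are Java's deployment configuration keys as I know them; the two sample files are constructed for the example, and the file location on a real system is an assumption the reader must supply.

```python
"""Audit a Java deployment.properties file for browser-hardening settings.

Added example: checks whether Java is disabled in the browser, or, failing
that, whether the security level is at least HIGH. Sample inputs below are
constructed; the property keys are Java's deployment configuration keys.
"""

# Constructed sample: Java still reachable from the browser at MEDIUM level.
SAMPLE_WEAK = """\
# deployment.properties (constructed example)
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""

# Constructed sample: browser plugin disabled and the setting locked so a
# user cannot re-enable it from the Java Control Panel.
SAMPLE_HARDENED = """\
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=HIGH
deployment.security.level.locked
"""

# Slider levels in increasing strictness.
LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]


def parse_properties(text):
    """Minimal Java .properties parser: '=', ':' or whitespace separators,
    '#'/'!' comments, and bare keys with no value (used by '.locked' lines)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, _, value = line.partition(sep)
                props[key.strip()] = value.strip()
                break
        else:
            parts = line.split(None, 1)
            props[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return props


def audit(props):
    """Return (ok, findings). ok is True when Java cannot run in the browser,
    or when it can but the security level is HIGH or stricter."""
    findings = []
    webjava = props.get("deployment.webjava.enabled", "true").lower()
    level = props.get("deployment.security.level", "").upper()

    if webjava == "false":
        if "deployment.webjava.enabled.locked" not in props:
            findings.append("browser plugin disabled but not locked; "
                            "a user can re-enable it from the Control Panel")
        return True, findings

    findings.append("Java is enabled in the browser "
                    "(deployment.webjava.enabled is not false)")
    if level not in LEVELS:
        findings.append("deployment.security.level not set; the effective "
                        "level depends on the installed Java version")
        return False, findings
    if LEVELS.index(level) < LEVELS.index("HIGH"):
        findings.append(f"security level is {level}; below the HIGH default "
                        "the update introduced")
        return False, findings
    if "deployment.security.level.locked" not in props:
        findings.append("security level is HIGH but not locked")
    return True, findings


def audit_file(path):
    """Convenience wrapper for a real deployment.properties file (path is
    platform dependent and left to the caller)."""
    with open(path, encoding="utf-8") as fh:
        return audit(parse_properties(fh.read()))


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        ok, findings = audit(parse_properties(text))
        print(f"{name}: {'OK' if ok else 'EXPOSED'}")
        for f in findings:
            print("  -", f)
```

Point `audit_file` at the system-wide `deployment.properties` on each managed machine; a result of `EXPOSED` means the PC is in exactly the state the article warns about, and the `.locked` findings show where a hardened setting is still undoable by the user.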