ClassCreator.com | Blockbuster sites, amazing reunions


Millions of computer users were advised Friday to temporarily disable Oracle's (ORCL) Java software

Forums: General Discussion
Created on: 01/12/13 08:01 PM Views: 1418 Replies: 17
Saturday, January 12, 2013 at 8:01 PM

Millions of computer users were advised Friday to temporarily disable Oracle's (ORCL) Java software because of security weaknesses that make their machines vulnerable to everything from virus-infected websites to "ransomware," which often locks users out of their computers until they pay the perpetrators.

Oracle said it will issue a patch Tuesday that contains "86 new security vulnerability fixes." It added that "due to the threat posed by a successful attack, Oracle strongly recommends" that customers update Java on their computers with the patch as soon as possible.

Java makes it easy for software programs to run on most computers and websites, and it is widely used throughout the world.

[Photo caption: Computer users are being advised by security experts to disable Oracle Corp's widely used Java software after a security flaw was discovered in the past day that they say hackers are exploiting to attack computers. Three computer security experts told Reuters on January 10, 2013 that computer users should disable those Java modules to protect themselves from attack. A spokeswoman for Oracle said she could not immediately comment on the matter. REUTERS/Stephen Lam/Files]

In a warning Thursday, the Department of Homeland Security advised people to disable Java in Web browsers, presumably until Oracle is able to correct the problem. Instructions from Oracle on how to disable Java can be found at www.java.com/en/download/help/disable_browser.xml. However, some security bloggers have warned that disabling Java can be complicated.

Apple (AAPL) disabled newer versions of Java from its personal computers Thursday night, but will let its customers use the software again if they upload Oracle's fixes, according to a knowledgeable source.

In addition, Mountain View-based Mozilla said in a blog post that it has begun blocking Java on its Firefox browser unless someone clicks on a feature to activate the software. The click-to-play feature "allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site," the blog said.

The Department of Homeland Security noted that "reports indicate this vulnerability is being actively exploited" by cybercrooks, who could use the flaw to lure computer users to virus-infected websites. Some crooks already are selling "exploit kits" to other crooks to take advantage of Java's problems, said Liam Murchu, a researcher with Mountain View security firm Symantec.

He said one common scam that could be exploited with the Java flaw is to shut down a user's computer with a ransomware virus and then demand money to unlock the machine. Another, he said, is to send a user an official-looking message saying their computer is infected and then dupe them into paying for a phony anti-virus product that doesn't work.

Murchu said Symantec has determined that its Norton anti-virus software can block current versions of malware designed to take advantage of the Java vulnerabilities. So if a person has Norton installed on their computer, he said, "theoretically they shouldn't need to disable Java."

However, he said, crooks may issue new types of malware that might temporarily evade Symantec's software. "So if you really wanted to be safe," he suggested disabling Java until it can be updated with Oracle's patch.

Murchu added that shutting off Java shouldn't cause huge problems for most people, unless they need to access a website that requires the Oracle software, such as some payroll-related sites. In those instances, the user may need to turn on Java just long enough to access that site and then turn it off until the patch can be issued.

"Unfortunately, turning it on and off for most people is cumbersome," Murchu said. And while it may be unlikely a computer would be infected during the brief time it's running Java, he added, "you basically never know when you're going to be hit."

Reply
Monday, January 14, 2013 at 1:36 PM - Response #1

Thank you for helping spread this information. In future, you may make your postings more potentially effective by making them shorter and less technical and including links to source material so that readers who are interested can investigate further and those less so inclined can get the meat of the message quickly and simply.


Reply
Monday, January 14, 2013 at 3:59 PM - Response #2

Yeah, shorten this up. I couldn't focus long enough to read it all. Java is a pain when it isn't having problems. I kind of wish it would just go away. One of my computers disables it from the get-go.

Reply
Monday, January 14, 2013 at 4:21 PM - Response #3

One article I read suggested going to Java.com and clicking on the "Do I have Java?" link. This sure was easier than the majority of the fixes I found. Come to find out, it wasn't on my computer anyway. I'm guessing my anti-spam software removed it as I'm pretty sure I didn't. (?)

I'd like to publish info on my site too, to make Classmates aware of the threat. If anyone has a shorter version than William's, I hope they post it here.

Thank you William for posting! Even though your article was long, there was a lot of good info in it!

Reply
Monday, January 14, 2013 at 6:09 PM - Response #4

I always have downloaded java separate as a stand alone application. Since some websites use java for scripting and other possible things, I have felt bound to the application.

I discarded the warning notice I received so the short version is not here.

Suffice it to say that java (as it is written now) contains a security risk that would allow a hacker to compromise your computer and steal valuable information and data you may have stored on your computer hard drive. That's all there is, plain and simple.
Sun was rewriting or recoding java to circumvent the problem in the programming code.

This same thing has happened before in all computer Operating Systems and will happen again. Computer languages are all imperfect at best. Any program can be written in several different ways and many different computer languages. You will always have this same threat to face on computers.

Reply
Monday, January 14, 2013 at 11:15 PM - Response #5

Not that it changes anything, but computer languages in general are not imperfect at all. It's the CODE/CODER that's imperfect. Coders just don't think about security issues or add safety checks in the code. It's like an engineer that builds a very strong building but forgets about earthquakes.

Java is somewhat of a cross between a language and an operating system (JRE). IOW, the Java Runtime Environment (JRE) is what you download to run Java code. JRE is actually at fault for not being secure, not the language per se. What malicious code does is exploit the JRE code.

Most Operating Systems are very secure. I've worked on several. For example, the system in ATMs is impenetrable and so are just about all standalone systems, for example the one that runs an airplane or the one in your GPS or the Operating System that runs your car's engine and brakes.

FWIW - Javascript is not the same as Java (JRE). So disabling Java will not affect Javascripts (run by the browser's code). Javascript is used extensively by CC on every single page.

Flash is somewhat similar. That's one reason Apple dropped it. Check out these security updates. It's a GIANT list.

(Minor detail: Technically, not any program can be written in any language. For example, I can write code in C that you can't do in any way in Basic. Similarly it's easy to write assembler code that can't be done in ANY language.)

Reply
Edited 01/14/13 11:40 PM
Monday, January 14, 2013 at 11:18 PM - Response #6

Here are instructions for how to disable JAVA per browser

You rarely need Java and you will be informed if you do.

I posted link to fixed version 7. If your system did not download this automatically, then your Java update settings are incorrect. You should have it set to check for updates.

More info HERE

Reply
Edited 01/14/13 11:31 PM
Tuesday, January 15, 2013 at 12:09 AM - Response #7

Point is that computer languages are imperfect due to the fact that there are so many ways to write a program but no way of knowing if it's the wrong way and still works perfectly. The very way hackers get into the language holes is by discovering something new about a certain way a program was written and exploiting that glitch. We all have written programs that worked but for some strange reason we found the necessity to redo a part that caused the program to do unwanted things. I wrote such a one in college that neither I nor the professor could find the bug or glitch. It was written correctly but continued to return a strange value at times. You are correct, programmers do mis-code at times, but no one can predict what the hacker is going to find.

Reply
Tuesday, January 15, 2013 at 1:02 AM - Response #8

Computer languages are not imperfect in the way you imply. I'm being very specific here - the language is what it is. It can't have any mistakes in it since it's only a choice of 'words' to use.

It's true that code can't be 'proven' to be correct (except for a few languages) - a somewhat esoteric topic. Generally, if a program 'works' it doesn't really matter how it's written. Like writing in English, we can arrange words in many different ways, yet they can explain the same topic. That's why there are so many books on the same subject. All different, yet all the same.

Here's an example that is a very common mistake and nothing to do with a language. A user reserves 20 characters for a user's name. He doesn't check for how many characters are entered. Is that a language flaw or a coding flaw? That's a simple example of buffer overflow exploit that virus code exploits. How common is this? Very common.

The code sample you experienced is really the compiler that has a bug. Remember, it's also just a program. In the old days (I started coding in 1964) it was more common for compilers (C, Cobol, Fortran, Pascal, etc) to generate incorrect code (impossible in assembler - it's always what you code).

Very often support modules (DLL code) have bugs (including security holes) - not too unusual, just look at your Windows updates and note that they are updating DLL code. Neither of those are language imperfections. Just plain coding errors, no different from JRE errors actually.

Here's a much longer explanation of buffer overflow

Reply
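The 20-character name field described in Response #8, written out as an added C example (not code from any poster in this thread). The `account` struct, its `is_admin` field and the input string are constructed for illustration; the unchecked copy is capped at the struct's size only so the demonstration stays well-defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 20  /* the 20 characters reserved for the name */

/* Constructed record: a flag sits directly after the name buffer. */
struct account {
    char name[NAME_LEN];
    int  is_admin;
};

/* The mistake from the post: copy whatever was entered without checking
 * its length. The copy is capped at the size of the whole struct only so
 * this demo stays well-defined; real unchecked code has no cap at all. */
void store_name_unchecked(struct account *a, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > sizeof *a)
        n = sizeof *a;
    memcpy((unsigned char *)a, input, n);   /* spills past name[] */
}

/* The fix: reject input that does not fit, terminator included. */
int store_name_checked(struct account *a, const char *input)
{
    size_t n = strlen(input);
    if (n >= NAME_LEN)
        return -1;                 /* too long: nothing is written */
    memcpy(a->name, input, n + 1);
    return 0;
}

int main(void)
{
    /* Constructed input: 20 filler characters, then 4 more bytes. */
    const char *long_name = "AAAAAAAAAAAAAAAAAAAABBBB";
    struct account a = { "", 0 }, b = { "", 0 };

    store_name_unchecked(&a, long_name);
    printf("unchecked: is_admin = %#x\n", (unsigned)a.is_admin);

    int rc = store_name_checked(&b, long_name);
    printf("checked: rc = %d, is_admin = %d\n", rc, b.is_admin);
    return 0;
}
```

The language allowed both versions; only the missing length check separates them, which is the coding flaw the post describes.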
Tuesday, January 15, 2013 at 11:06 AM - Response #9

Often with any language, computer or linguistic, it is what is not said, or a new or different meaning can result. While more rigid, computer languages can have wording or code sections that can be a hacker's playground if carefully exploited. But let us no longer concern ourselves. Maybe Java will be fixed or maybe we'll get a replacement to begin this cycle all over again with hacking holes. My last response. I apologize for misuse of this great Web source. CC thanks.

Reply
Tuesday, January 15, 2013 at 12:23 PM - Response #10

I'm not coming across. Compilers generate code. Compilers have bugs. That has nothing to do with malicious code exploits. A compiler (with no bugs) only generates the code it was told to generate. It doesn't make new meanings all by itself. If that were so, no complicated program would ever work if I couldn't trust the compiler.

For example, I have a program with a million lines of code. Some areas may not work quite right because I made a mistake in the code, not the language, not the compiler.

Malicious code is simply code where someone has figured out that a CODER has made a mistake. It really has nothing to do with any language. Technically even assembler code has bugs, which just means a coder problem. An example of that is in drivers where assembler is a bit more common.

Higher level languages are at least 1-step removed from the actual machine's language - AKA assembler. Java is 2 steps removed and so is Flash. IOW, the language is not run directly on the processor but indirectly via JRE or Flash. Original Basic was exactly the same way.

This is a difficult thing for people to grasp outside the field since it tends to want to be simplified because of the abstract nature of the beast.

Java is fixed for now. I posted a link in other topic. Your system should automatically update if check updates was enabled (and it should be for all the stuff one runs - although I prefer to install myself thank you.)

I think it's important for people to get an understanding of what and why malicious code exists and works. My purpose is to attempt to explain in a short space how all this works and not to get either freaked out or too comfortable just because they have turned something off or are running some anti-virus. Nothing is 100% safe when browsing.

Reply
Tuesday, January 15, 2013 at 1:19 PM - Response #11

I was aware of your point. I started with Commodore Basic and went on to Machine Coding, even used different compilers (even though relatively speaking all are types of compilers). So many of these are dead or mothballed, like PASCAL, COBOL and FORTRAN; even binary code is not real computer language. Really, computers are just bits on and off. Just musing, having a little boyish fun at 67 Friday. So have a great day and may we not face problems personally from things like this recent one in Java. Most of us never do anyway.

Reply
Edited 01/15/13 1:29 PM
Tuesday, January 15, 2013 at 4:36 PM - Response #12

Surprisingly, Pascal, Cobol and Fortran languages are alive and well. Many big banks/businesses use Cobol on their IBM mainframes. They serve specific mainstream markets where they are well suited. There are a few languages intended for bigger things that never gained significant traction: ADA and PL/I are 2 that I recall.

Not sure what is meant by "not real computer language" since anything that's not direct machine code is a de facto computer language.

Reply
Tuesday, January 15, 2013 at 8:16 PM - Response #13

I was referring to everyday programming as is the situation with personal PC. I did a couple of these languages in College. Even there were replacements being distributed.

Reply
Edited 01/15/13 8:19 PM
Tuesday, January 15, 2013 at 9:58 PM - Response #14

This thread is concerning some of our admins planning to attend the webinar tomorrow evening.

If you are attending the webinar, run the test on your computer. Should you need Java, it is up to you to decide to install it or miss the webinar. Personally, I chose to download and reinstall Java. I am NOT missing the webinar, are you?

Reply
Tuesday, January 15, 2013 at 10:12 PM - Response #15

"Everyday programming" is not just for PCs. Why do you think that? Programming is programming and languages are languages. All those languages I mentioned also exist in PC form. Pascal is fairly common and larger organizations also use PC forms of Fortran (engineers) and Cobol (banks). Everyday programming comprises a pretty large range of languages.

Java is no different now since it was created - lots of bugs. Flash is also the same - lots of bugs. And Windows - lots of bugs. What are bugs? Coding mistakes by a coder - not the language.

If the Webinar requires Java - then the enable/disable choice is the easiest. Remember Java is not the culprit per se, the sites one visits are the problem.

Reply
Edited 01/15/13 10:14 PM
Tuesday, January 15, 2013 at 10:39 PM - Response #16

Gentlemen,
I hope to see you in the webinar tomorrow and on TAP soon. Do come to TAP and share your knowledge.
Until then...
Smile!

Reply
Wednesday, January 16, 2013 at 9:18 AM - Response #17

Thanks. Maybe this will end this ongoing thread discussion for now so we can move on.

Reply