Responding to the discovery of active exploits for a security vulnerability in Java, Oracle issued an emergency patch for the problem on Sunday. However, some security experts warn that the update doesn’t fully address the problems.
The BBC reported, “Oracle issued an emergency update to its widely-used Java web software on Sunday, but experts say it still contains security flaws. Last week the US government advised users to disable it because of a bug that leaves computers vulnerable to being hacked. Security specialists claim the fix has not done enough to make PCs secure.”
Computerworld’s Greg Keizer noted, “The decision to release an emergency security update outside Oracle’s normal schedule — the first time the company has done so since August 2012 — was triggered by confirmation last week that several notorious cybercrime kits were exploiting a ‘zero-day,’ or unpatched vulnerability in Java.”
According to Jim Finkle from Reuters, “Java security expert Adam Gowdiak, who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws. ‘We don’t dare to tell users that it’s safe to enable Java again,’ said Gowdiak, a researcher with Poland’s Security Explorations.”
The Washington Post’s Hayley Tsukayama explained, “Cybersecurity experts encouraged consumers to download the patch immediately, but some also continued to raise questions about Java’s security since the program has had numerous problems in recent months. And the fixes Oracle released, experts said, may not go deep enough. ‘Note that the vulnerabilities Oracle just patched don’t apply to standalone Java applications or server-side Java installs. They apply only to applets, which run inside your browser,’ wrote Sophos security researcher Paul Ducklin in a blog post Sunday.”