Java flaw still worries some experts, despite fix
Published: January 15, 2013 12:03PM
Updated: January 15, 2013 12:01PM
FILE- This April 23, 2007 file photo shows the Java logo at Sun Microsystems' offices in Menlo Park, Calif. On Monday, Jan. 14, 2013, Oracle says it has released a fix for the flaw in its Java software that raised an alarm from the U.S. Department of Homeland Security last week. (AP Photo/Paul Sakuma, File)

Despite Oracle’s emergency fix to patch a serious vulnerability in its widely used Java software, several security experts on Monday advised computer users to minimize using the product, because of fears more flaws will be discovered.

“This is definitely a temporary fix,” said Sorin Mustaca, a data security expert with Avira, a Germany-based company that sells anti-virus software. “If you do a fix under a lot of pressure and very, very fast, then only one thing will happen: more vulnerabilities. So, for me, this is just the rain before the storm. I think it will get worse, it will get much worse.”

Still, Mustaca recommended installing Oracle’s security patch, which is available here: http://java.com/en/download/index.jsp

But once that is done, he advised computer users to disable Java and only switch it on when absolutely necessary for some functions, such as those that handle stock trades and employee payrolls.

Although Java is used occasionally by millions of people worldwide, it is generally not vital for most computer or web-based functions, several experts noted. Mustaca said he uses two browsers, one with Java plugged in for limited purposes and another that he uses more frequently without Java activated.

“You’re better off disabling Java,” said H. D. Moore, chief security officer with Rapid7, which helps businesses identify and deal with cyber vulnerabilities. “For the most part, you don’t need it.”

He gave Oracle of Redwood City credit for issuing the fix on Sunday, after Thursday’s advisory from the federal Department of Homeland Security to disable Java because flaws found in the software could enable crooks to steal information and create other havoc for computer users. Oracle initially had said it would issue the fix on Tuesday.

“It’s nice to see,” since the company in the past has had a reputation for reacting slowly to flaws, Moore said. But he also noted that Java has experienced a number of previous security vulnerabilities and “there is no reason to think this is the last one.”