FILE- This April 23, 2007 file photo shows the Java logo at Sun Microsystems' offices in Menlo Park, Calif. On Monday, Jan. 14, 2013, Oracle says it has released a fix for the flaw in its Java software that raised an alarm from the U.S. Department of Homeland Security last week. (AP Photo/Paul Sakuma, File)

Java flaw still worries some experts, despite fix

By Steve Johnson

| San Jose Mercury News

First Published Jan 15 2013 11:54 am • Last Updated Jan 15 2013 12:01 pm

Despite Oracle’s emergency fix to patch a serious vulnerability in its widely used Java software, several security experts on Monday advised computer users to minimize using the product, because of fears more flaws will be discovered.

"This is definitely a temporary fix," said Sorin Mustaca, a data security expert with Avira, a German-based company that sells anti-virus software. "If you do a fix under a lot of pressure and very, very fast, then only one thing will happen: more vulnerabilities. So, for me, this is just the rain before the storm. I think it will get worse, it will get much worse."

Still, Mustaca recommended installing Oracle’s security patch, which is available here: http://java.com/en/download/index.jsp

But once that is done, he advised computer users to disable Java and only switch it on when absolutely necessary for some functions, such as those that handle stock trades and employee payrolls.

Although Java is used occasionally by millions of people worldwide, it is generally not vital for most computer or web-based functions, several experts noted. Mustaca said he uses two browsers, one with Java plugged in for limited purposes and another that he uses more frequently without Java activated.

"You’re better off disabling Java," said H. D. Moore, chief security officer with Rapid7, which helps businesses identify and deal with cyber vulnerabilities. "For the most part, you don’t need it."

He gave Oracle of Redwood City credit for issuing the fix on Sunday, after Thursday’s advisory from the federal Department of Homeland Security to disable Java because flaws found in the software could enable crooks to steal information and create other havoc for computer users. Oracle initially had said it would issue the fix on Tuesday.

"It’s nice to see," since the company in the past has had a reputation for reacting slowly to flaws, Moore said. But he also noted that Java has experienced a number of previous security vulnerabilities and "there is no reason to think this is the last one."

Copyright 2013 The Salt Lake Tribune. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

About Reader Comments

---

Reader comments on sltrib.com are the opinions of the writer, not The Salt Lake Tribune. We will delete comments containing obscenities, personal attacks and inappropriate or offensive remarks. Flagrant or repeat violators will be banned. If you see an objectionable comment, please alert us by clicking the arrow on the upper right side of the comment and selecting "Flag comment as inappropriate". If you've recently registered with Disqus or aren't seeing your comments immediately, you may need to verify your email address. To do so, visit disqus.com/account.
See more about comments here.