The U.S. Department of Homeland Security’s Computer Emergency Readiness Team says no one should use Java until Oracle fixes a hole that permits attackers to jump inside your computer and steal information.
“We estimate that about 100 million computer users are now in immediate danger of getting exploited. Given the current circumstances – wide availability of the exploit code and no fix from Oracle scheduled for the near future – disabling the Java feature in the browser is the wisest choice,” Bitdefender senior e-threat analyst Bogdan Botezatu told VentureBeat in an email.
Java is a widely used programming language, now overseen by Oracle, that runs on many different platforms, including PCs, Macs, and mobile devices. Java programs are supposed to run in a secure “sandbox,” but security researchers recently found a vulnerability that lets attackers escape that sandbox and infect the computer with software that in turn lets them steal personally identifiable information. Of course, that can lead to bank accounts being drained or identity theft.
Beyond that, however, the hole also lets the attacker hook your computer up to a botnet, a network of compromised computers that can be used to do the bidding of the cyber criminal.
The malicious software is distributed through infected websites that Homeland Security points out could be made to look like legitimate websites.
“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” the Homeland Security advisory states. “To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available.”
This vulnerability only affects PCs, but a recent and similar incident involving the “Flashback Trojan” showed that Java has weaknesses on Macs as well. According to MacRumors, Apple isn’t taking any chances this time and has blacklisted Java entirely on OS X.
We have contacted Oracle and will update the post if we hear back from the company.
UPDATE 1/12/2013: Oracle has stated that “a fix will be available shortly” for the Java flaw, Reuters reports.