
Homeland Security: Sorry, Oracle, your fix isn’t good enough

Soon after Oracle released a patch for a hole in Java that enabled hackers to sneak into your computer to steal information or hook you up to a botnet, the Department of Homeland Security warned today that you should still disable Java.

“DHS is skeptical because it’s highly likely yet another Java vulnerability is found soon, starting this all over again,” said F-Secure chief research officer Mikko Hypponen in an email to VentureBeat. “The problem is the Java plugin in the browser. Remove the plugin from your daily browser. Then, if some site that you really need needs Java, use a secondary browser with the plugin enabled just for that site.”

The hole recently fixed in Java 7 enables an attacker to secretly install software on your computer by using an infected website to access Java and slip into your system. Criminals may also create fake websites intended to trick users into thinking they are legitimate. From there, the hackers can grab your personal information or use your computer as part of a botnet that could be used to attack other systems.

“Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11,” the Department of Homeland Security warned in its advisory. “This will help mitigate other Java vulnerabilities that may be discovered in the future.”

The hole affects Windows computers, Macs, and Linux machines. DHS warns that other devices that use Java 7 may also be at risk.

Oracle provides detailed instructions on how to disable Java on a number of different systems on its website.

Hat tip: The New York Times