Main Menu

Quick Studies
Reseach & Technology
Technical Reports
Operating Systems
Everyday Science

Security Alert: Emergency turn-off of web Java now mandatory PDF Print E-mail
Written by Harris Georgiou   
Monday, 28 January 2013 00:00

Inormally do not put emergency security alerts in this pages, but due to the severity of this event, I thought that everyone should be warned as soon as possible:

"Oracle releases emergency Java patch; experts warn flaws may take 2 years to fix" (

Security Alert: Emergency turn-off of web Java now mandatory

Unfortunately, it seems that the worst fears about Java’s severe security holes have now become true.

Since the exploits are already included in various publicly available exploit kits (e.g. “Blackhole”) and the problems can not be fully addressed for the next 12-24 months, the best options right now are, from most drastic (and secure) to the mildest (and more dangerous):

  • uninstall Java completely, if not required on any Internet-connected device
  • disable web Java (JRE) in the browsers, from the Java control panel
  • leave web Java enabled, but disable the related plug-ins in the browsers
  • leave web Java enabled, as well as the plug-ins, but review every prompt carefully

The last option relies only on the fact that the latest patch (7u11) from Oracle sets the default security level to "high", so every Java applet will trigger a dialog prompt for the user before it is executed. Keep in mind, though, that this is the most dangerous option, since it takes one single successful attack to breach local security and enable full remote access to the device (not just infect it with some virus or spyware).

Status update (1-Feb-2013): "Oracle Responds to Java Security Flaws with 50 Fixes" (new version: "7u13")

Status update (2-Mar-2013): "New Java 0-Day Vulnerability Being Exploited In the Wild" (latest versions: "6u41/7u15")

Last Updated on Sunday, 24 March 2013 17:10