Future Tense

Oracle Fixes Java After Months of Silence, But You Might As Well Keep It Turned Off

Oracle headquarters in Redwood Shores, California.

Photo by Justin Sullivan/Getty Images

Oracle today released a new version of Java, plugging security holes so severe that experts recommended that Internet users disable the plugin immediately. The fix is available for download here for users and here for developers. “Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” the company wrote in a blog post.

But that urgency stands in contrast to how Oracle seemed to handle the problem. For four days after security researchers publicly reported that hackers were exploiting flaws in the Java web browser plug-in to gain access to people’s computers, the company was silent. I called at least five representatives and emailed the company’s main PR address, and heard in response not a peep.

Ah, but talk is cheap, and the four-day turnaround for the fix suggests that at least Oracle was quick in its actions, right? Well, maybe. But yesterday afternoon, IDG News Service’s Lucian Constantin reported that Polish security researcher Adam Gowdiak had actually notified the Redwood Shores-based company of the problem way back in April. Gowdiak told IDG that an Oracle status report dated Aug. 23 indicated the company was planning to fix the vulnerabilities in its regularly scheduled October update. Its previous update, in June, fixed only three of 29 issues that Gowdiak said he had reported. (A post from Softpedia has additional technical details, for those fluent in computer programming.)

And Alex Lanstein of the security firm FireEye, which publicly reported the Java attacks on Sunday, told me in an email that they had been going on much longer than that.

So for all those who followed my advice and disabled Java, is it now time to turn it back on? Unless you need it, probably not, experts say. Lanstein’s take: “We never recommend users run unnecessary software, so if there isn’t a current need for Java, we’d recommend keeping it disabled until it is needed, and of course, patched to the most recent version.” And Sophos’ Chet Wisniewski: “Less programs, less vulnerabilities. If you don’t really need it, don’t enable/install it.”

Note: I mentioned this in my first post, but it is confusing enough that it bears repeating: Java is not related to JavaScript. Disabling JavaScript will do nothing to protect you from these attacks, and will probably impair your ability to view a bunch of websites that you use on a regular basis. Java applets, on the other hand, have become relatively scarce on the Web over time.