Researchers claim to have found more zero-day vulnerabilities in Java

Filed Under: Featured, Java, Malware, Vulnerability

Coffee cup. Image from ShutterstockA security research team that has alerted Oracle to a series of security flaws in Java in the past, says that it has uncovered new zero-day vulnerabilities in the software.

According to Polish firm update posted by Security Explorations, it has sent proof-of-concept code to Oracle's security team - so they can investigate the issue.

The concern is that the flaws could be exploited to completely bypass Java's security sandbox and infect computers in a similar fashion to the attacks which recently troubled the likes of Facebook, Apple and Microsoft.

In those cases, cybercriminals hacked legitimate websites and planted code which exploited Java vulnerabilities when developers visited using web browsers that had a vulnerable version of the Java plugin.

Update from Security Explorations

Softpedia reports Security Explorations CEO Adam Gowdiak as saying:

"Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way... Without going into further details, everything indicates that the ball is in Oracle's court. Again."

So, many computer users find themselves in what is becoming a disturbingly familiar situation - looking to see when Oracle will confirm that the flaws exist, and then waiting for the inevitable security update for Java.

Here's the best piece of advice we can give you right now:

If you don't need Java enabled in your browser, here's how to turn it off now

Many people who have Java enabled in their browser simply do not need it (By the way, don't mix up Java with JavaScript - they're different things), so the best solution for many folks is to rip Java out of their browser entirely.

If you don't need Java, why put yourself at risk?

Dirty cup of coffee image from Shutterstock.

, , , ,

You might like

9 Responses to Researchers claim to have found more zero-day vulnerabilities in Java

  1. gmd · 515 days ago

    Well java must be almost completely killed as a product by now with all this advice to turn it off in your browser! If people don't use it it will die.

    • akboss · 515 days ago

      not likely.
      Too many programs use Java and wont run without it.
      Case in point is the wife's work. Need java (extremely old java 1.1) to log into the companies site to do just about everything.

    • Nigel · 514 days ago

      Your comment might be true if the only way to run Java were as a browser applet plugin. But it's not. There are applications that require Java without any need for a web browser. People who use browsers are not the only people who use Java.

  2. Joe · 515 days ago

    There's nothing wrong with Java as an application language, with applications acquired from trusted sources, any more than there is with C++ or COBOL for that matter. It's the applets running in browsers that are the problem.

    And there's no reason the rules for applets can't be changed to make them safe at the expense of full Java functionality.

  3. Herny Tirebiter · 515 days ago

    Java's not dead, but all the hysteria sure is exciting for someone who writes the same sort of code but rebranded it as dot something or other. Don't write bad code, don't be a drooling maroon and run around being a complete idiot either.

  4. Joe Dirt · 515 days ago

    Java exploits in the browser have been used to infiltrate multiple companies. Say what you will about it being no different than other technologies, but it doesn't change the fact that it IS a major vector for hackers to infiltrate companies.

    And to be clear, it is more than just a browser problem. There is working code to exploit RMI services.

  5. marie · 515 days ago

    I've been following your posts on Java. A person I casually help with software stuff needed me to logon to his computer using GoToMyPC. That required me to install Java. -Is this the focal point of the warnings? If so, GoToMyPC needs an alternate method.

  6. Arerifx · 514 days ago

    I completely agree..if you don't need java,why put yourself at risk?
    But I am really concern about Java,when will this end?I don't think it will end..Oracle must take this seriously

  7. JACKI · 513 days ago

    IT WOULD BE NICE IF YOU WOULD POST A LIST OF THINGS THAT WE DO NEED JAVA FOR, AND DON'T NEED IT FOR. THAT WAY WE CAN BETTER CHOOSE TO DISABLE OR CONTINUE USING THE PROGRAM. THANKS.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.