Oracle patches Java, but concerns remain

Paul Sakuma/AP - Oracle says it has released a fix for the flaw in its Java software that raised an alarm from the U.S. Department of Homeland Security last week.

Oracle delivered an unusual emergency patch to its ubiquitous Java software Sunday to fix a malicious bug that allowed hackers access to users’ Web browsers. But some security experts continued to warn users Monday to stay away amid lingering concerns about the company’s ability to react quickly to security problems.

The latest security hole came to light last week after the Department of Homeland Security raised an alarm about it. Even after Oracle released the patch, the agency recommended that users disable Java “unless it is absolutely necessary,” citing continuing problems with the program’s overall security.

Oracle confirmed that it had released a new patch, but did not return a call for comment on the lingering concerns.

Security experts estimate that Java is used in 3 billion machines, about 2 billion of which are desktop or laptop computers. The program was a backbone of Web sites in the early days of the Internet.

Nearly all computer programs have security flaws. But Java has a reputation for not quickly responding to potential issues, said Kurt Baumgartner, a senior security researcher at Kaspersky Labs. “They are very slow at handling problems,” he said.

Developers are moving away from Java in favor of other programs such as Adobe’s Flash, but Java remains a standard program for many kinds of business software. If the security concerns discourage developers from using the program, the move away from Java could accelerate, analysts said.

Oracle updates Java every four months, far less frequently than the monthly or even weekly updates other software gets. Researchers who report Java problems to Oracle often wait months for a fix. That was the case with a security problem the company patched in August — one that security researchers said they identified in April.

The long period of time between updates gives hackers time to take advantage of software problems, experts say.

Chester Wisniewski, a senior researcher at the security firm Sophos, said Java exploits accounted for about 90 percent of all Web-based attacks last year, or about 12,000 attacks a day. The problem Oracle addressed Sunday, he said, had already found its way into “exploit kits,” or ready-made code that hackers distribute and use to crack vulnerable sites.

Wisniewski said users should disable Java within their Web browsers for security reasons, and only enable it if they need it for a critical program.

“My recommendation is to remove it,” said Wisniewski, who has removed the program from his own devices. “Most people don’t need it.”

Baumgartner disagrees. He pointed to his company and others who have released antivirus suites and other tools that allow users to keep the benefits of the software while minimizing the risks.

“There are flaws in every software. It’s impractical to tell people you can’t use it,” he said. “It’s not a valid solution, in my opinion.”
