The Washington Post

Oracle patches Java, but concerns remain

Oracle says it has released a fix for the flaw in its Java software that raised an alarm from the U.S. Department of Homeland Security last week. (Paul Sakuma/AP)

Oracle delivered an unusual emergency patch to its ubiquitous Java software Sunday to fix a malicious bug that allowed hackers access to users’ Web browsers. But some security experts continued to warn users Monday to stay away amid lingering concerns about the company’s ability to react quickly to security problems.

The latest security hole came to light last week after the Department of Homeland Security raised an alarm about it. Even after Oracle released the patch, the agency recommended that users disable Java “unless it is absolutely necessary,” citing continuing problems with the program’s overall security.

Oracle confirmed that it had released a new patch, but did not return a call for comment on the lingering concerns.

Security experts estimate that Java is used in 3 billion machines, about 2 billion of which are desktop or laptop computers. The program was a backbone of Web sites in the early days of the Internet.

Nearly all computer programs have security flaws. But Java has a reputation for not quickly responding to potential issues, said Kurt Baumgartner, a senior security researcher at Kaspersky Labs. “They are very slow at handling problems,” he said.

Developers are moving away from Java in favor of other programs such as Adobe’s Flash, but Java remains a standard program for many kinds of business software. If the security concerns discourage developers from using the program, the move away from Java could accelerate, analysts said.

Oracle updates Java every four months, far less frequently than the monthly or even weekly updates other software gets. Researchers who report Java problems to Oracle often wait months for a fix. That was the case with a security problem the company patched in August — one that security researchers said they identified in April.

The long period of time between updates gives hackers time to take advantage of software problems, experts say.

Chester Wisniewski, a senior researcher at the security firm Sophos, said Java exploits accounted for about 90 percent of all Web-based attacks last year, or about 12,000 attacks a day. The problem Oracle addressed Sunday, he said, had already found its way into “exploit kits,” or ready-made code that hackers distribute and use to crack vulnerable sites.

Wisniewski said users should disable Java within their Web browsers for security reasons, and only enable it if they need it for a critical program.

“My recommendation is to remove it,” said Wisniewski, who has removed the program from his own devices. “Most people don’t need it.”

Baumgartner disagrees. He pointed to his company and others who have released antivirus suites and other tools that allow users to keep the benefits of the software while minimizing the risks.

“There are flaws in every software. It’s impractical to tell people you can’t use it,” he said. “It’s not a valid solution, in my opinion.”


Hayley Tsukayama covers consumer technology for The Washington Post.


