Oracle Patches Critical Java Security Hole
Oracle has fixed the hole in its Java software that left most of the world's computers vulnerable to cybercriminals over the weekend.
The emergency update pushes Java up to version 7.11, or "7u11," and, more important, bumps the default security settings for Web-based Java applets up a notch.
That means users will have to approve every single instance of Java that they encounter online.
"Previously, as long as you had the latest secure Java release installed, applets and Web-start applications would continue to run as always," Oracle's update release note read. "With the 'High' setting, the user is always warned before any unsigned application is run to prevent silent exploitation."
That step will go some way toward preventing further exploitation of Java vulnerabilities by criminals and other malicious hackers.
But, as a thousand phony Adobe Flash updates have shown, it's really quite easy to trick users into approving the installation of malicious software. There's no reason to think criminals won't do the same with deceptive Java-applet permissions.
The best thing to do would be to update your Java installation to version 7.11 — and then to turn it off for all Web browsers unless you absolutely need it. Our article from Friday (Jan. 11) explains how. (Java-based applications that don't use the Internet will run fine.)
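A quick way to confirm a machine is actually on 7u11 or later before trusting the new "High" default, as an added example that is not part of the original article: parse the first line of `java -version` output (the `1.7.0_11` form) and compare it against the 7u11 baseline. The sample outputs and the baseline tuple are constructed assumptions for this example.

```python
import re
import subprocess

# Baseline from the article: Java 7 Update 11 reports itself as 1.7.0_11.
MIN_RELEASE = (1, 7, 0, 11)

# Matches the first line of `java -version`, e.g. java version "1.7.0_10"
# Minor, micro and update parts are optional so newer strings still parse.
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?'
)


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` text, or None."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())


def is_patched(output, minimum=MIN_RELEASE):
    """True if the reported release is at or above the 7u11 baseline."""
    version = parse_java_version(output)
    if version is None:
        return False  # no recognisable Java banner: treat as not verified
    return version >= minimum


def check_local_java():
    """Run the real `java -version` (it prints to stderr) and evaluate it.

    Returns None when no java binary is available on PATH.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return is_patched(proc.stderr + proc.stdout)


# Constructed sample banners, not captured from a real machine.
SAMPLE_OLD = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment\n'
SAMPLE_NEW = 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment\n'

if __name__ == "__main__":
    for label, banner in (("7u10", SAMPLE_OLD), ("7u11", SAMPLE_NEW)):
        print(label, "patched" if is_patched(banner) else "NOT patched")
```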
If you do need Java in the browser for work or other reasons, the advice from security blogger Brian Krebs is probably best: Minimize your exposure by enabling Java for one browser only, such as Firefox or Opera, and then use that designated browser only for Java-based work.
Use other browsers for everything else, and don't copy and paste URLs from them into the designated Java browser.
The latest vulnerability, discovered Thursday (Jan. 10), affected Windows PCs, Macs and Linux machines alike, and left users susceptible to browser exploit kits that used hidden links and corrupted ads to infect computers with banking Trojans, ransomware and all sorts of other digital nastiness.