
Oracle releases security update to address Java vulnerability in DHS alert
Oracle released a software update on Sunday to address a security vulnerability in its Java 7 software on which the Department of Homeland Security (DHS) issued an alert last week.
In a blog post, Eric Maurice, a software security assurance director at Oracle, said the company recommended that users install the security patch "as soon as possible because these issues may be exploited 'in the wild' and some exploits are available in various hacking tools." Maurice said the patch addressed two vulnerabilities found only on Java software in Web browsers.
But the department encouraged users to disable Java in their browsers even if they installed the security patch released by Oracle, saying they should refrain from running Java "unless it is absolutely necessary."
In a statement, a DHS official said its Computer Emergency Readiness Team "estimates that it may take some time for researchers to digest the latest patch that's been distributed to address the vulnerability," adding that it "will continue to monitor the situation and issue updates as they become available."
The department's Computer Emergency Readiness Team issued an alert last Thursday warning that hackers could take advantage of a security vulnerability found in Oracle's Java 7 software versions to attack people's computer systems. The department said a hacker could lure people to visit a malicious website or a poisoned link that had the manipulated Java software loaded on it.
"Java 7 Update 10 and earlier versions of Java 7 contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system," the department said.
Java is a type of programming language that can be used to build Web applications and run across various platforms. Maurice said Oracle is setting the security level for Java to "High," so users will "expressly authorize the execution of [Java] applets which are either unsigned or are self-signed," meaning they likely stem from hackers.
— This post was updated at 6:48 p.m.







