Sunday, January 13, 2013

Java Vulnerability

The U.S. Computer Emergency Readiness Team (US-CERT) recently issued an advisory bulletin regarding a serious security flaw in the Oracle Java Runtime Environment (JRE). I've read news articles about it in several places (here is one), and the comments sections universally show rampant confusion (and the inevitable flaming of the confused). A few key points:
  • JavaScript is not Java. In fact, they are essentially unrelated. There is no reason (or at least no reason related to the security bulletin) to disable JavaScript in your browser, and doing so will cause some web sites to become unusable.
  • It's a browser issue. The CERT bulletin recommends "... that Java be disabled temporarily in web browsers ..." (emphasis added) and provides a link to instructions from Oracle on how to do so. (Better instructions, IMHO, are here, courtesy of a link in the ZDNet article.) They are not recommending that Java be uninstalled. Uninstalling Java is liable to cause various programs (such as the OpenOffice and LibreOffice suites) to become inoperable. You just need to disable the Java browser plugin, either globally through the Java control panel or locally in each browser's plugin control page.
  • It may well be limited to Oracle Java. I have no idea whether the flaw exists in the OpenJDK runtime environment and the IcedTea plugin. My feeling is that very few websites require a Java browser plugin, so I'm inclined to disable IcedTea on my system just to be safe.
  • Help is coming. According to an article today on the PCWorld website, Oracle has a fix coming within a matter of days. So keep an eye out for notification of a Java update, and install it when it becomes available.

3 comments:

  1. Just for the sake of completeness:

    On monday, Oracle released Java 7 Update 11 which should fix this issue.

    ReplyDelete
    Replies
    1. Thomas,

      A post-patch article on ZDNet.com (http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/?s_cid=e589) quotes experts who seem to think there is more to be done before the plugin is safe.

      Delete
    2. Quick follow-up: Here's another story reporting continuing security holes.

      Delete

If this is your first time commenting on the blog, please read the Ground Rules for Comments. In particular, if you want to ask an operations research-related question not relevant to this post, consider asking it on OR-Exchange.