Blackhole blacklisted

Max-severity Java security exploit plugged

Elliot Bentley

But security experts warn that it “could take two years” for Oracle to fix Java’s remaining vulnerabilities.

Oracle has released a security update for the Java vulnerabilities that emerged on Friday, but not without further damage to the language’s reputation.

First seen being exploited by the ‘Blackhole’ exploit kit, which can be used to quickly turn a compromised website into a malware launchpad, the vulnerabilities have since received a CVSS score of 10.0, the maximum severity rating possible.

The exploit is considered so dangerous that even the Department of Homeland Security got involved, posting a bulletin recommending that Java be disabled in web browsers “due to the number and severity of this and prior Java vulnerabilities”.

Oracle’s emergency update fixes the two vulnerabilities being exploited in the wild, CVE-2013-0422 and CVE-2012-3174, and raises the default security level setting from ‘Medium’ to ‘High’, so that users must explicitly accept any unsigned applet before it runs.

In the previous minor update, Oracle introduced a simple control for disabling Java in the browser, and this change to its default settings could be seen as a further admission of Java’s seemingly unending security woes.
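As an added practitioner’s check (an editor’s example, not code from the article or from Oracle): the script below parses `java -version` output to tell whether a runtime predates the emergency release, and reads a Java deployment.properties file for the browser-disable switch introduced in the previous update and for the security level. Two things here are assumptions not stated on the page: that the emergency release is Java 7 Update 11 (1.7.0_11), and that `deployment.webjava.enabled` and `deployment.security.level` (values LOW, MEDIUM, HIGH, VERY_HIGH) are the property keys Oracle’s plugin reads. The version strings and properties text in the block are constructed sample input.

```python
"""Check a Java install against the January 2013 emergency update.

Added example, not from the article or Oracle. Sample strings are constructed.
"""
import re
import subprocess

# Assumption (editor's knowledge, not stated in the article): the emergency
# update fixing CVE-2013-0422 and CVE-2012-3174 shipped as Java 7 Update 11.
FIXED_VERSION = (1, 7, 0, 11)

# Constructed sample `java -version` output (printed on stderr by the JVM).
SAMPLE_VERSION_OLD = (
    'java version "1.7.0_10"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_10-b18)\n'
)
SAMPLE_VERSION_FIXED = (
    'java version "1.7.0_11"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_11-b21)\n'
)
# Constructed deployment.properties: browser plugin off, setting locked,
# security level raised. Keys assumed to be the ones the Java plugin reads.
SAMPLE_PROPS = (
    "# constructed sample\n"
    "deployment.webjava.enabled=false\n"
    "deployment.webjava.enabled.locked\n"
    "deployment.security.level=VERY_HIGH\n"
)

_VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?'
)


def parse_java_version(version_output):
    """Return (major, minor, micro, update) from `java -version` text, or None."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(version):
    """True if the runtime is at or past the emergency-fix release."""
    if version is None:
        return None
    return version >= FIXED_VERSION


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    and bare keys (such as the '.locked' markers) stored with an empty value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*(?:[=:]\s*(.*))?$", line)
        if m:
            props[m.group(1)] = (m.group(2) or "").strip()
    return props


def browser_plugin_disabled(properties_text):
    """True when Java in the browser is switched off (the control from 7u10)."""
    props = parse_properties(properties_text)
    return props.get("deployment.webjava.enabled", "true").lower() == "false"


def security_level(properties_text):
    """The configured security level, or None if the file does not set one."""
    return parse_properties(properties_text).get("deployment.security.level")


def check(version_output, properties_text):
    """Summarise the exposure of one install from its version text and properties."""
    version = parse_java_version(version_output)
    return {
        "version": version,
        "patched": is_patched(version),
        "browser_plugin_disabled": browser_plugin_disabled(properties_text),
        "security_level": security_level(properties_text),
    }


def local_java_version_output():
    """Run the local `java -version`; returns '' if no JVM is installed."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except OSError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    print("sample, unpatched:", check(SAMPLE_VERSION_OLD, ""))
    print("sample, patched:  ", check(SAMPLE_VERSION_FIXED, SAMPLE_PROPS))
    print("this machine:     ", check(local_java_version_output(), ""))
```

A result of `patched: None` means no JVM was found or the version line was not recognised; a `False` there, with the browser plugin still enabled, is the combination the DHS bulletin warns about.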

An accompanying blog post opens with some damage control, reminding that the vulnerabilities “do not affect Java on servers, Java desktop applications, or embedded Java”.

While the vulnerabilities exploited by Blackhole appear to have been plugged, Reuters were told by corporate security company Rapid7 that Java is still riddled with so many known security issues that it “could take two years” to fix.

“The safest thing to do at this point is just assume that Java is always going to be vulnerable,” said the company’s chief security officer. “Folks don’t really need Java on their desktop.”
