Feds issue warning on Java security

The U.S. Department of Homeland Security is recommending that Internet users disable Java in their Web browsers after pinpointing a vulnerability in the Oracle software.

According to a Thursday afternoon post on the U.S. Computer Emergency Readiness Team’s website, Java 7 Update 10 and earlier could allow a remote user to “execute arbitrary code on vulnerable systems,” putting affected machines at risk of malware. An attacker could exploit the flaw either by luring a user to a website that downloads malicious software onto their computer, or by compromising a legitimate website with a malicious applet (a “drive-by download”), CERT said.

The vulnerability is already being exploited, according to the post, and is reportedly being incorporated into publicly available exploit kits.

Oracle said in a statement Sunday that it is working to correct the security flaw. "Oracle is aware of a flaw in Java software integrated with web browsers. The flaw is limited to JDK7. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices. A fix will be available shortly," the company said.

CERT vulnerability analyst Will Dormann says the flaw could affect all of Java’s users, who, according to Oracle, number 1.1 billion.

“Some users may be running Java 6, which is unaffected by this vulnerability. However, Oracle has reported that it will be automatically updating Java 6 users to Java 7, starting in December 2012. So before long, that would mean that 1.1 billion desktop systems could be vulnerable, assuming that Oracle's numbers are correct,” Dormann said in an email to POLITICO.

Making matters worse, Dormann said, the vulnerability affects most operating systems, including Windows, OS X and Linux, and browser-level protections will not work against it.

“When you combine these aspects together, you get a very attractive target for an attacker,” he said.

CERT says it recommends disabling Java altogether, as it is unaware of a solution to the issue.

The agency credited user Kafeine on the blog “Malware don’t need Coffee” for pointing out the flaw.

This article first appeared on POLITICO Pro at 2:06 p.m. on January 11, 2013.