As he drove me home after I had surgery on Friday morning, my husband asked me if I had heard about the recommendations to disable Java on computers. Obviously, he needs to read my blogs and articles more often because, as I reminded him, I’ve been advocating disabling Java for quite some time, most recently because of an unpatched flaw that threatened serious damage to data.
“I know you have advised that,” he said, “but this time it is coming from the Department of Homeland Security.”
Now that made me curious. Government agencies have warned about cyber dangers, of course, including the outgoing Secretary of Defense’s warning that if we don’t do something about cybersecurity, we could see a catastrophic event that would compare to Pearl Harbor or 9-11. However, this is the first time in my memory that a government agency, particularly one like DHS, has told citizens to remove a specific software application from their computers, just like it is rare to read about cybersecurity issues on a site like Politico:
According to a Thursday afternoon post on the U.S. Computer Emergency Readiness Team’s website, Java 7 Update 10 and earlier could allow a remote user to “execute arbitrary code on vulnerable systems,” putting it at risk for malware. A cyberattacker could exploit the risk to either direct a user to visit a website that would download malicious software to their computer or to access a legitimate website and compromise it with a malicious applet (a “drive-by download”), CERT said.
By Sunday evening, Oracle released a patch for the Java problem. I can’t recall Oracle ever reacting so quickly to a security warning, and I can’t help but think that a warning coming from DHS had something to do with the quick action. Perhaps it was just ironic timing? That’s possible, but on the other hand, I don’t recall a Java flaw getting this much mainstream press, either.
In any case, I believe the time has come for computer users to re-evaluate the need for Java. I don’t have it on my primary computer, and I don’t miss it. This latest flaw isn’t a one-time incident for Java; it is one in a long line of flaws, which Oracle has either been slow to fix or has fixed inadequately. For instance, Matthew Schwartz at InformationWeek pointed out that one of the flaws fixed this weekend was supposed to have been fixed back in October.
At least one security expert, Bogdan Botezatu, a senior e-threat analyst with Bitdefender, thinks that we should keep Java around but that it should be rebuilt from scratch. I don’t agree, simply because computing has moved beyond Java and surely there are more secure replacements available.