Oracle Fixed Java, Yet Hackers Steal Credit Card, Personal Info; Experts Explain How?
Oracle said on Monday, Jan. 14, 2013, that it has released a fix for a security vulnerability in its Java software that raised alarm at the U.S. Department of Homeland Security last week.
The US Computer Emergency Readiness Team (US-CERT) last week issued a warning about the Java application. Now, even after the patch was issued, the federal agency continues to recommend that users disable Java in their Web browsers.
Oracle said it released two patches - to address the flaw highlighted by the government, as well as another flaw that the government said was "different but equally severe."
According to ABC News, DHS said on Monday in an updated alert published on the website of its Computer Emergency Readiness Team: "This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered."
"To defend against this and future Java vulnerabilities, consider disabling Java in Web browsers until adequate updates are available."
What are the signs and consequences of not disabling Java?
Ads Used By Hackers
Strange ads may pop up on the screen while you are browsing and tempt you to click, security experts say. When you click such ads, hackers could gain access and steal the information they need. In addition, special code to take advantage of the flaw is being sold on the black market in so-called "Web exploit packs" to Internet abusers who can use it to steal credit card data, personal information or cause other harm, according to ABC News.
The packs, sold for upwards of $1,500 apiece, make complex hacker codes available to relative amateurs. This particular flaw even enables hackers to compromise legitimate websites by taking over ad networks. The result: users are redirected to malicious sites where damaging software can be loaded onto their computers.
The sale of the packs means malware exploiting the security gap is "going to be spread across the Internet very quickly," said Liam O'Murchu, a researcher with Symantec Corp. "If you have the opportunity to turn it off, you should."
According to Latin Post, "[The update] might sound like a prompt response, until you consider that security researchers allegedly notified the company about the bug months ago. On the other hand, that the patch apparently leaves in place weaknesses that criminals could still exploit. Or that this is just the latest in a long string of Java problems that have made the language the overwhelming top choice for software-based computer hacks," said a researcher.
How to Disable Java?
In Firefox, select "Tools" from the main menu, go to "Add-ons," and then click the "Disable" button next to any Java plug-ins.
For Internet Explorer, follow the instructions for disabling Java in all browsers through the Control Panel; there is reportedly no way to disable Java from within Internet Explorer.
In Chrome, type or copy "chrome://plugins" into your browser's address bar, then click the "Disable" button below any Java plug-ins.
In Safari, click on "Safari" in the main menu bar, then "Preferences," then select the "Security" tab and uncheck the button next to "Enable Java."
Mac users probably do not have to worry because Apple already removed Java plug-ins from OS X browsers. According to PC World, Apple apparently learned a lesson last year when it took its time making a Java patch available and, as a result, more than 600,000 Macs were infected with malware.
Apple distributes a self-compiled version of Java for Macs; it ports Oracle's patches to it according to its own schedule.